By Bruno Odon: Most of the time, the main vector for the spread of a cyber threat is the user's own computer, either through the user's own actions, such as clicking a fake link, or through conditions outside their control, such as running an obsolete version of some software.
Proof of this can be seen in the number of incidents in Brazil in July that exploited old, already patched flaws. For this reason, there needs to be much closer interaction between security teams so that protective measures are applied frequently.
Often, before a cyber attack or any other type of security incident occurs in an organization, the threat behind that type of event is already known, and it is up to the security teams to take every possible measure to eliminate or mitigate the risk.
The main threats last month were:
Threat | Description |
Trojan.WinLNK.Agent.gen | Shortcut files from this family contain links to download malicious files, or the path to launch a different malicious executable designed to destroy, block, modify or copy data, or to interfere with the operation of computers or networks. Brazil is in 6th place in the worldwide ranking of infections. |
Worm.Python.Agent.gen | This family consists of self-propagating software written in Python, with the characteristics typical of worms. |
Trojan.Win32.Agentb.bqyr | Malicious programs in this family are used to destroy, block, modify or copy data, or to disrupt the performance of computers or networks. |
Trojan.Win32.AutoRun.gen | This malware consists of an autorun .inf file, which is used to launch or install malicious applications automatically when a drive is mounted. |
Virus.Win32.Pioneer.cz | This virus spreads by adding malicious code to other executable files. It looks for .exe and .dll files located outside the Windows folder and appends malicious code to them, which runs before the original code in those files. Infected files can download and install other malicious software. |
Trojan.WinLNK.Runner.jo | Malicious LNK files from this family launch a malicious executable. These files are used by worms to spread via USB drives. |
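Three of the six families above (Trojan.WinLNK.Agent.gen, Trojan.Win32.AutoRun.gen and Trojan.WinLNK.Runner.jo) abuse the same two USB-propagation mechanisms: an autorun.inf that names a program to run, and .lnk shortcuts whose real target is an interpreter or a downloader. The following script is an added example, not code from the ISH report; it parses both artifacts from a copied drive image so an analyst can list every automatic launch the medium would trigger. The .lnk parser follows the MS-SHLLINK layout (76-byte header, optional ID list and LinkInfo, then the StringData sections); the "suspicious" heuristic (launcher names and argument markers) and the sample USB contents are the author's own constructed choices.

```python
import configparser
import struct
import tempfile
from pathlib import Path

# Shell Link (.lnk) layout constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections, in the order they are stored after the optional ID list / LinkInfo.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
# Built-in interpreters and LOLBins that a "document" or "folder" shortcut should never point at.
LAUNCHERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
             "mshta.exe", "regsvr32.exe", "certutil.exe"}
# Argument fragments typical of downloader / script-launching shortcuts (heuristic, assumed).
ARG_MARKERS = ("http://", "https://", ".vbs", ".js", ".bat", ".ps1", "-enc")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative target, arguments, ...) of a .lnk file."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:              # LinkTargetIDList: uint16 size, then that many bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:            # LinkInfo: uint32 total size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:      # each: uint16 CountCharacters + unterminated string
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            size = count * 2 if unicode else count
            fields[name] = data[off:off + size].decode("utf-16-le" if unicode else "cp1252")
            off += size
    return fields


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Minimal Unicode .lnk carrying RELATIVE_PATH and optional arguments (test fixture only)."""
    flags = IS_UNICODE | 0x08 | (0x20 if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, 3 times, size, icon, SW_SHOWNORMAL...

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(relative_path) + (string_data(arguments) if arguments else b"")


def lnk_is_suspicious(fields: dict) -> bool:
    """Flag shortcuts that launch an interpreter/LOLBin or reference scripts / URLs in arguments."""
    target = Path(fields.get("relative_path", "").replace("\\", "/")).name.lower()
    args = fields.get("arguments", "").lower()
    return target in LAUNCHERS or any(marker in args for marker in ARG_MARKERS)


def parse_autorun_inf(text: str) -> dict:
    """Return the launch directives (open=, shellexecute=, shell\\...\\command=) of an autorun.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    launch = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                launch[key] = value
    return launch


def triage_removable_drive(root) -> list:
    """Walk a mounted (or copied) drive and list every automatic launch it would trigger."""
    root = Path(root)
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for key, command in parse_autorun_inf(autorun.read_text(errors="replace")).items():
            findings.append(("autorun.inf", key, command))
    for lnk in sorted(root.rglob("*.lnk")):
        try:
            fields = parse_lnk(lnk.read_bytes())
        except ValueError:
            continue                       # not a real shortcut, just a .lnk extension
        if lnk_is_suspicious(fields):
            findings.append((lnk.relative_to(root).as_posix(),
                             fields.get("relative_path", ""), fields.get("arguments", "")))
    return findings


def build_sample_drive(root) -> None:
    """Constructed fixture: a USB stick with autorun.inf, one benign and one malicious shortcut."""
    root = Path(root)
    (root / "autorun.inf").write_text("[autorun]\nopen=RECYCLER\\S-1-5-21-1234\\update.exe\n"
                                      "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
                                      "action=Open folder to view files\n")
    (root / "Report.lnk").write_bytes(build_lnk("..\\Documents\\report.docx"))
    (root / "Photos.lnk").write_bytes(build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                                                 "/c start RECYCLER\\S-1-5-21-1234\\photos.vbs"))


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return triage_removable_drive(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real case, point `triage_removable_drive` at a read-only mount or a copied image of the drive; the shortcut's `relative_path` is what Explorer resolves against the .lnk's own location, so a target climbing into a hidden RECYCLER or System Volume Information folder is the classic worm pattern the table describes.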
Vulnerabilities
Every day, manufacturers fix vulnerabilities found in their products to prevent attackers from taking advantage of those flaws. Attackers, in turn, write code and malware capable of exploiting them in applications or operating systems; such code is called an exploit. Through an exploit, an attacker can gain unauthorized access to, or control over, the application and/or operating system. The graph below shows the average number of exploit notifications between 03/07/2022 and 03/08/2022 in Brazil:
The peak days were:
- 04/07/2022 - 7180 notifications
- 06/07/2022 - 6711 notifications
- 11/07/2022 - 6665 notifications
What is most striking is that such an old vulnerability is the most exploited in Brazil. CVE-2011-3402, disclosed in November 2011 after being used in the wild by the Duqu malware, is a flaw in the TrueType font parsing code of the Windows kernel-mode driver win32k.sys. It affects legacy Microsoft systems that have been out of support for a long time, such as Windows XP, Windows Server 2003 and Windows Vista (Windows 7 and Windows Server 2008 were also affected and patched at the time). It allows an attacker to execute arbitrary code in kernel mode via crafted font data embedded in a Word document or web page.
A good vulnerability management strategy also involves keeping assets on the latest versions as far as possible, closing off loopholes that have already been resolved by patches released by the manufacturers.
The Microsoft bulletin with the updates for this fix is Microsoft Security Bulletin MS11-087 - Critical.
Ransomware
Data hijacking causes immense inconvenience for companies, especially for CSIRTs, which deal directly with handling security incidents. In many cases the teams even have to make contact with the criminals demanding the ransom, in search of evidence that can help identify them.
For the second month in a row, the top threat was Trojan-Ransom.WIN32.Phny.a, with 56.54% of ransomware attacks in Brazil. This detection corresponds to the WannaCry family, which has been active since 2017.
It's worth remembering that, since 2017, WannaCry has hit more than 200,000 systems, making it responsible for one of the biggest ransomware attacks of all time.
This attack is still ongoing and, as seen in the graph above, many Brazilian systems have been hit in recent months. WannaCry spreads by exploiting the SMBv1 flaw that Microsoft fixed in March 2017 with MS17-010, two months before the outbreak, so every infection seen in 2022 is a machine that has gone more than five years without that patch. This should serve as a warning that antivirus signatures and patches must always be kept up to date.
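Because WannaCry's worm component needs a target that still negotiates SMB1 on TCP/445, an inventory of which hosts still speak SMB1 is a quick way to find the machines most likely to be feeding the numbers above. The script below is an added example, not code from the ISH report: it builds an SMB1 NEGOTIATE request as described in MS-CIFS (NetBIOS session header, 32-byte SMB header, one dialect string), sends it, and reads the DialectIndex the server returns. `sample_response` is a constructed reply used to exercise the parser offline, not a real capture. A positive result only means SMB1 is enabled; it does not prove MS17-010 is missing, which must be confirmed from the patch inventory or a dedicated check such as Nmap's smb-vuln-ms17-010 script. Only probe hosts you are authorized to test.

```python
import socket
import struct
import sys

# Dialects offered, in order; the server answers with the index of the one it accepted.
DIALECTS = ("NT LM 0.12",)
SMB_COM_NEGOTIATE = 0x72
# 32-byte SMB1 header: protocol, command, status, flags, flags2, PIDHigh, security, reserved, TID, PID, UID, MID
SMB_HEADER = "<4sBIBHH8sHHHHH"


def smb1_header(command: int, flags: int) -> bytes:
    return struct.pack(SMB_HEADER, b"\xffSMB", command,
                       0,               # NT status
                       flags,           # 0x18 = canonical paths + case-insensitive (request)
                       0xC001,          # Flags2: Unicode, NT status codes, long names allowed
                       0, b"\0" * 8, 0, # PIDHigh, SecurityFeatures, Reserved
                       0, 0xFEFF, 0, 0) # TID, PID, UID, MID


def build_smb1_negotiate(dialects=DIALECTS) -> bytes:
    """SMB1 NEGOTIATE request wrapped in a NetBIOS session-message header (type 0, 3-byte length)."""
    dialect_buf = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_buf)) + dialect_buf   # WordCount=0, ByteCount
    smb = smb1_header(SMB_COM_NEGOTIATE, 0x18) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_smb1_negotiate_response(data: bytes, dialects=DIALECTS):
    """Return the dialect the server selected, or None if it rejected SMB1 / replied with an error."""
    if len(data) < 4 + 32 + 3 or data[4:8] != b"\xffSMB" or data[8] != SMB_COM_NEGOTIATE:
        return None                       # empty read, RST, or SMB2-only server
    status = struct.unpack_from("<I", data, 9)[0]
    word_count = data[36]
    if status != 0 or word_count == 0:
        return None
    dialect_index = struct.unpack_from("<H", data, 37)[0]   # first parameter word
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return None                       # 0xFFFF: none of the offered dialects accepted
    return dialects[dialect_index]


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0):
    """Connect to a host and report whether it still negotiates SMB1 (dialect name or None)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(1024)        # a server with SMB1 disabled resets or closes instead
    except OSError:
        return None
    return parse_smb1_negotiate_response(data)


def sample_response(dialect_index: int) -> bytes:
    """Constructed server reply (not a real capture) for exercising the parser offline."""
    words = struct.pack("<H", dialect_index) + b"\0" * 32      # DialectIndex + the other 16 words
    body = struct.pack("<B", 17) + words + struct.pack("<H", 0)  # WordCount=17, ByteCount=0
    smb = smb1_header(SMB_COM_NEGOTIATE, 0x98) + body           # 0x80 = reply flag
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for host in sys.argv[1:]:
        dialect = probe_smb1(host)
        print(f"{host}: {'SMB1 enabled (' + dialect + ')' if dialect else 'SMB1 not negotiated'}")
```

Run it as `python smb1_probe.py 10.0.0.5 10.0.0.6` against your own address ranges; any host that answers with a dialect belongs at the top of the MS17-010 verification list, and on supported Windows versions SMB1 should simply be removed rather than left patched but enabled.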
Offending IP addresses
One of the main traces a digital criminal leaves behind is the offending IP address, and this information is of great value when investigating a cyber threat or attack, since it can be enriched with geolocation data, the usage type of that IP and the domain to which it belongs.
ISH collects and analyzes the malicious activity of these main offenders on a daily basis.
TOP 10 - Domains of origin
TOP 10 - Countries of origin
TOP 10 - Tor Network
The Tor network is still widely used by cybercriminals to carry out attacks as anonymously as possible. Below are the 10 Tor network IP addresses with the most malicious activity reported in July 2022:
Blocklisted IP | Usage Type | Distinct Reports |
37.123.163.58 | Fixed Line ISP | 4,615 |
81.17.18.62 | Data Center/Web Hosting/Transit | 4,523 |
199.249.230.87 | Data Center/Web Hosting/Transit | 4,462 |
81.17.18.58 | Data Center/Web Hosting/Transit | 4,406 |
185.100.86.74 | Data Center/Web Hosting/Transit | 4,251 |
185.220.102.240 | Data Center/Web Hosting/Transit | 4,041 |
185.220.102.250 | Data Center/Web Hosting/Transit | 3,995 |
185.220.102.243 | Data Center/Web Hosting/Transit | 3,937 |
185.220.102.241 | Data Center/Web Hosting/Transit | 3,873 |
62.102.148.68 | Data Center/Web Hosting/Transit | 3,855 |
Malicious Brazilian IP addresses
The Brazilian IP addresses with the highest reports of malicious activity in July 2022, according to our Threat Intelligence platform, were:
Blocklisted IP | Usage Type | Distinct Reports |
138.94.75.17 | Data Center/Web Hosting/Transit | 6,647 |
177.44.208.107 | Fixed Line ISP | 2,506 |
177.200.212.34 | Commercial | 1,325 |
177.43.247.17 | Mobile ISP | 1,299 |
201.13.136.60 | Mobile ISP | 713 |
189.69.204.197 | Mobile ISP | 481 |
187.2.120.21 | Mobile ISP | 329 |
187.57.13.65 | Mobile ISP | 241 |
189.46.131.40 | Mobile ISP | 195 |
The most devastating cyber attacks exploit old weaknesses for which there are already antivirus signatures, patches or containment measures recommended by the manufacturers.
As seen in the body of this report, the number of incidents in Brazil that exploited these old flaws is alarming, and much closer interaction between teams is needed so that these protection measures are applied frequently.
The use of legacy systems should be avoided as much as possible and, if it is essential, it should be done within very controlled environments.
Recommendations:
- Always keep the antivirus signatures and security patches indicated by the manufacturers of the software in use throughout the corporation up to date.
- Maintain a good offline backup strategy (incremental, full, differential), as well as a tested restore strategy, so that an attack affects the environment's availability as little as possible.
- Manage operating system and application versions as centrally as possible. Patch and configuration management tools such as WSUS, Satellite, Ansible and Puppet are highly recommended to keep the fleet on the latest stable versions.
- Automate defenses as far as possible! An indicator of compromise (IoC) can change several times during an attack, and having access to dynamic lists of these indicators can often save a company from a major cyber attack. We recommend MISP as the platform for sharing threat information and consuming these feeds. ISH makes these lists available daily, via integration with their MISP instance, to customers who want them.
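The offending-IP tables above and the MISP recommendation here meet in one routine task: turning a feed event into a blocklist a firewall can load. The script below is an added example, not ISH's integration code; it reads an event in MISP's JSON export format (top-level `Attribute` list plus attributes nested inside `Object` entries), keeps only IP attributes marked `to_ids` and not `deleted`, drops anything in private or reserved space so a bad feed entry cannot block internal traffic, groups the result by /24 to show which ranges keep recurring, and renders an nftables set. `SAMPLE_EVENT` is constructed for the example; its values are the Tor exit addresses from the tables above, and the object wrapper, the deleted entry and the private address are added to exercise the filtering.

```python
import ipaddress
import json
from collections import Counter

# Constructed MISP event (not a real ISH feed), in MISP's JSON export layout.
SAMPLE_EVENT = json.dumps({"Event": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "info": "Tor exits with malicious activity - July 2022 (constructed example)",
    "Attribute": [
        {"type": "ip-src", "value": "37.123.163.58", "to_ids": True, "deleted": False, "comment": "Fixed Line ISP"},
        {"type": "ip-src", "value": "81.17.18.62", "to_ids": True, "deleted": False},
        {"type": "ip-src", "value": "81.17.18.58", "to_ids": True, "deleted": False},
        {"type": "ip-src", "value": "185.220.102.240", "to_ids": True, "deleted": False},
        {"type": "ip-src", "value": "185.220.102.250", "to_ids": True, "deleted": False},
        {"type": "ip-src", "value": "185.220.102.243", "to_ids": True, "deleted": False},
        {"type": "ip-src", "value": "185.220.102.241", "to_ids": True, "deleted": True},   # retracted
        {"type": "comment", "value": "analyst note, never a blocking indicator", "to_ids": False, "deleted": False},
        {"type": "ip-src", "value": "10.0.0.1", "to_ids": True, "deleted": False},        # bad feed entry
    ],
    "Object": [{"name": "ip-port", "Attribute": [
        {"type": "ip-dst", "value": "62.102.148.68", "to_ids": True, "deleted": False},
        {"type": "port", "value": "443", "to_ids": False, "deleted": False},
    ]}],
}})

IP_TYPES = {"ip-src", "ip-dst", "ip-src|port", "ip-dst|port"}


def extract_ip_indicators(event_json: str) -> set:
    """Collect IP attributes flagged to_ids (MISP's 'safe for a blocking control') from one event."""
    event = json.loads(event_json)["Event"]
    attributes = list(event.get("Attribute", []))
    for obj in event.get("Object", []):          # object attributes are nested one level down
        attributes.extend(obj.get("Attribute", []))
    indicators = set()
    for attr in attributes:
        if attr.get("type") not in IP_TYPES or not attr.get("to_ids") or attr.get("deleted"):
            continue
        value = attr["value"].split("|")[0]      # strip the port from ip-xxx|port composites
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            continue                             # malformed value: log it, never block on it
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
            continue                             # never let a feed block your own address space
        indicators.add(ip)
    return indicators


def summarize_prefixes(indicators, prefix_len: int = 24) -> Counter:
    """Count indicators per /24 (or other prefix) to spot ranges that keep reappearing."""
    return Counter(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in indicators)


def render_nft_set(indicators, set_name: str = "ish_blocklist") -> str:
    """Emit an nftables set definition that `nft -f` can load (IPv4 members only)."""
    members = sorted(ip for ip in indicators if ip.version == 4)
    elements = ", ".join(str(ip) for ip in members)
    return (f"table inet filter {{\n  set {set_name} {{\n    type ipv4_addr\n"
            f"    elements = {{ {elements} }}\n  }}\n}}\n")


if __name__ == "__main__":
    ips = extract_ip_indicators(SAMPLE_EVENT)
    for prefix, count in summarize_prefixes(ips).most_common():
        print(f"{prefix}: {count} indicator(s)")
    print(render_nft_set(ips))
```

For a live MISP instance the same extraction applies to each `<event-uuid>.json` listed in a feed's `manifest.json`, or to events fetched with PyMISP; the /24 summary is what tells you that four of the ten Tor addresses above share 185.220.102.0/24, a decision point for blocking the prefix rather than the individual hosts, and also a reminder that Tor exits are shared infrastructure, so blocking them is a policy choice with a known false-positive cost.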
References:
- Heimdall Global Threat Intelligence by ISH
- Kaspersky
- Cyware
- CISA
- Mitre
- Cert.br