Brazil is one of the countries that suffers the most cyber attacks in the world - and this scenario has worsened considerably following the pandemic. Being aware of the threats on the rise in Brazil and around the world is becoming increasingly important and allows us to stay one step ahead of potential attackers, as well as acting more quickly and efficiently in order to detect such threats and avoid possible impacts and damage resulting from them.
TOP 10 THREATS
A cyber threat is a malicious act that aims to damage or steal data and/or disrupt digital services in general. Cyber attacks include threats such as viruses, data breaches and denial of service (DoS) attacks.
In the last month, the most recurrent threats were:
Threat | Description |
HEUR:Trojan.Script.Generic | This family includes programs that have characteristics typical of malicious Trojan scripts, such as executing actions and creating backdoors. |
HEUR:Trojan.MSOffice.Emotet.gen | This family consists of malware that is used to download other malware ("bankers") to the victim's device. The Emotet malware is mainly distributed via phishing emails that contain links to malicious websites or attachments (PDF or Microsoft Word documents). The PDF documents contain links to malicious websites and the Microsoft Word documents contain malicious macros and instructions on how to enable these macros. |
HEUR:HackTool.Win32.KMSAuto.gen, HackTool.Win64.HackKMS.b | Applications in this family can activate unregistered Microsoft software products. Such applications can be used in conjunction with malicious or unwanted software. |
HEUR:Trojan.PDF.Badur.gena | A booby-trapped PDF document[1] with a link leading to a website with questionable content. |
Trojan-Dropper.HTML.Agent.aq | Trojan-Dropper programs are designed to secretly install malicious programs embedded in their code on victims' computers. Such programs are used by hackers to secretly install Trojan Horse programs and/or viruses that protect known malicious programs from being detected by antivirus solutions. |
HEUR:Trojan.Script.Miner.gen | This family includes programs that are malicious scripts used to mine cryptocurrency without the user's knowledge. The mining results go directly into the wallets of criminals. |
HEUR:Hoax.Script.Scaremail.gen | This family includes blackmail e-mail messages that force the user to pay for not disclosing confidential data, even though the attackers don't have this data. |
HEUR:Trojan-Downloader.Win32.Banload.gen, HEUR:Trojan-Downloader.Script.Generic | Trojan family that downloads other malware. This downloaded malware is usually a member of the Win32/Banker family, Trojans that steal bank credentials and other confidential data and send it back to a remote attacker. |
[1] Infected PDF document.
VULNERABILITIES
Every day, manufacturers correct vulnerabilities detected in their products in order to prevent potential attackers from taking advantage of these flaws. Hackers usually write code and malware, known as exploits, capable of taking advantage of these flaws in applications or operating systems. During an exploit, an attacker can gain unauthorized access to or use of the application and/or operating system.
The graph below shows the average number of exploitation notifications between 07/03/2022 and 08/04/2022 in Brazil:
The peak days were:
- 14/03/2022 - 6,998 notifications
- 17/03/2022 - 6,930 notifications
- 04/04/2022 - 7,881 notifications
Exploit:W32/CVE-2011-3402.A is a generic detection that identifies malicious font files that can be used to exploit a known vulnerability in the TrueType font parsing engine in specific versions of the Windows operating system. If used successfully, this exploit can allow the execution of malicious code contained in specially crafted font data on a web page or Word document. This exploit is known to be used by malware such as the Cool exploit kit, which is associated with the distribution of the Reveton ransomware, and the Duqu backdoor.
RANSOMWARE
Ransomware is a cyber attack that is gaining more and more notoriety, and it is an extremely important issue for the security of any company's infrastructure. These attacks are growing year on year and, with services such as RaaS (Ransomware as a Service)[1], ransomware has become popular and accessible even to attackers with limited knowledge.
In the last month, the main threat was Trojan-Ransom.WIN32.Phny.a, still in first place with 43.38% of attacks in Brazil. This Trojan is part of the WannaCry family, encryption ransomware that has been active since 2017.
[1] It works like an affiliate program, in which the ransomware developers provide the malicious program to their affiliates (attackers), usually with monthly fees or agreements in which the percentage of profit for both parties is established.
IOCS
As a way of helping with the rapid detection of threats, we have selected the most recurrent indicators in attacks in Brazil over the last month. These include MD5 hashes, URLs and C&C (Command and Control) servers.
These indicators help detect data breaches, malware infections or other malicious activities. By monitoring indicators of compromise, you can detect attacks and act quickly to prevent breaches from occurring or limit the damage by stopping attacks at an early stage.
TOP 10 MD5
The most observed hash was from the malware category, HEUR:Trojan.Script.Generic.
- MD5: B031E991F354D7FA51E7682452B3D5C1
- First seen: March 21, 2022
- VirusTotal detection rate as of 07/04/2022: 7/57
- Class: Malware
HEUR:Trojan.Script.Generic is a heuristic detection[1] designed to generically detect a Trojan horse, a program that, in addition to performing the functions for which it was apparently designed, also performs other, usually malicious, functions without the user's knowledge.
[1] Heuristics is a technology designed to detect malicious code proactively, i.e. without the need to rely on a specific signature. In this way, the security solution analyzes a file and compares its behavior with certain patterns that may indicate the presence of a threat. For each action performed by the file, a score is assigned. Therefore, if this number is higher than a certain value, it will be classified as probable new malware. Source: welivesecurity.
Globally, this hash has a much higher incidence in Brazil, with more than 157,000 detections, followed by the United States, with around 2,200 detections in the last month.
It can be seen that there was a peak in the detection of the hash mentioned between 21/03/2022 and 23/03/2022, with more than 70,000 detections.
Top 10 MD5 | Description | Name(s) |
B031E991F354D7FA51E7682452B3D5C1 | HEUR:Trojan.Script.Generic | b28c12f432f7faab266a67f8116f1b341fa5aa4dce0a965fca8adca2a0fc3945 anexo_2020098492784.html |
C3D11B1DEADC4C0736C520CDE8143BE5 | - | - |
024603BC678EC0B0C5C85F76B01DBF56 | - | anexo_2020098492784.html |
754F13D7FDD0DDF9AACA24AC8526E0C0 | - | anexo_2020098492784.html |
3B760FA0DC2F3719311336A60FF409F9 | - | 7ebe91aa8f20b8d4393d73e9484441bed6b28f1d5121db3b7f6ff4b076a4694f_1647522059789_anexo_2020098492784 |
9B0951269B64ADD3658B908FD2C02E07 | - | 34a1d8c1898c71f91d43e05788adb9ac1827d38ad7f9b3fb219e67be27ed0797 anexo_2020098492784.html |
FC5A81A9B840740B02BBBBE8F2BB6920 | - | anexo_2020098492784.html |
335EB95FA1FADBE89A54A32110F70186 | - | anexo_2020098492784.html |
DA3EF275E8A08E20A6A006A945C61193 | - | anexo_2020098492784.html |
20ED258BB98E83EC5DB43DAEE1FD609E | - | anexo_2020098492784.html |
It's important to note that most of the hashes mentioned above are related to the same file name, anexo_2020098492784.html, from which it can be deduced that a phishing/malware campaign was, or still is, being run.
If you look at the hash 9B0951269B64ADD3658B908FD2C02E07, you can see that it is linked to emails supposedly sent by Fazenda.Gov. During the tax return period, it is normal and expected that criminals will use this theme to carry out phishing attacks.
The hash 20ED258BB98E83EC5DB43DAEE1FD609E shows a relationship with the following MITRE ATT&CK tactics and techniques:
TOP 10 URLS
As far as the URL is concerned, the tinyurl2.ru domain was the most frequently found, mainly affecting countries such as Brazil, India, the United States and Colombia. In Brazil, the number of detections reached 48,008.
TOP 10 C&C - COMMAND AND CONTROL
A Command and Control (C&C) server is a computer controlled by an attacker or cybercriminal that is used to send commands to systems compromised by malware and receive data stolen from a target network.
In the TOP 10 C&C of the last month, the domain iustinus-agi.com was observed numerous times and categorized as Malware and Botnet C&C (Backdoor.Win32.Shiz).
According to the image, the countries most affected are: United States, Brazil, Germany, Spain and the United Kingdom.
Some information about this domain is detailed below, such as IP addresses and files hosted on the server.
URLs hosted on the server:
- iustinus-agi.com/zcredirect
- iustinus-agi.com/zcvisitor
IP addresses that resolve to this server:
Files related to this IP:
Status | MD5 | Name |
Malware | 45DE073220D50C54B2720A748E83E265 | VHO:Trojan-Proxy.Win32.Windigo.aq |
Malware | C660ECE3DB968142A90A3B2641DA4490 | HEUR:Backdoor.Win32.Generic |
Malware | C1DCBF6290D85ED01AA92A6A7803CAFB | PDM:Trojan.Win32.Generic |
Malware | ABDE47D530FF41C46046EEEF811B506D | BSS:Trojan.Win32.Generic |
Adware | 2716794273A6C673AD02C1FE5C896450 | BSS:Trojan.Win32.Generic |
Adware | 6B22DF52CA4368CA364B45045AECAE55 | BSS:Trojan.Win32.Generic |
Adware | 6786269D385D61CBAA5121117B5B497A | BSS:Trojan.Win32.Generic |
Adware | 68763433E6C2E98AA44F1ADF075A7664 | BSS:Trojan.Win32.Generic |
Adware | 45DFE2096EDDEE0AE988C1103137229F | BSS:Trojan.Win32.Generic |
Adware | D967AEB7E2D98F068DD37C4D29E16D8A | BSS:Trojan.Win32.Generic |
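As an added example that is not part of the bulletin, the following Python matcher shows how the indicators above can be applied to logs in practice: it takes three MD5 hashes and the attachment name from the TOP 10 MD5 table, plus the tinyurl2.ru and iustinus-agi.com domains, and scans constructed mail-gateway and proxy log lines (the log format and the sample lines are assumptions, not real data).

```python
import re
from urllib.parse import urlsplit

# Indicators taken from this bulletin: MD5 hashes and attachment name from
# the TOP 10 MD5 table, the top URL domain and the C&C domain.
IOC_MD5 = {
    "b031e991f354d7fa51e7682452b3d5c1",
    "9b0951269b64add3658b908fd2c02e07",
    "20ed258bb98e83ec5db43daee1fd609e",
}
IOC_FILENAMES = {"anexo_2020098492784.html"}
IOC_DOMAINS = {"tinyurl2.ru", "iustinus-agi.com"}

# Constructed sample log lines in a key=value style (not real logs).
SAMPLE_LOGS = """\
2022-03-21T10:02:11Z type=mail from=cobranca@example.invalid attachment=Anexo_2020098492784.HTML md5=B031E991F354D7FA51E7682452B3D5C1
2022-03-21T10:05:40Z type=proxy client=10.0.0.15 url=http://tinyurl2.ru/abc123
2022-03-22T08:14:02Z type=proxy client=10.0.0.22 url=https://cdn.iustinus-agi.com/zcredirect?id=7
2022-03-22T09:00:00Z type=proxy client=10.0.0.9 url=https://example.org/report.pdf
2022-03-22T09:30:00Z type=mail from=hr@example.invalid attachment=folha.pdf md5=0123456789abcdef0123456789abcdef
"""

KV = re.compile(r"(\w+)=(\S+)")

def host_matches(host, domains):
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def scan_line(line):
    """Return the IoC types (md5, filename, domain) matched by one log line."""
    fields = dict(KV.findall(line))
    hits = []
    if fields.get("md5", "").lower() in IOC_MD5:          # hashes compared case-insensitively
        hits.append("md5")
    if fields.get("attachment", "").lower() in IOC_FILENAMES:
        hits.append("filename")
    url = fields.get("url")
    if url and host_matches(urlsplit(url).hostname or "", IOC_DOMAINS):
        hits.append("domain")
    return hits

def scan_logs(text):
    """Map the timestamp of each matching line to the IoC types it hit."""
    report = {}
    for line in text.splitlines():
        hits = scan_line(line)
        if hits:
            report[line.split()[0]] = hits
    return report

if __name__ == "__main__":
    for ts, hits in scan_logs(SAMPLE_LOGS).items():
        print(ts, ", ".join(hits))
```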
In addition, other C&Cs have also occurred in Brazil and can be seen below:
THREATS AROUND THE WORLD
Some threats that are present around the world also significantly affect Brazil. Some ransomware groups, for example, have no geographical boundaries that prevent them from acting.
THE WAR IS STILL GOING ON
The war between Russia and Ukraine is still relevant on the cyber security scene. As long as the conflict remains unresolved, many hacktivist groups will take part in this fight as they see fit, targeting companies doing business in Russia in retaliation.
SPRING4SHELL
Considered to be the new Log4j, Spring4Shell is an important vulnerability that allows remote code execution (RCE) and affects spring-core, a framework widely used for developing Java applications.
It is advisable to apply the security recommendations provided by the developer:
HIVE
Also claiming victims here in Brazil, the Hive ransomware was first observed in June 2021 and probably operates as an affiliate-based ransomware, using a wide variety of Tactics, Techniques and Procedures (TTPs), making it a challenge to defend against and mitigate.
Hive has been observed around the world and detections show that Hive ransomware attack attempts against organizations have been most observed in South America, with Argentina receiving the highest number, followed by Brazil.
CONCLUSION
Given this scenario, it is clear that Brazil still needs to improve its digital posture. Several new threats emerge every day, increasingly resilient and complex, requiring organizations to pay more attention and care to their assets, invest in training for their users and constantly update.
The data reported in this bulletin helps to mitigate and prevent the threats currently in the spotlight and the following recommendations are an important complement to combating possible attacks.
RECOMMENDATIONS
1. Keep data backups encrypted and offline and test them frequently. Backup procedures should be carried out regularly. It is important that backups are kept offline, as many variants of ransomware try to locate and delete or encrypt accessible backups.
2. Create, maintain and execute a basic cyber incident response plan, a recovery plan and an associated communications plan.
- The cyber incident response plan should include response and notification procedures for ransomware incidents. We recommend the CISA and Multi-State Information and Sharing Center (MS-ISAC) Joint Ransomware Guide for more details on creating a cyber incident response plan.
- The recovery plan should address how to operate if you lose access or control of critical functions. CISA offers no-cost, non-technical cyber resilience assessments to help organizations evaluate their operational resilience and cyber security practices.
3. Mitigate Internet-facing vulnerabilities and misconfigurations to reduce the risk of actors exploiting this attack surface:
a. Employ best practices for the use of Remote Desktop Protocol (RDP) and other remote desktop services. Threat actors usually gain initial access to a network via exposed and poorly protected remote services and subsequently propagate the ransomware.
Audit the network for systems using RDP, close unused RDP ports, enforce account lockouts after a specified number of attempts, apply multi-factor authentication (MFA) and log RDP login attempts.
b. Perform regular vulnerability scans to identify and resolve vulnerabilities, especially those in Internet-facing devices. CISA offers a range of free cyber hygiene services, including vulnerability scanning, to help critical infrastructure organizations assess, identify and reduce their exposure to cyber threats such as ransomware. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risks and mitigate attack vectors.
c. Update software, including operating systems, applications and firmware, in a timely manner. Prioritize timely patching of critical vulnerabilities and vulnerabilities in Internet-facing servers - as well as Internet data processing software such as web browsers, browser plug-ins and document readers. If rapid remediation is not feasible, implement vendor-provided mitigations.
d. Make sure that the devices are configured correctly and the security features are activated; for example, disabling ports and protocols that are not being used for a business purpose.
e. Disable or block the incoming and outgoing SMB (Server Message Block) protocol and remove or disable outdated versions of SMB.
4. Reduce the risk of phishing emails reaching end users:
a. Enable spam filters.
b. Implement a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity (e.g. phishing) or incidents.
5. Use the best cybersecurity practices available:
a. Ensure that all anti-virus, anti-malware and signature software is up to date.
b. Implement application allowlisting.
c. Ensure that user accounts and privileges are limited through account usage policies, user account control and privileged account management.
d. Employ MFA for as many services as possible, especially for webmail, virtual private networks (VPNs) and accounts that access critical systems.
REFERENCES
- Kaspersky
- welivesecurity.com
- F-Secure
- TrendMicro
- cisco.com
- nist.gov