By Caique Barqueta: To help spread cybersecurity awareness and keep the technology community in Brazil informed of the main developments, this article presents the main data collected on attacks aimed at ISH Tecnologia's external collectors in Brazil.
The focus is on which services threat actors target most, attack statistics, the credentials used in brute force attempts and any other information relevant to the market for the period of June 2024.
Indicators of compromise and indicators of attack can be obtained from the feeds provided by ISH Tecnologia's Threat Intelligence team, known as Heimdall.
Statistics collected
In this section we cover the different types of information and data collected, with the aim of supporting cyber maturity.
Countries with the most targeted attacks
Among the data collected, we rank the countries that sent the most requests to our external collectors in June:
Credentials used for Brute Force purposes
Another relevant finding that can help organizations is that external threat actors routinely go after services left with default account settings, such as the plain "admin" user, to gain access to a variety of tools.
Some of the main usernames and passwords attempted are listed below:
Information related to DDoS attacks
Another relevant set of indicators concerns attacks targeting specific ports, especially port 53, used by the DNS (Domain Name System) service. This port is a frequent target of denial of service attacks, which can leave services unavailable; DNS is also abused as a reflector, since an open recursive resolver will answer spoofed queries with responses far larger than the query itself.
For port 53 alone, more than 470,000 attacks originating from different countries were identified, which were classified as follows:
The highest peak of attacks on this port occurred around 12:00 pm (BRT) on June 17, resulting in more than 43,000 requests. The most active country was China, responsible for 41,000 of these requests.
Information related to attacks on port 22
One of the ports most targeted by threat actors is port 22, the default port of the SSH (Secure Shell) protocol, which allows remote administration of systems and execution of commands on servers, among other things.
For this port alone, more than 200,000 attacks were recorded, with the countries responsible listed below:
In addition to the countries, we also present the top 5 ASNs (Autonomous System Numbers) to which the IP addresses responsible for the attacks on the collectors belong:
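The two patterns described above, password guessing on port 22 and query floods on port 53, are both "too many events from one source in a short time" problems, so one sliding-window counter serves both. The following is an added example and is not ISH Tecnologia's collector code: the sshd log lines and the DNS query events are constructed for illustration, the sensor name, IP addresses, timestamps and thresholds are assumptions, and the year is assumed because syslog timestamps do not carry one.

```python
"""Sliding-window detection of SSH password guessing and DNS query floods.

Added example for this bulletin, not ISH Tecnologia's collector code.
The sshd lines and DNS events below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

# Constructed sshd lines (syslog format, year assumed to be 2024):
# 203.0.113.7 guesses six passwords in five seconds, 198.51.100.4 tries
# one password every ten minutes ("low and slow").
SAMPLE_AUTH_LOG = """\
Jun 17 12:00:01 sensor sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 17 12:00:02 sensor sshd[2232]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun 17 12:00:02 sensor sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jun 17 12:00:03 sensor sshd[2234]: Failed password for invalid user user from 203.0.113.7 port 51025 ssh2
Jun 17 12:00:04 sensor sshd[2235]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jun 17 12:00:05 sensor sshd[2236]: Failed password for invalid user test from 203.0.113.7 port 51027 ssh2
Jun 17 12:00:09 sensor sshd[2240]: Failed password for root from 198.51.100.4 port 40001 ssh2
Jun 17 12:10:09 sensor sshd[2301]: Failed password for root from 198.51.100.4 port 40002 ssh2
Jun 17 12:20:09 sensor sshd[2350]: Failed password for root from 198.51.100.4 port 40003 ssh2
Jun 17 12:30:09 sensor sshd[2401]: Failed password for root from 198.51.100.4 port 40004 ssh2
Jun 17 12:40:09 sensor sshd[2452]: Failed password for root from 198.51.100.4 port 40005 ssh2
Jun 17 12:41:00 sensor sshd[2460]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year, so the caller supplies it (UTC assumed)."""
    dt = datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()


class SlidingWindowCounter:
    """Per-key event count over a trailing window; events must arrive in time order."""

    def __init__(self, window, threshold):
        self.window, self.threshold = window, threshold
        self._events = defaultdict(deque)
        self.flagged = {}  # key -> timestamp at which the threshold was first reached

    def add(self, key, ts):
        q = self._events[key]
        q.append(ts)
        while ts - q[0] > self.window:  # evict events older than the window
            q.popleft()
        if len(q) >= self.threshold and key not in self.flagged:
            self.flagged[key] = ts
        return len(q)


def detect_ssh_bruteforce(log_text, window=60, threshold=5):
    """Return (flagged source IPs, Counter of usernames tried) from sshd log text."""
    counter = SlidingWindowCounter(window, threshold)
    usernames = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated events are not failures
        counter.add(m["ip"], parse_ts(m["ts"]))
        usernames[m["user"]] += 1
    return counter.flagged, usernames


# Constructed DNS query events (source IP, unix timestamp, query type):
# 203.0.113.9 sends 300 ANY queries at 200/s, 192.0.2.55 ten A queries 5 s apart.
BASE_TS = 1718625600.0  # 2024-06-17 12:00:00 UTC
SAMPLE_DNS_EVENTS = (
    [("203.0.113.9", BASE_TS + i * 0.005, "ANY") for i in range(300)]
    + [("192.0.2.55", BASE_TS + i * 5.0, "A") for i in range(10)]
)
AMPLIFIABLE = {"ANY", "TXT", "DNSKEY", "RRSIG"}  # answers many times larger than the query


def detect_dns_flood(events, window=1.0, threshold=150):
    """Return (flagged sources, Counter of amplification-prone queries per source)."""
    counter = SlidingWindowCounter(window, threshold)
    amplifiable = Counter()
    for src, ts, qtype in sorted(events, key=lambda e: e[1]):
        counter.add(src, ts)
        if qtype in AMPLIFIABLE:
            amplifiable[src] += 1
    return counter.flagged, amplifiable


if __name__ == "__main__":
    print("SSH, 60 s window:", detect_ssh_bruteforce(SAMPLE_AUTH_LOG))
    print("SSH, 1 h window: ", detect_ssh_bruteforce(SAMPLE_AUTH_LOG, window=3600)[0])
    print("DNS:", detect_dns_flood(SAMPLE_DNS_EVENTS))
```

With the default 60-second window only 203.0.113.7 is flagged; the "low and slow" source 198.51.100.4 never has more than one failure inside the window and is caught only when the window is widened to an hour. That trade-off is exactly what a Fail2Ban findtime/maxretry pair encodes, and the username tally is how the "admin"/"root" statistics above are produced from raw logs. The DNS half flags a source by query rate and separately counts ANY-type queries, the usual bait for amplification, so the two signals can be correlated.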
Information related to attacks on ports 445 and 1433
Another frequently targeted port is 445, used by the SMB (Server Message Block) protocol, which allows files, printers and other resources to be shared.
As a reminder of this protocol's history of vulnerabilities, the EternalBlue flaw (MS17-010) in SMBv1 was widely exploited by ransomware such as WannaCry and NotPetya. More than 400,000 activities were recorded on this port alone.
Another relevant port is 1433, the default port of Microsoft SQL Server, used by clients and database administrators to reach their SQL instances.
A key point here is the capture of the authentication attempts made by threat actors against the SQL service; the usernames and passwords tried are listed below:
Information related to attacks on ICS/SCADA services
We also collect information from industrial services, mainly to anticipate the principal attacks carried out by threat actors against specific industries and systems.
The top 10 countries of origin of the IP addresses responsible for the most frequent attacks are:
This category includes services such as the SNMP protocol (port 161), Microsoft RPC (port 1025), the IEC 60870-5-104 standard for control and supervision of electricity networks and SCADA systems (port 2404), and devices that use LON for communication (port 10001), such as building and industrial automation.
Main commands executed
Another important detail is the set of commands that actors run when interacting with the systems. The collectors record the commands passed in connections and requests from potentially malicious IP addresses, which are listed below:
Files identified and captured by collectors
In addition to the commands, the collectors captured a list of files and indicators related to possible malicious files used to establish backdoors and deploy cryptominers; one of them could be identified as a sample of the well-known Mirai botnet.
Indicators of compromise of the Miner Trojan (Crypto)

| # | MD5 | SHA-1 | SHA-256 |
|---|-----|-------|---------|
| 1 | c58b0c5c4b79f38024640017c85cb29b | 004fd9713962de7a245388f084e5ba1f9c137512 | 2497ed422b8667ae58fe7fa22acf5761632e433d48504e5083c8b7c95d3420ff |
| 2 | b901d69f8fa11394a64ae1cc0b6d7497 | 3d9400a9ec4cce61a6b6807d953f483a048e571c | 39065179218c0180437d69a220df7714ab6b065aec7b7837d4dd85c6199e888a |
| 3 | e99f9382de93223afbbaef8ec64a250b | 3550280d650b9b8a2faf99714f7cb77ad1811341 | 47b268c21591069bfe4099833ad66b8138a53ab2dcb866e040d466aee1f8624c |
| 4 | 244dab3dede7bd0c1fea893fec36a1d5 | 2891062b32a865055ed9317897b271dd548f3a9d | 4b8d9950fd27cb8021d03ad980248bf0a7b8a276bbb3fa2083402f531b6209b1 |
| 5 | 50d98cac2b0ad85fc7f6ded000ea0ea3 | 2737299e0391e1892b48f90aae625752b2de1b9f | a843ac9c087f399fbf8ef10fec872a732c9cf97c2cd249566a6133a2cebdc0c1 |
| 6 | 3bd757f9d88773d7130598701bbb8cae | 40b9328b7c5e59440c8b3ff140598aa81554efd4 | ea9f3911ff2884621874c1e98b5dc9139964adeab333b92816eb5c307d73a67f |
| 7 | 6ea9618ee8fb18c097e023704172a104 | 771e2940413db535ecef22d1f6c44fa0fbeaa6f5 | 88dc89bf303026c3ea273d879148e308a503cb211538f4cc47b667cf9f43bebb |
| 8 | b99d23a829926888e7be575ed96c6a51 | e50343b161af02e1523ee382ca29bb9af430ae10 | 8fc5d13238daba3a4986d674ad885f81850c67000c7f4f57df707f5d810ad241 |
| 9 | 5d48c415e18f49f27e5e038ad59f5997 | 61447991965ddae6159dc993987c5b9329a8e101 | 9ef2ef02376445bf4c145820c0c81f2bbe0b96f2017278562e0bd259bf7bd061 |
| 10 | 2e4ac48e6a716e4ebb19942a6e1ba71c | 0b5f3da0ad9c3f30a5eee4f266b28f71dc5c1f50 | 19a06de9a8b66196fa6cc9e86824dee577e462cbeaf36d715c8fea5bcb08b54d |
| 11 | 07db7c34621453db287722245085c5b4 | 9d4f2640b89c148e70953d49eb6d7d1867c182d2 | ab897157fdef11b267e986ef286fd44a699e3699a458d90994e020619653d2cd |
| 12 | ad7e6d767dbecea73c431c59870d969d | 3943d4264c4bc1dcff12cca5550e0cea96c219a4 | 0a544f1dc2b259d9960e70b2b8a140bc2622cd66f7344c31087348609ac98f43 |

Source indicators

| Type | Value |
|------|-------|
| URL | http[:]//93[.]123.85.120/fenomenal[.]sh |
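A practical way to use the indicators above is to sweep hosts for the published SHA-256 values and to feed the refanged URL to a blocklist or threat-intelligence lookup. The following is an added example, not ISH Tecnologia's tooling: the hash set is copied from the table above, while the directory layout, file names and contents created by demo() are constructed, benign and will not match any real indicator (the demo adds its own file's hash to a copy of the set purely to show what a hit looks like).

```python
"""Hunt for the file hashes published in this bulletin and refang its URL.

Added example, not ISH Tecnologia's tooling. The hash set is copied from
the IOC table above; the files created by demo() are constructed, benign
and do not match any of them.
"""
import hashlib
import os
import tempfile

# SHA-256 values from the bulletin's IOC table. MD5 and SHA-1 are listed
# there for cross-referencing older feeds; match on SHA-256.
IOC_SHA256 = {
    "2497ed422b8667ae58fe7fa22acf5761632e433d48504e5083c8b7c95d3420ff",
    "39065179218c0180437d69a220df7714ab6b065aec7b7837d4dd85c6199e888a",
    "47b268c21591069bfe4099833ad66b8138a53ab2dcb866e040d466aee1f8624c",
    "4b8d9950fd27cb8021d03ad980248bf0a7b8a276bbb3fa2083402f531b6209b1",
    "a843ac9c087f399fbf8ef10fec872a732c9cf97c2cd249566a6133a2cebdc0c1",
    "ea9f3911ff2884621874c1e98b5dc9139964adeab333b92816eb5c307d73a67f",
    "88dc89bf303026c3ea273d879148e308a503cb211538f4cc47b667cf9f43bebb",
    "8fc5d13238daba3a4986d674ad885f81850c67000c7f4f57df707f5d810ad241",
    "9ef2ef02376445bf4c145820c0c81f2bbe0b96f2017278562e0bd259bf7bd061",
    "19a06de9a8b66196fa6cc9e86824dee577e462cbeaf36d715c8fea5bcb08b54d",
    "ab897157fdef11b267e986ef286fd44a699e3699a458d90994e020619653d2cd",
    "0a544f1dc2b259d9960e70b2b8a140bc2622cd66f7344c31087348609ac98f43",
}
DEFANGED_URL = "http[:]//93[.]123.85.120/fenomenal[.]sh"


def refang(text):
    """Undo bracket/hxxp defanging so the value can go to a blocklist or
    lookup API (never open the result in a browser)."""
    return text.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def defang(url):
    """Bracket the scheme separator and every dot for safe publication."""
    return url.replace("://", "[:]//").replace(".", "[.]")


def hash_file(path, chunk_size=1 << 16):
    """Return (md5, sha1, sha256) hex digests, streaming so large files fit in memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def sweep(root, iocs=IOC_SHA256):
    """Walk `root` and return [(path, sha256)] for files whose SHA-256 is in `iocs`."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                _, _, digest = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            if digest in iocs:
                hits.append((path, digest))
    return hits


def demo():
    """Constructed scenario: two benign files; the hash of one is added to a
    copy of the IOC set so a hit is produced. Returns (hits, planted_sha256)."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "tmp", "x86")  # assumed drop path, not from the bulletin
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as fh:
            fh.write(b"constructed sample, not malware\n")
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("nothing to see here\n")
        planted_sha256 = hash_file(planted)[2]
        hits = sweep(tmp, iocs=IOC_SHA256 | {planted_sha256})
        return [(os.path.relpath(p, tmp), d) for p, d in hits], planted_sha256


if __name__ == "__main__":
    print(refang(DEFANGED_URL))
    print(demo())
```

On a real host, sweep() would be pointed at the directories the cryptominer and Mirai samples usually land in (world-writable temporary directories are the usual choice) and the hit list forwarded to the incident process; streaming the digest keeps memory flat on large files, and skipping unreadable files keeps one permission error from aborting a whole sweep.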
Security recommendations
Based on the information disclosed in this bulletin, ISH Tecnologia presents the following mitigations and recommendations:
- Protection against attacks on Port 53 (DNS)
DNSSEC validation: enable DNSSEC (DNS Security Extensions) validation on resolvers so that forged or poisoned responses are rejected. Note that DNSSEC protects integrity, not availability: it does not stop a flood, and signed responses are larger, so an open resolver with DNSSEC enabled is a better amplifier; this makes the next two items more important, not less.
Response Rate Limiting (RRL): limit identical responses per client per second on authoritative servers, and query rates on resolvers, to blunt floods and amplification abuse.
No open recursion: configure your DNS servers to accept recursive queries only from trusted networks; an open resolver answers spoofed queries on the attacker's behalf and is the classic reflector.
Traffic monitoring and analysis: regularly monitor DNS traffic for abnormal patterns, such as query spikes from a single source or an unusual share of ANY queries, that could indicate an attack.
- Protection against Brute Force attacks
Multifactor authentication (MFA): always use MFA to add a second factor on top of passwords, so a guessed password alone is not enough.
Account lockout and delays: lock accounts or introduce progressive delays after several failed login attempts. Prefer rate limiting and delays over hard lockouts where an attacker could otherwise lock legitimate users out by deliberately failing logins.
Strong password policies: require long, unique passwords, reject known-breached values and default pairs such as the "admin" credentials captured by the collectors, and never leave vendor default accounts enabled.
Intrusion detection tools: use tools that detect and alert on suspicious or abnormal login attempts, such as many failures from one source or one username tried across many hosts.
- Protection against attacks on port 22 (SSH)
SSH keys instead of passwords: authenticate with keys and set PasswordAuthentication no (and PermitRootLogin prohibit-password or no) in sshd_config, so that the credential guessing seen on port 22 cannot succeed at all.
Change the default port: moving SSH off port 22 reduces noise from opportunistic scanners, but it is obscurity rather than a control; internet-wide scanners enumerate all ports, so treat it only as a complement to the other measures.
Access Control List (ACL): restrict SSH access to the necessary source IP addresses only, minimizing exposure.
Fail2Ban or similar tools: automatically block IPs that show suspicious behaviour, such as repeated failed login attempts within a short window.
- Protection against attacks on Port 445 (SMB/CIFS)
Disable SMBv1: disable SMBv1, the protocol version attacked by MS17-010, and require SMBv2 or SMBv3; enable SMB signing where the environment supports it.
Firewall: Block access to port 445 for incoming and outgoing traffic from untrusted sources on the Internet. Allow only on secure internal networks, if necessary.
VPN: If remote access to files is required, use a secure VPN instead of exposing port 445 directly to the internet.
Patches and Updates: Keep the operating system and associated software up to date to protect against known vulnerabilities.
- Protection against Port 1433 attacks (Microsoft SQL Server)
Strong authentication: prefer Windows Authentication (Kerberos) over SQL Server authentication; where SQL logins are unavoidable, enforce strong passwords and lockout policies and disable or rename the built-in sa account, a perennial target of credential guessing.
Firewall: restrict access to port 1433 to trusted IPs or subnets only. Ideally, the database should not be reachable directly from the internet at all.
Data encryption: enable TLS for connections to SQL Server (Force Encryption) to protect credentials and data in transit.
Auditing and Monitoring: Implement auditing for database access and queries and use monitoring solutions to detect suspicious activity.
- Protection against attacks on ICS/SCADA systems
Network Segmentation: Physically or virtually separate ICS/SCADA networks from the rest of the corporate IT infrastructure.
Access Controls: Implement role-based access controls with strong authentication and least privilege management.
Updates and Patches: Ensure that all ICS/SCADA devices have up-to-date software and are regularly reviewed for vulnerabilities.
Training and Awareness: Ensure that ICS/SCADA personnel are well trained in cybersecurity practices and aware of current threats.
References
- Heimdall by ISH Tecnologia