Security insights: June's main attack indicators

By Caique Barqueta: As part of our effort to spread cybersecurity awareness and keep the technology community in Brazil informed of the main developments, this article presents the main data collected on attacks potentially aimed at ISH Tecnologia's collectors in Brazil.

The main focus is to present which services are most targeted by threat actors, attack statistics, the credentials used in brute force attacks and any other information relevant to the market for June 2024.

Compromise indicators and attack indicators can be obtained from the feeds provided by ISH Tecnologia's Threat Intelligence team, known as Heimdall.

Statistics collected

In this section, we will cover different topics on the types of information and data collected, with the aim of aiding cyber maturity.

Countries with the most targeted attacks

Among the data collected, we rank the countries that sent the most requests to our external collectors in June.

Top 10 countries with the most requests and collector activities

Credentials used for Brute Force purposes

Another relevant piece of data collected that can help organizations is the finding that external threat actors often exploit services that have standardized access account settings, such as the simple use of "admin" (user) to access various tools.

Check out some of the main users and passwords used for access:

Top 20 user credentials and passwords used to brute force services

Information related to DDoS attacks

Another relevant piece of information is the set of indicators collected on attacks targeting specific ports, especially port 53, used by the DNS (Domain Name System) service. This port is a frequent target of denial of service attacks, which can leave services unavailable.

For port 53 alone, more than 470,000 attacks originating from different countries were identified, which were classified as follows:

Top 10 countries with the most requests and activities directed at port 53

The highest peak of attacks on this port occurred around 12:00 pm (BRT) on June 17, resulting in more than 43,000 requests. The most active country was China, responsible for 41,000 of these requests.

Information related to attacks on port 22

One of the ports most targeted by threat actors is port 22, which uses the SSH (Secure Shell) protocol, allowing remote administration of systems, execution of commands on servers, among other things.

For this port alone, more than 200,000 attacks were recorded, with the countries responsible listed below:

Top 10 countries with the most requests and activities directed at port 22

In addition to the countries, we also present the top 5 ASNs (Autonomous System Numbers) identified from the IP addresses responsible for the attacks on the collectors, as listed below:

Top 5 ASNs (internet service providers)

Information related to attacks on ports 445 and 1433

Another port frequently targeted by threat actors is port 445, corresponding to the SMB (Server Message Block) protocol, which allows files, printers and other resources to be shared.

As a reminder of this protocol's vulnerabilities, we can mention the EternalBlue flaw (MS17-010), widely exploited by ransomware such as WannaCry and NotPetya. More than 400,000 activities were recorded on this port alone.

Another relevant port is port 1433, used by Microsoft SQL Server for SQL communications. This port is often used by database administrators to access their SQL servers.

One of the main points here is to capture the authentications attempted by the threat actors to access the SQL service, with a description of the users and passwords below:

Top 10 users and passwords used to access services such as MSSQL

Information related to attacks on ICS/SCADA services

We also collect information from industrial services, focusing mainly on anticipating some of the main attacks carried out by threat actors targeting specific industries and systems.

The countries of the IP addresses responsible for the most frequent attacks are listed in the top 10:

Top 10 countries related to attacks on ICS/SCADA systems

This category includes services such as the SNMP protocol (port 161), Microsoft RPC (port 1025), standards for control and supervision systems in electricity networks and SCADA systems (port 2404 - IEC Protocol 60870-5-104), and devices that use LON for communication (port 10001), such as building and industrial automation.

Main commands executed

Another important detail is the set of commands potentially used by actors to interact with systems. The collectors also record the commands sent in connections and requests from potentially malicious IP addresses, which are listed below:

Top 10 countries with the most requests and collector activities

Files identified and captured by collectors

In addition to the commands, it was possible to identify a list of files and indicators related to possible malicious files used to install backdoors and cryptominers, one of which could be identified as a manifestation of the well-known MIRAI botnet.



Security recommendations

ISH Tecnologia, based on the information disclosed in this bulletin, presents the following mitigations and recommendations:

  • Protection against attacks on Port 53 (DNS)

DNSSEC Response Validation: Use DNSSEC (DNS Security Extensions) to validate DNS responses and ensure that DNS traffic has not been altered or poisoned.

Rate Limiting: Implement rate limitations for DNS queries to reduce the risk of amplification attacks.

Secure Recursive DNS Servers: Configure your DNS servers to only allow recursive queries from trusted networks.

Traffic Monitoring and Analysis: Regularly monitor DNS traffic to detect abnormal patterns that could indicate an attack.

  • Protection against Brute Force attacks

Multifactor Authentication (MFA): Always use MFA to add an extra layer of security on top of passwords.

Account Blocking and Delays: Set up systems to block accounts or introduce delays after several failed login attempts.

Strong Password Policies: Require complex passwords that combine letters, numbers and symbols to make brute force attempts less likely to succeed.

Intrusion Detection Tools: Use tools that detect and alert you to suspicious or abnormal login attempts.

  • Protection against attacks on port 22 (SSH)

SSH Keys Instead of Passwords: Use SSH keys instead of passwords for authentication, as they offer much greater security.

Change Default Port: Change the default SSH port from 22 to a less obvious one, reducing visibility to automatic scanners.

Access Control List (ACL): Restrict SSH access to only the necessary IP addresses, minimizing exposure.

Fail2Ban or Similar Tools: Use tools like Fail2Ban to automatically block IPs that exhibit suspicious behavior, such as multiple failed login attempts.
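The "Account Blocking and Delays" and "Fail2Ban or Similar Tools" recommendations above both rely on the same idea: count failed logins per source IP inside a sliding time window and block the source once a threshold is crossed. The following is an added example (not part of the bulletin or of Fail2Ban itself) that applies that logic to constructed sshd log lines; the threshold, window and log lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in syslog format (year assumed to be 2024);
# the IPs are documentation ranges, not indicators from the bulletin.
SAMPLE_AUTH_LOG = """\
Jun 17 12:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jun 17 12:00:03 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jun 17 12:00:04 host sshd[103]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jun 17 12:00:06 host sshd[104]: Failed password for invalid user user from 203.0.113.5 port 51003 ssh2
Jun 17 12:00:07 host sshd[105]: Failed password for invalid user test from 203.0.113.5 port 51004 ssh2
Jun 17 12:00:09 host sshd[106]: Accepted publickey for ops from 198.51.100.7 port 40000 ssh2
Jun 17 12:05:00 host sshd[107]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Jun 17 12:30:00 host sshd[108]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bruteforcers(log_text, max_failures=5, window_seconds=600):
    """Fail2Ban-style check: an IP is banned when it reaches max_failures
    failed logins within any window_seconds span. Returns
    {ip: (time_of_ban, sorted list of usernames it tried)}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    users = defaultdict(set)      # per-IP usernames attempted (e.g. "admin")
    banned = {}
    for ts, ip, user in parse_failures(log_text):
        if ip in banned:
            continue              # already blocked; later lines are irrelevant
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= max_failures:
            banned[ip] = (ts, sorted(users[ip]))
    return banned
```

With the defaults, the first source is banned on its fifth failure within ten seconds, while the second source's two attempts 25 minutes apart stay below the threshold; lowering the threshold or widening the window (as the "delays" recommendation suggests) catches slower attempts too.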

  • Protection against attacks on Port 445 (SMB/CIFS)

Disable SMBv1: Disable SMBv1 and use more secure versions such as SMBv2 or SMBv3.

Firewall: Block access to port 445 for incoming and outgoing traffic from untrusted sources on the Internet. Allow only on secure internal networks, if necessary.

VPN: If remote access to files is required, use a secure VPN instead of exposing port 445 directly to the internet.

Patches and Updates: Keep the operating system and associated software up to date to protect against known vulnerabilities.

  • Protection against Port 1433 attacks (Microsoft SQL Server)

Strong authentication: Use Windows-based authentication or SQL Server authentication with strong passwords and strict security policies.

Firewall: Restrict access to port 1433 to trusted IPs or subnets only. Ideally, the database should not be accessible directly from the internet.

Data Encryption: Activate encryption for connections to the SQL Server to protect data in transit.

Auditing and Monitoring: Implement auditing for database access and queries and use monitoring solutions to detect suspicious activity.

  • Protection against attacks on ICS/SCADA systems

Network Segmentation: Physically or virtually separate ICS/SCADA networks from the rest of the corporate IT infrastructure.

Access Controls: Implement role-based access controls with strong authentication and least privilege management.

Updates and Patches: Ensure that all ICS/SCADA devices have up-to-date software and are regularly reviewed for vulnerabilities.

Training and Awareness: Ensure that ICS/SCADA personnel are well trained in cybersecurity practices and aware of current threats.

References

  • Heimdall by ISH Tecnologia
