Learn about the top threats that affected Brazil in March

Learn about the top threats that have affected Brazil in the last month

Brazil is one of the countries that suffer the most cyber attacks in the world, and this scenario has worsened considerably since the pandemic. Being aware of the threats on the rise in Brazil and worldwide is increasingly important: it allows us to stay one step ahead of potential attackers and to act more quickly and efficiently to detect such threats and avoid the impact and damage they may cause.

TOP 10 THREATS

Figure 1: Cyber threat map in the last month

A cyber threat is a malicious act that aims to damage or steal data and/or disrupt digital services in general. Cyber attacks include threats such as viruses, data breaches, and denial of service (DoS) attacks.

In the last month, the most recurrent threats were:

  • HEUR:Trojan.Script.Generic: this family includes programs that have features typical of malicious Trojan scripts, such as performing actions and creating backdoors.
  • HEUR:Trojan.MSOffice.Emotet.gen: this family consists of malware used to download other malware ("bankers") to the victim's device. Emotet is mainly distributed via phishing e-mails that contain links to malicious websites or attachments (PDF or Microsoft Word documents). The PDF documents contain links to malicious websites, and the Word documents contain malicious macros together with instructions on how to enable them.
  • HEUR:HackTool.Win32.KMSAuto.gen / HackTool.Win64.HackKMS.b: applications in this family can activate unregistered Microsoft software products. Such applications can be used in conjunction with malicious or unwanted software.
  • HEUR:Trojan.PDF.Badur.gena: a "booby-trapped" PDF document[1] with a link that leads to a site with questionable content.
  • Trojan-Dropper.HTML.Agent.aq: Trojan-Dropper programs are designed to secretly install the malicious programs embedded in their code on victims' computers. Such programs are used by hackers to silently install Trojan horse programs and/or viruses that shield known malicious programs from detection by antivirus solutions.
  • HEUR:Trojan.Script.Miner.gen: this family includes malicious scripts used for mining cryptocurrency without the user's knowledge. The proceeds of the mining go directly into the criminals' wallets.
  • HEUR:Hoax.Script.Scaremail.gen: this family includes blackmail e-mail messages that pressure the user into paying so that sensitive data is not disclosed, even though the attackers do not actually have this data.
  • HEUR:Trojan-Downloader.Win32.Banload.gen / HEUR:Trojan-Downloader.Script.Generic: a family of Trojans that download other malware, usually members of the Win32/Banker family, Trojans that steal banking credentials and other sensitive data and send them back to a remote attacker.

[1] Infected PDF document.

VULNERABILITIES

Every day, vendors patch vulnerabilities detected in their products to prevent potential attackers from taking advantage of these flaws. Typically, hackers write code and malware capable of exploiting such flaws in applications or operating systems; this code is called an exploit. Through an exploit, an attacker can gain unauthorized access to, or use of, the application and/or operating system.

The chart below shows the average number of exploitation notifications recorded in Brazil between 03/07/2022 and 04/08/2022:

Figure 2: Number of notifications

The peak days were:

  • 03/14/2022 - 6,998 notifications
  • 03/17/2022 - 6,930 notifications
  • 04/04/2022 - 7,881 notifications

Exploit:W32/CVE-2011-3402.A is a generic detection that identifies malicious font files that can be used to exploit a known vulnerability in the TrueType font parsing engine in specific versions of the Windows operating system. If successfully used, this exploit could allow the execution of malicious code contained in specially crafted font data embedded in a web page or Word document. This exploit is known to be used by malware such as the Cool exploit kit, which is associated with the distribution of the Reveton ransomware, and by the backdoor program Duqu.

RANSOMWARE

Ransomware is a type of cyber attack that keeps gaining notoriety, and it is a matter of utmost importance for the security of any company's infrastructure. These attacks have grown year after year, and with services such as RaaS (Ransomware as a Service)[1], they have become popular and accessible even to attackers with limited knowledge.

In the last month, the prominent threat was Trojan-Ransom.WIN32.Phny.a, still in first place, with a 43.38% share of the attacks that occurred in Brazil. This trojan is part of the WannaCry family, an encryption ransomware active since 2017.


[1] It works like an affiliate program, in which the ransomware developers provide the malicious program to their affiliates (attackers), usually with monthly fees or agreements in which the percentage of profit is established for both parties.

Figure 3: Number of notifications
Figure 4: Incidence by threat

IOCS

As a way to assist in the rapid detection of threats, we have selected the most recurrent indicators of attack in Brazil during the last month. Among them are MD5 hashes, URLs, and Command and Control (C&C) servers.

Such indicators help in detecting data breaches, malware infections or other malicious activities. By monitoring indicators of compromise, you can detect attacks and act quickly to prevent breaches from occurring or limit damage by stopping attacks in their early stages.

TOP 10 MD5

The most observed hash belongs to the Malware category and is detected as HEUR:Trojan.Script.Generic.

  • MD5: B031E991F354D7FA51E7682452B3D5C1
  • First seen on: March 21, 2022
  • VirusTotal detection rate on 07/04/2022: 7/57
  • Class: Malware

HEUR:Trojan.Script.Generic is a heuristic detection[1] designed to generically detect a Trojan Horse, a program that, besides performing the functions for which it was apparently designed, also performs other, usually malicious, functions without the user's knowledge.


[1] Heuristics are a technology designed to proactively detect malicious code, that is, without the need to rely on a specific signature. Along these lines, the security solution analyzes a file and compares its behavior with certain patterns that may indicate the presence of a threat. For each action performed by the file, a score is assigned. So if this number is higher than a certain value, it is classified as probable new malware. Source: welivesecurity.

Globally, this hash has by far the highest incidence in Brazil, with more than 157,000 detections, followed by the United States, with about 2,200 detections in the last month.

There was a peak in detections of this hash between 3/21/2022 and 3/23/2022, with more than 70,000 detections.

Top 10 MD5 | Description | Name(s)
B031E991F354D7FA51E7682452B3D5C1 | HEUR:Trojan.Script.Generic | b28c12f432f7faab266a67f8116f1b341fa5aa4dce0a965fca8adca2a0fc3945 anexo_2020098492784.html
C3D11B1DEADC4C0736C520CDE8143BE5 | - | -
024603BC678EC0B0C5C85F76B01DBF56 | - | anexo_2020098492784.html
754F13D7FDD0DDF9AACA24AC8526E0C0 | - | anexo_2020098492784.html
3B760FA0DC2F3719311336A60FF409F9 | - | 7ebe91aa8f20b8d4393d73e9484441bed6b28f1d5121db3b7f6ff4b076a4694f_1647522059789_anexo_2020098492784
9B0951269B64ADD3658B908FD2C02E07 | - | 34a1d8c1898c71f91d43e05788adb9ac1827d38ad7f9b3fb219e67be27ed0797 anexo_2020098492784.html
FC5A81A9B840740B02BBBBE8F2BB6920 | - | anexo_2020098492784.html
335EB95FA1FADBE89A54A32110F70186 | - | anexo_2020098492784.html
DA3EF275E8A08E20A6A006A945C61193 | - | anexo_2020098492784.html
20ED258BB98E83EC5DB43DAEE1FD609E | - | anexo_2020098492784.html

It is important to note that most of the hashes listed above relate to the same attachment file name, anexo_2020098492784.html, from which it can be deduced that a phishing/malware campaign was, or still is, being run.

Looking at the hash 9B0951269B64ADD3658B908FD2C02E07, we can see that it is linked to e-mails supposedly sent by Fazenda.Gov. During the tax return period, it is normal and expected for criminals to use this theme to carry out phishing attacks.

The hash 20ED258BB98E83EC5DB43DAEE1FD609E, on the other hand, shows a relationship to the following MITRE ATT&CK tactics and techniques:

TOP 10 URLS

When it comes to URLs, the tinyurl2.ru domain was the most frequently found, affecting mainly countries such as Brazil, India, the United States and Colombia. In Brazil, the number of detections reached 48,008.

TOP 10 C&C - COMMAND AND CONTROL

A Command and Control (C&C) server is a computer controlled by an attacker or cybercriminal that is used to send commands to systems compromised by malware and to receive data stolen from a target network.

In the TOP 10 C&C of the last month, the domain iustinus-agi.com was observed numerous times and categorized as Malware and Botnet C&C (Backdoor.Win32.Shiz).

According to the image, the most affected countries are: United States, Brazil, Germany, Spain and the United Kingdom.

Below, some information about this domain is detailed, such as the IP addresses it resolves to and the files hosted on the server.

Server hosted URLs:

  • iustinus-agi.com/zcredirect
  • iustinus-agi.com/zcvisitor

IP addresses that resolve to this server:

Files related to this IP
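As an added example (not part of this bulletin or any vendor's tooling), the following Python script shows how the indicators from the Top 10 MD5 and C&C sections can be turned into simple detection checks: it matches e-mail attachments against the bulletin's MD5 values and flags proxy-log requests to the tinyurl2.ru and iustinus-agi.com domains (including subdomains). The proxy-log layout and the sample log lines are constructed for the example.

```python
import hashlib
import re

# Indicators copied from this bulletin: MD5s from the Top 10 MD5 table,
# domains from the Top 10 URLs and Top 10 C&C sections.
BULLETIN_MD5 = {
    "B031E991F354D7FA51E7682452B3D5C1": "HEUR:Trojan.Script.Generic",
    "9B0951269B64ADD3658B908FD2C02E07": "Fazenda.Gov-themed phishing attachment",
    "20ED258BB98E83EC5DB43DAEE1FD609E": "anexo_2020098492784.html",
}
BULLETIN_DOMAINS = {"tinyurl2.ru", "iustinus-agi.com"}

# Proxy log layout assumed here (constructed): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)

def md5_hex(data):
    return hashlib.md5(data).hexdigest().upper()  # uppercase, as in the bulletin's table

def match_attachments(attachments, known=BULLETIN_MD5):
    """attachments: iterable of (filename, bytes). Returns (filename, md5, label) per known hit."""
    hits = []
    for name, data in attachments:
        digest = md5_hex(data)
        if digest in known:
            hits.append((name, digest, known[digest]))
    return hits

def domain_matches(host, known=BULLETIN_DOMAINS):
    """True if host is a known domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in known)

def scan_proxy_log(lines, known=BULLETIN_DOMAINS):
    """Return (timestamp, client_ip, host) per request to a known domain; malformed
    lines and non-HTTP URLs are skipped rather than aborting the scan."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        h = HOST_RE.match(m.group(4)) if m else None
        if h and domain_matches(h.group(1), known):
            hits.append((m.group(1), m.group(2), h.group(1).lower()))
    return hits

# Constructed sample log (not real traffic) to exercise the scanner.
SAMPLE_LOG = """\
2022-03-21T10:02:11Z 10.0.0.14 GET http://tinyurl2.ru/abc123 302
2022-03-21T10:05:40Z 10.0.0.22 GET http://iustinus-agi.com/zcredirect 200
garbage line that does not parse
2022-03-21T10:06:01Z 10.0.0.31 GET https://mail.example.com/inbox 200
""".splitlines()
```

In practice the MD5 set would be loaded from a feed rather than hard-coded, and the attachment bytes would come from the mail gateway's quarantine.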

Additionally, other C&C also had a relevant occurrence in Brazil and can be seen below:

THREATS AROUND THE WORLD

Some threats that are present around the world also significantly affect Brazil. Some ransomware groups, for example, have no geographic boundaries that prevent them from acting.

THE WAR STILL GOES ON

The war between Russia and Ukraine remains relevant in the cybersecurity landscape. Until the conflict is resolved, many hacktivist groups will take part in this fight in whatever way they see fit, targeting companies with business in Russia in retaliation.

SPRING4SHELL

Considered the new Log4j, Spring4Shell, which allows remote code execution (RCE), is a major vulnerability affecting spring-core, a framework widely used by software developers to build Java applications.

It is advisable to apply the security recommendations provided by the developer itself:

HIVE

Also claiming victims here in Brazil, the Hive ransomware was first observed in June 2021 and likely operates as an affiliate-based ransomware, using a wide variety of Tactics, Techniques and Procedures (TTPs), making it a challenge to defend and mitigate.

Hive has been observed around the world and detections show that Hive ransomware attack attempts against organizations have been most observed in South America, with Argentina receiving the most, followed by Brazil.

CONCLUSION

Given the above scenario, it is clear that Brazil still needs to improve its digital posture. Several new threats emerge every day, increasingly resilient and complex, demanding from organizations more attention and care with their assets, investment in training for their users and constant updating.

The data reported in this bulletin assists in the mitigation and prevention of the currently highlighted threats, and the following recommendations are an important addition to combat potential attacks.

RECOMMENDATIONS

1. Keep encrypted, offline data backups and test them frequently. Backup procedures should be performed regularly. It is important that backups are kept offline, as many ransomware variants attempt to locate and delete or encrypt accessible backups.


2. Create, maintain and execute a basic cyber incident response plan, a recovery plan and an associated communications plan.

  • The cyber incident response plan should include response and notification procedures for ransomware incidents. We recommend the CISA and Multi-State Information and Sharing Center (MS-ISAC) Joint Ransomware Guide for more details on creating a cyber incident response plan.
  • The recovery plan should address how to operate if you lose access to or control of critical functions. CISA offers no-cost, non-technical cyber resilience assessments to help organisations assess their operational resilience and cyber security practices.

3. Mitigate Internet-facing vulnerabilities and misconfigurations to reduce the risk of actors exploiting this attack surface:

a. Employ best practices for using Remote Desktop Protocol (RDP) and other remote desktop services. Threat actors often gain initial access to a network through exposed and poorly secured remote services and later propagate ransomware from there.

  • Audit the network for systems using RDP, close unused RDP ports, enforce account lockout after a specified number of failed attempts, apply multi-factor authentication (MFA), and log RDP login attempts.

b. Perform regular vulnerability scans to identify and resolve vulnerabilities, especially those in Internet-facing devices. CISA offers a variety of free cyber hygiene services, including vulnerability scanning, to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats such as ransomware. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors.

c. Update software, including operating systems, applications, and firmware, in a timely manner. Prioritize timely remediation of critical vulnerabilities and vulnerabilities in Internet-facing servers - as well as Internet data processing software such as web browsers, browser plug-ins, and document readers. If rapid remediation is not feasible, implement vendor-provided mitigations.

d. Make sure that the devices are configured correctly and security features are enabled; for example, disable ports and protocols that are not being used for a business purpose.

e. Disable or block the incoming and outgoing Server Message Block (SMB) protocol at the network edge and remove or disable outdated SMB versions.
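As an added example, not from the bulletin or CISA, this Python script applies the RDP guidance in item 3a to a log of failed logon events: it counts failed RDP logons (event ID 4625, logon type 10) per source address and per target account inside a sliding time window and flags whichever reaches the lockout threshold. The one-line event layout and the sample events are constructed; real Windows Security exports carry the same fields in a different format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One-line event layout assumed for this example (constructed, not a Windows export
# format). Real Security events carry the same fields: 4625 = failed logon, type 10 = RDP.
EVENT_RE = re.compile(
    r"^(\S+ \S+) EventID=(\d+) LogonType=(\d+) TargetUser=(\S+) SourceIP=(\S+)$")

def parse_events(lines):
    """Yield (time, event_id, logon_type, user, source_ip); unparsable lines are skipped."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            ts, eid, ltype, user, ip = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), int(ltype), user, ip

def rdp_failure_alerts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return sorted (kind, key) pairs whose RDP logon failures reach `threshold` inside any
    `window`: "source_ip" flags a brute-forcing source, "account" mirrors a lockout policy."""
    buckets = defaultdict(list)
    for ts, eid, ltype, user, ip in parse_events(lines):
        if eid == 4625 and ltype == 10:
            buckets[("source_ip", ip)].append(ts)
            buckets[("account", user)].append(ts)
    alerts = []
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return sorted(alerts)

# Constructed sample: one source fails against several accounts over RDP; a legitimate
# user mistypes twice and then succeeds; a non-RDP (type 3) failure is ignored.
SAMPLE_EVENTS = """\
2022-03-21 08:00:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-03-21 08:00:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2022-03-21 08:00:05 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-03-21 08:00:07 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2022-03-21 08:00:09 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-03-21 08:15:00 EventID=4625 LogonType=10 TargetUser=maria SourceIP=10.0.0.5
2022-03-21 08:15:20 EventID=4625 LogonType=10 TargetUser=maria SourceIP=10.0.0.5
2022-03-21 08:16:00 EventID=4624 LogonType=10 TargetUser=maria SourceIP=10.0.0.5
2022-03-21 09:00:00 EventID=4625 LogonType=3 TargetUser=svc SourceIP=10.0.0.9
""".splitlines()
```

Per-source counting catches a single origin rotating through accounts, which a per-account lockout policy alone would not trip on.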

4. Reduce the risk of phishing e-mails reaching end users:

a. Enable spam filters.

b. Implement a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity (e.g., phishing) or incidents.

5. Use the best available cybersecurity practices:

a. Ensure that all anti-virus, anti-malware and signature software is up-to-date.

b. Implement application allowlisting.

c. Ensure that user accounts and privileges are limited through account usage policies, user account control, and privileged account management.

d. Employ MFA for as many services as possible, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.

REFERENCES

  1. Kaspersky
  2. welivesecurity.com
  3. F-Secure
  4. TrendMicro
  5. cisco.com
  6. nist.gov