If you build it, they will come: Cyber-criminals are exploiting Latin America’s new digital economy

Max Heinemeyer, Director of Threat Hunting | Wednesday April 17, 2019

Over the past decade, Latin America has transitioned from a majority analog region to a predominantly digital one. But as its companies and governments embrace internet technologies at a breakneck pace, cyber security concerns have frequently taken a back seat. The number of internet users in Mexico, for instance, has grown by a staggering 13.4% annually since 2006, compared to a 3.3% annual increase in the United States. At the same time, the US spent considerably more on security solutions than all of Latin America combined, a discrepancy that experts anticipate will only widen in the coming years.

This dangerous combination of burgeoning networks and relatively lax cyber defenses has, unsurprisingly, attracted the attention of sophisticated online threat actors, who are now targeting the region with attacks designed to bypass conventional security tools. During the last few months, Darktrace detected a disproportionate barrage of such attacks against its Latin American customer base, three of which are examined below. From stealthy trojans to silent PowerShell attacks to subtle cloud-based threats, cyber-criminals are constantly innovating to compromise the personal information and intellectual property of the region’s 630 million residents. Safeguarding them will require a new approach to digitization — one that leverages AI to place cyber security at the very heart of the corporate network.

Case study 1: Polymorphic banking trojan

At a Latin American financial services company, a corporate desktop was seen downloading an EXE file from a rare external hostname. Following this download, the device generated multiple failed authentications with the credential “administrator” — an English word not commonly used in Spanish-speaking countries. The device then started sending rare EXE files with numeric names internally via SMB, and a few minutes later multiple devices began beaconing to rare destinations never seen in the network before.

In the graph below, Darktrace’s Threat Visualizer captures the EXE file download and the resulting indicators of anomalous lateral movement. Every dot in the graph represents behavior that is atypical for the company’s unique users, devices, and network, as determined by Darktrace’s cyber AI algorithms, with darker colors corresponding to higher severity risks. These anomalous behaviors include the download of suspicious EXE files, connections to rare destinations, Kerberos authentication failures, and unusual internal transfers of EXE files via SMB.

Immediately after the download, the infected device was seen communicating with destinations that had never before been accessed from the network, as represented by the “100%” IP Rareness score shown in the box at the bottom right of the graph.

A subsequent analysis of the downloaded sample revealed that it was a live copy of the polymorphic Emotet banking trojan, which we examined on this blog in January. Although Emotet is notoriously difficult for traditional security tools to spot, the AI-powered approach to cyber defense caught the threat because it had learned the company’s normal activity, allowing it to recognize Emotet’s key behaviors — the rare download, the authentication failures, the SMB transfers and the beaconing — as abnormal.

Case study 2: PowerShell attack from rare location

These AI cyber defenses also proved critical in the defense of a technology start-up in another Latin American country, where a desktop was seen downloading a Python script from a rare location in Malaysia. Neither the desktop in question nor any other internal device had ever connected to the external destination before, an early indicator of cyber-threat that signature-based security tools, which have no signature for a never-seen destination, would have missed. The script was downloaded from a rare .com domain that included apparently legitimate strings like “windows”, but which was in fact not associated with Microsoft or any other legitimate organization.

Following the download, the device initiated an HTTP connection with the external destination using PowerShell, after which multiple company devices started communicating with this rare destination. This type of attack, which hides behind a built-in administrative tool, has become popular among threat actors because it bypasses traditional detection systems; AI anomaly detection nonetheless flagged it right away as unusual for the start-up’s particular traffic patterns, as illustrated by the graph below.

Download of script file and external communications with a suspicious rare external location.
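As an added example (not Darktrace’s code and not part of the original post), the script below applies the rarity-based checks described in case studies 1 and 2 to constructed log records: an EXE download from a never-seen host, repeated “administrator” authentication failures, SMB transfers of numerically named EXEs, a script download from a look-alike “windows” domain by a PowerShell client, and the spread of connections to a never-seen destination across several devices. The baseline host set, the log records, the thresholds, the brand-word list and the allowlist of legitimate suffixes are all assumptions chosen for illustration.

```python
"""Rarity-based detection of the behaviours described in case studies 1 and 2,
run over constructed log records. Added example, not Darktrace's product logic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2019, 3, 4, 9, 0)            # constructed reference time
ADMIN_FAIL_THRESHOLD = 3                    # assumed: failures in 10 min before alerting
BRAND_WORDS = ("windows", "microsoft")      # assumed brand strings for look-alike domains
LEGIT_SUFFIXES = (".microsoft.com", ".windows.com", ".windowsupdate.com")  # assumed allowlist

# Constructed baseline: external hosts this network has talked to during learning.
BASELINE_HOSTS = {"update.microsoft.com", "www.google.com", "cdn.bank-example.lat"}

# Constructed events, minutes after T0, in the order the case studies describe.
EVENTS = [
    {"t": 0, "src": "10.1.5.20", "kind": "http_file", "host": "dl.rare-host-xyz.com",
     "file": "invoice.exe", "ua": "Mozilla/5.0"},
    {"t": 1, "src": "10.1.5.20", "kind": "krb_fail", "user": "administrator"},
    {"t": 1, "src": "10.1.5.20", "kind": "krb_fail", "user": "administrator"},
    {"t": 2, "src": "10.1.5.20", "kind": "krb_fail", "user": "administrator"},
    {"t": 3, "src": "10.1.5.20", "kind": "smb_write", "dst": "10.1.5.31", "file": "483920.exe"},
    {"t": 5, "src": "10.1.5.20", "kind": "conn", "host": "203.0.113.77"},
    {"t": 6, "src": "10.1.5.31", "kind": "conn", "host": "203.0.113.77"},
    {"t": 40, "src": "10.2.7.14", "kind": "http_file", "host": "windows-cdn-update.com",
     "file": "setup.py", "ua": "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1"},
    {"t": 41, "src": "10.2.7.14", "kind": "conn", "host": "windows-cdn-update.com"},
    {"t": 42, "src": "10.2.7.15", "kind": "conn", "host": "windows-cdn-update.com"},
    {"t": 50, "src": "10.1.5.40", "kind": "conn", "host": "www.google.com"},  # benign control
]


def rarity(host, baseline):
    """Destination rarity in the sense the post uses: 100 if never seen, else 0."""
    return 0 if host in baseline else 100


def is_lookalike(host):
    """Domain carries a brand word but is not under an allowed legitimate suffix."""
    h = host.lower()
    return any(w in h for w in BRAND_WORDS) and not h.endswith(LEGIT_SUFFIXES)


def detect(events, baseline):
    """Return findings in time order. Each finding: (time, device, rule, severity, detail)."""
    findings = []
    admin_fails = defaultdict(list)      # device -> recent admin auth failure times
    new_host_devices = defaultdict(set)  # never-seen host -> devices that contacted it
    for e in sorted(events, key=lambda x: x["t"]):
        ts, src, kind = T0 + timedelta(minutes=e["t"]), e["src"], e["kind"]
        if kind == "http_file":
            ext = e["file"].rsplit(".", 1)[-1].lower()
            rare = rarity(e["host"], baseline) == 100
            if ext == "exe" and rare:
                findings.append((ts, src, "exe_from_rare_host", "high", e["host"]))
            elif ext in ("py", "ps1") and (rare or is_lookalike(e["host"])):
                findings.append((ts, src, "script_from_rare_or_lookalike_host", "high", e["host"]))
            if "WindowsPowerShell" in e.get("ua", ""):  # substring of PowerShell's default UA
                findings.append((ts, src, "powershell_http_client", "medium", e["host"]))
        elif kind == "krb_fail" and e["user"].lower() == "administrator":
            recent = [t for t in admin_fails[src] if ts - t <= timedelta(minutes=10)] + [ts]
            admin_fails[src] = recent
            if len(recent) == ADMIN_FAIL_THRESHOLD:
                findings.append((ts, src, "admin_auth_failures", "high", f"{len(recent)} in 10 min"))
        elif kind == "smb_write" and re.fullmatch(r"\d+\.exe", e["file"], re.I):
            findings.append((ts, src, "smb_numeric_exe_transfer", "high", f"{e['dst']}\\{e['file']}"))
        elif kind == "conn" and rarity(e["host"], baseline) == 100:
            devs = new_host_devices[e["host"]]
            if src not in devs:
                devs.add(src)
                findings.append((ts, src, "new_external_destination", "medium", e["host"]))
                if len(devs) == 2:  # the same unseen host is now reached from a second device
                    findings.append((ts, src, "spread_to_multiple_devices", "high", e["host"]))
    return findings


def rules_fired(findings):
    """Sorted set of rule names that produced at least one finding."""
    return sorted({f[2] for f in findings})


if __name__ == "__main__":
    for ts, dev, rule, sev, detail in detect(EVENTS, BASELINE_HOSTS):
        print(f"{ts:%H:%M} {dev:<10} {sev:<6} {rule:<36} {detail}")
```

The point of the baseline set is that every rule is relative to what this network has done before: the control connection to www.google.com produces nothing, while the same connection pattern to an address never seen from the network is flagged, and flagged again with higher severity once a second device joins it. In a real deployment the baseline would be built from weeks of traffic rather than three hostnames, and the thresholds would be tuned per network.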

Case study 3: Compromised SaaS credentials

At an international financial services firm based in Latin America, a Microsoft Office 365 user account that regularly authenticates from known Latin American locations suddenly started exhibiting unusual activity, authenticating many times from a rare IP address in Asia-Pacific. Darktrace AI immediately flagged the event as highly unusual, since the business has few ties to the Asia-Pacific region. This early detection of anomalous credential behavior revealed that the account on the corporate SaaS service had been compromised, a breach that could have escalated to compromise other Office 365 users had the firm not caught it at this early stage.

An anomalously high number of SaaS authentications occurred in a short time interval — from a rare location for the customer.
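As an added example (not Darktrace’s code and not part of the original post), the script below implements the check case study 3 describes over constructed Office 365 style sign-in events: a per-user profile of where sign-ins normally come from, a 0-100 rarity score for a new country and source IP, and an alert when a burst of authentications inside a short window arrives from a source that is rare for that user. The scoring formula, the window, the thresholds, the user names and the addresses (documentation ranges) are all assumptions; a busy but normal user is included to show that volume alone does not trigger the alert.

```python
"""Detecting a burst of SaaS sign-ins from a location that is rare for the user,
over constructed Office 365 style events. Added example, not Darktrace's product logic."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2019, 3, 11, 14, 0)    # constructed reference time
WINDOW = timedelta(minutes=10)       # assumed: burst window
BURST_THRESHOLD = 5                  # assumed: sign-ins within WINDOW before alerting
RARE_SCORE = 90                      # assumed: minimum IP rarity (0-100) to alert

# Constructed learning-period sign-ins, (user, country, source IP), using documentation
# address ranges so nothing here points at a real host.
BASELINE = (
    [("m.gomez", "MX", "198.51.100.12")] * 40
    + [("m.gomez", "MX", "198.51.100.13")] * 8
    + [("m.gomez", "CO", "203.0.113.5")] * 2
    + [("j.perez", "MX", "198.51.100.12")] * 30
)

# Constructed new events: (user, minutes after T0, country, source IP, succeeded).
NEW_EVENTS = (
    [("m.gomez", 0, "MX", "198.51.100.12", True), ("m.gomez", 30, "MX", "198.51.100.12", True)]
    + [("m.gomez", 60 + i, "SG", "192.0.2.44", i >= 4) for i in range(6)]   # rare APAC source
    + [("j.perez", 70 + i, "MX", "198.51.100.12", True) for i in range(6)]  # busy but normal
)


def build_profile(baseline):
    """Per-user history: total sign-ins and how often each country and IP appeared."""
    prof = defaultdict(lambda: {"total": 0, "countries": Counter(), "ips": Counter()})
    for user, country, ip in baseline:
        p = prof[user]
        p["total"] += 1
        p["countries"][country] += 1
        p["ips"][ip] += 1
    return prof


def rarity(profile, user, country, ip):
    """(country_rarity, ip_rarity) on a 0-100 scale: 100 for never seen, otherwise
    100 * (1 - share of this user's history). Assumed scoring chosen for illustration."""
    p = profile.get(user)
    if p is None or p["total"] == 0:
        return 100, 100
    c = round(100 * (1 - p["countries"][country] / p["total"]))
    i = round(100 * (1 - p["ips"][ip] / p["total"]))
    return c, i


def detect(profile, events):
    """Alert once per (user, ip) when >= BURST_THRESHOLD sign-ins land inside WINDOW
    from an IP whose rarity for that user is at least RARE_SCORE."""
    recent = defaultdict(deque)      # (user, ip) -> (time, succeeded) inside the window
    fired, alerts = set(), []
    for user, minute, country, ip, ok in sorted(events, key=lambda e: e[1]):
        t = T0 + timedelta(minutes=minute)
        q = recent[(user, ip)]
        q.append((t, ok))
        while t - q[0][0] > WINDOW:
            q.popleft()
        c_rare, ip_rare = rarity(profile, user, country, ip)
        if ip_rare >= RARE_SCORE and len(q) >= BURST_THRESHOLD and (user, ip) not in fired:
            fired.add((user, ip))
            alerts.append({
                "user": user, "ip": ip, "country": country,
                "country_rarity": c_rare, "ip_rarity": ip_rare,
                "attempts": len(q), "successes": sum(1 for _, s in q if s),
                "first": q[0][0], "last": t,
            })
    return alerts


def run_example():
    """Run the detector over the constructed data and return the alerts."""
    return detect(build_profile(BASELINE), NEW_EVENTS)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['user']}: {a['attempts']} sign-ins ({a['successes']} succeeded) from "
              f"{a['ip']} [{a['country']}] between {a['first']:%H:%M} and {a['last']:%H:%M}; "
              f"IP rarity {a['ip_rarity']}, country rarity {a['country_rarity']}")
```

The alert carries the number of successful sign-ins inside the burst because that is the first thing an incident responder needs: failures from a rare source suggest password spraying or a stuffing attempt, while even one success means the credential is already in the attacker’s hands and the account should be revoked and re-secured before the intrusion spreads to other users.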

Digitizing with diligence

In light of Latin America’s rapid digitalization and increasingly lucrative virtual assets, existing security vulnerabilities that were not significant several years — or even months — ago are now being exploited by cyber-criminals. Indeed, the high value of a successful compromise incentivizes these criminals to create malware specifically tailored to Latin American targets, malware capable of causing major disruptions, inflicting significant financial and intellectual property losses, and entailing incalculable reputational costs.

In this climate, it is imperative that companies and governments take a step back from their digital transformation projects to make cyber defense a core aspect of their organization, rather than an afterthought. And only with AI defenses at the center of such projects can they durably shape the region’s new economy.

Max Heinemeyer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max oversees global threat hunting efforts, working with strategic customers to investigate and respond to cyber-threats. He works closely with the R&D team at Darktrace’s Cambridge UK headquarters, leading research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. While living in Germany, he was an active member of the Chaos Computer Club. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.