
Thank you very much to those who stayed; I see that a lot of the audience left. It is a pleasure to be here for one more edition. I have already taken part in several editions, collaborating with the event and being among the panelists who come here to explain some of the things we see out in the field of security. Today we bring you an investigation that we did with William on the emergence and growth of this, let's say, scourge, of what are called InfoStealers. Later we will explain what they are; I don't want to take too much time on that. The contents are these four main elements: we will talk a little about the state of the art, the reason why we proposed this conference, this space to talk with you about this topic. We are going to present some specific figures for the region and, very intentionally, for our country, Colombia. After a series of things we did, we will present some of what is coexisting here in our country, and some recommendations.

Again, my name is Jaime Andrés Bello Vieda. I have been working on these security issues for more than 12 years; I went through auditing and now dedicate myself very specifically to everything that has to do with investigating security breaches, let's say forensic-type situations, threat intelligence, some malware analysis and other things. I also contribute to and am part of other communities; I am a professor at the Julio Garavito School of Engineering in Bogotá. And additionally, I like other things, music: I play some musical instruments. Currently I work covering a large part of Latin America at IBM, in a functional area called X-Force. Now I'll leave you with engineer William Forero.

Good afternoon everyone, my name is William Forero. Like Jaime, I also have approximately 12 years of experience in security and incident response. Currently we work, as Jaime mentioned, on forensics and computer incident response, where we support different clients in recovering from this type of incident. I am a systems engineer, I have some postgraduate degrees, and some of the industry certifications I hold are the ones you can see on the screen. I have worked in the public sector, the financial sector, technology and retail. I am enthusiastic about cybersecurity, computer forensics and incident response. And, let's say, personally I do a lot of cycling and swimming. There, so that you have that context. And that's it.

Well then, the InfoStealer market is born. As we were saying, what is the reason, or the state of the art, behind it? Various vendors and big houses in cybersecurity worldwide have done studies in which they made a series of forecasts of what was going to happen year by year, and there are others who dedicate themselves to corroborating or seeing what actually happened. That is what we can see on this slide. Here we are taking one of many studies; in this case a study from Mandiant, where they said that by 2023 there would be relatively considerable growth in everything that has to do with suffering InfoStealer malware. Just to make it clear, and I'll explain it later: it is a type of malware, very specifically, within the many categories that exist, whose main focus is stealing or exfiltrating information. We'll see what kind. Additionally, there are reports such as IBM X-Force's Threat Intelligence Index, where we, or the company, condense what happened in reality, in incident response and threat intelligence, during 2023. That is, both the report on the top right and the report at the bottom, which is the CrowdStrike report, carry figures or are named for the year 2024; however, they take the data of what happened last year, that is, 2023. So both reports converge on the same thing that had somehow already been predicted: the emergence of InfoStealer-type malware. In fact, in the case of the IBM report, we could see a growth between 2022 and 2023 of 266%, which was a considerable peak in what is being seen today in the threat landscape of organizations and obviously of personal computers; we are not only talking about business. So, taking that into account, and taking into account that this is in fact what is driving big breaches and computer attacks being seen worldwide through the use of these InfoStealers, that is one of the reasons we started to think: well, there are some numbers in general, but let's go to the context of what is happening here. And that is what we are going to present to you as part of this conference. It is important that we know it.
I'm going to base myself on what I read five minutes ago about what an InfoStealer is. Basically, it is a type of malware, within all the categorizations that exist, whose main objective, once it is incubated or installed in computer systems, even in mobile devices, although we are not going to focus much on the mobile world, is to look for information related to login pages, saved credentials, libraries where credentials are stored. For example, when you go to your browser and it asks whether you want to save the password: for usability that is very good, but you have to pay the price. In what sense? That it is not totally safe. And today this type of malware goes to all those locations, takes that data, and that is what is being stolen or leaked, what reaches criminal hands and with which various illicit or illegitimate activities can be carried out.

The ecosystem is quite large, as you can see. Unfortunately I do not have the pointer. But quickly, within the ecosystem of how this works, there are different roles that fulfill specific tasks. There are people dedicated to the development of the InfoStealer and its maintenance, and we can say they are the intellectual authors. They often don't... oh, thanks. They often don't, to put it that way, get their hands dirty in the sense of having to carry out illegitimate operations, of going and installing it in remote locations. No; the way they monetize is simply by developing the code and promoting it, and within the chain there are several other people who perform other tasks within these organizations. Some are affiliates, others not so much, and within the ecosystem there are also people dedicated to everything that has to do with marketing, sales, offerings and so on. And likewise, the fact that there is a series of specific offers, and that the offer has grown as we saw in the previous slide with a considerable peak, is because there is actually demand. Within that there are also people dedicated to taking the InfoStealer itself and going to organizations, trying to incubate it in citizens, individuals, organizations; and these people do not necessarily do anything with the information, that is, they only take it and can put it up for sale, and other people dedicate themselves to buying it and trying to do something additional with it. So let's realize that there is a universe of possibilities in what can be done here. And from there, being such a large ecosystem in which so many actors and so many people participate, there is value in this, because behind it there are, in many cases, thousands of millions of dollars in monetization.

So, the common infection vectors for this continue to be social engineering. Nowadays, all these topics, even though they sound classic to many of those here who work on penetration techniques, attacks, audits and that kind of thing, are still the most important element and still work. Even though it sounds trivial and we try to underestimate it, the use of phishing, the use of deceit and that kind of thing is still very useful, because it really is still one of the main critical success factors from the attacker's side for getting into organizations. We have seen, or it has also been seen in other cases, that a lot of InfoStealer-type malware comes embedded in software that comes with a crack and that kind of stuff. I know that more than one person here maybe understands the situation. Or in other cases with video games. Why? Because they come with this crack issue and so on. Additionally, one of the most representative InfoStealers today came about because, since 2020, when the pandemic happened, software and video games were advertised through videos posted on YouTube, where a link is placed to download the game or the utility. And thanks to that, the software, although you see it and it works, what you can't see is the other thing that is installed and that is often taking information out. And this has happened not only in individual cases but also at the corporate level. So basically, once the information is incubated in the devices (in this case, as I say, mobile devices are included), it is usually sent to a command and control server and offered in deep web forums, or in some other cases, instead of a command and control server, the infrastructure of the Telegram application is used, with bots associated with it as pivots or storage where the information ends up. In fact, last year I gave a talk about this with phishing, and it has some similarities with what happens here.

So, already having a clear context of what an InfoStealer is and how our research was focused: well, the first thing we saw, and as Jaime already mentioned, is that indeed there was exponential growth in this type of threat for accessing organizations. In fact, we have attended to it in several cases, with several of our clients. The other thing we observe is that they are actually changing their techniques a little, without saying that they no longer use things such as vulnerability exploitation, reconnaissance, etc. Why? Because by changing the techniques, by obtaining the credentials of an infrastructure, a server, etc., they will enter silently and directly into the environment of an organization. So we also saw that change, and we have seen it not only in what the reports showed us but in real cases we have attended. Taking that context, that panorama, into account, what we asked ourselves with Jaime was: come on, we have to do an investigation to determine or observe which are the main InfoStealers affecting the different countries of Latin America. And so we did, but we needed to identify which companies we were going to do this analysis on.
We did not want a subjective selection at our own discretion, so for that we used the Merco study. In fact, it is very likely that you have received this study in your organizations, to see which are the most important companies in each country, etc. In this way we could have a view of the countries we were going to take into the analysis that was not subjective. Why? Because they are countries where we know the study will show us which are the top organizations within each country, and that is also important to mention, because being the most important companies in each country, we know they are large companies with several subsidiaries, that have money and that additionally invest in security and technology, and yet they are exposed to this type of threat. So imagine those that are a little smaller or do not put enough money into security. In this context, what we did was threat intelligence to collect this information and see what the InfoStealer ecosystem is within the countries, taking into account the top 10 companies that the Merco study gives us. The other thing we wanted to show you, having identified that ecosystem within the region at the InfoStealer level, is the top 3, the main techniques used by the InfoStealers, and the methods used both to exfiltrate information and to sell it within the different forums, mainly the dark web forums. And as a result of all this, to show you some recommendations at a preventive and reactive level that you can implement within your organizations and at a personal level as well.

So, intelligence in action. Basically, what we did here is, we needed some intelligence sources to be able to collect the information. In our case we selected two sources. One of them is Russian Market, which is a forum on the dark web; it is one of the main forums where you can find the sale of illegal products and services, obviously everything to do with stolen information, malware, hacking services, credit cards, etc. That is why we chose it as one of the sources for the study. Additionally, the Russian Market forum shows us in detail the information that was collected through the InfoStealer, but it also tells us which InfoStealer was used to extract that information. That was quite important for us, to be able to determine which InfoStealer was being used to extract the information. The other one we chose is Telegram. Telegram has become one of the attackers' favorite platforms for selling this type of information collected with InfoStealers, and additionally they use it a lot to sell their products and services: their combolists, their InfoStealer, how much it costs monthly, how much annually, how much the test service costs, etc. So those were the two main sources of information selected for this study.

As I mentioned, in terms of countries, we chose all the main countries of Latin America, except Paraguay, because the Merco study does not yet have information on the main companies in Paraguay; the others we also included were Guatemala and the Dominican Republic, and the rest we included in the study, and basically it showed us which are the main companies that at a reputational level are the most important for each country. And what was the objective? To know, about this InfoStealer ecosystem, which ones were affecting each of the countries.

So, as a result of the study, what could we find? Here we see that Brazil, which is the country with the largest number of devices affected by InfoStealers, with a total of 3,802, is in first place and is the most representative in all of Latin America. In second place we have Chile with 2,108 positives affected by InfoStealers, then Mexico, Argentina, Colombia in fifth place, and in last place Bolivia. We managed to identify a total of 15,612 InfoStealers affecting the entire region, and the analysis period in which this investigation was carried out is between July 1, 2023 and December 31, 2023. It's a short period, but even so, the data is extremely valuable. Here is an important fact: Brazil is in the top spot, and one of the reasons we managed to identify with Jaime is that, in some way, by extension, Brazil obviously has greater technological development and a greater number of devices; therefore it will be more valuable for attackers to have access to the personal or corporate equipment of people in Brazil, because it will be much more profitable compared to Bolivia, for example, which we know is obviously not on the same level as Brazil in industrial and technological development. The rest of the countries, from Mexico to Ecuador, have very similar behavior in terms of InfoStealers.

In terms of the type of InfoStealer affecting the region, we see that Lumma has first place, with 30% of the affected devices in the Latin American region. Second, we have Redline with 4,056 InfoStealers. The time period here is the same as mentioned before, from July 1 to December 31, 2023. Third, we have RisePro with 3,675 InfoStealers. Fourth, we have Telegram. We put this in a category called Telegram because, as I mentioned a moment ago, Telegram has become one of the sources through which a lot of InfoStealer-type information is being sold. But within the information they are selling, they tell us: "Look, I have the information, the users and passwords, the cookies, etc. of this organization, but I got this information from RisePro, from Lumma, from Raccoon." So, for the purpose of treating the data, we decided to integrate it into a category called Telegram. That's the reason, but ultimately information is being obtained from various types of InfoStealers. We also have Vidar in fourth place with 955, StealC with 358 and RAC1 with 308. So here we see some changes; for example, in the United States, Vidar has much more representation, unlike Redline or RisePro, which are more representative in LATAM. Having done this
study and having identified what we observed in those forums, the dark web and the Telegram channels, we have a top 3: Lumma is in first place, Redline in second and RisePro in third. On these we want to focus on the techniques they use, so that you can know them and know how to defend yourself in some way.

Just to be precise about the sources of information we took for the study, corresponding to Russian Market and to channels and forums, let's say, of the Telegram infrastructure: the main reason is that they are the largest markets where you can find this information, that is, it lives in Russian Market and in channels associated with Telegram, where the same affiliates and creators of the InfoStealers have their support pages and so on, and they are available to anyone who has Telegram, who can reach them and even see what they cost. The idea of this is, as I tell you, for purposes of knowledge and teaching. The idea is not for you to take to these things because you are going to do something illegal or malicious against an individual or a company.

So, putting it a little more in context, with all the figures we just showed you, let's not lose focus that it is based on the Merco top 10; that is, we took the first 10 companies of each of the countries in the region to get the figures we saw there, within the period in which information was sought. Why were these companies important to us? Because, if you think about it, there are two specific elements. One, prestige and type of company: by their reputation and the economic muscle they have in their countries, they are highly reputed companies that in fact move the economic needle of the member countries of Latin America. And two, it is also assumed that because they are so big and prestigious and have great economic power, they have investments in cybersecurity to be protected. And yet, these figures are found.

And very quickly, to show you a little of these comparisons: what we can see is that in some way the regions, or South America, and in this case I'm going to include Mexico, can be divided into two large segments. One is, let's say, the upper part where we are, from Colombia down, then Peru; what is already Chile and those countries, even Brazil, are in some way other types of cultures. If you look at it from the perspective of our history, we can get into what was Gran Colombia; we can get into the fact that we are member countries, for example Ecuador, Bolivia, Peru and others, of something called the Andean Community. And Venezuela should be there, but it's not, because of the political situation. But this shows us that all that history and other things create certain patterns of behavior, both at the business and the individual level. In this case we are showing things at the business level. But what we want to show is that, even though we are separated or far from Mexico, if you start to think and look at the figures, the pie chart, or the type of graph you can see, is very similar between Colombia and Mexico. And in fact it's because, even though we are far away, we keep certain elements very, very similar. So that is what makes, in some way, a very specific representation in this case for the countries close to Colombia, with the predominant InfoStealer in this case being Redline. Additionally, we made a comparison here, as I was mentioning, of Colombia with countries that are a little farther from our cultural context; we are all Latin America or part of South America, excluding Mexico mainly, and you can see patterns and differences in the models and in what is emerging, the rise of a certain type of InfoStealer or not. So, who participates the most in this case, who was the winner? Obviously, by extension and all the technological implementation that exists, Brazil has a predominance of an InfoStealer called Lumma; and yet Redline is still predominant in Argentina, and the situation changes a bit in Chile's geography with the InfoStealer RisePro. So the idea, as we were mentioning, is to understand what is happening in each of the regions. Many of these InfoStealers are very similar, we will see it later; they keep some differences, and in fact, for example, in Colombia, the fact that Redline is one of the predominant ones is because, when you look at how all these things have emerged in the short term, you can say that the father of the others is this malware called Redline.

So here we are putting into context the 1,470 devices that we identified within the 10 companies in that Merco study. All these elements for Colombia correspond to corporate end-user workstations. As I said, we are not including information from mobile devices; they are corporate equipment, because we are associating them with what is happening with those ten organizations, the main ones that exist in our country. From there, we can also present this graph, where we can see that there are two companies within the visibility we had that apparently do not have associated InfoStealer data; however, there is one that is gaining prominence here with almost 500 credentials, in this case 500 credentials. We do not keep the same order as the Merco study, precisely for reasons of reputation and so on, so that nobody goes and looks: the first is this company and the fifth is that other one; no.

Additionally, something important we did here, which is outside the study, but we also found it important and wanted to look at a little, moving or changing a little the process we had been following in the research, was to do some monitoring and a series of checks of what was happening specifically with credentials. This slide at the top presents 889 credentials for the distribution of the 10 Merco companies in Colombia. And this, which is part of some more recent data we have taken, from February 1 to April 17, corresponds to the .gov domain, or all the government organizations, all the entities you can imagine that exist in our country. There is a total, only for this period, which was even shorter, of 8,449 credentials out there on offer in all these forums and in these channels associated with Telegram. This somehow shows the difficulties and opportunities that exist in the government sector, because obviously all government entities move the needle in the country's stability. Those who remember what happened with INVIMA a while ago: there was a relevant problem with all the raw materials, with medicines and so on, as a result of cyberattacks. And not only that, but we as citizens of this country have our personal data in many of the systems of those entities. From there, what is most relevant is that this is important and generates an alert about the risk, and it is no mystery to anyone that many things associated with the security roadmap are missing, because if private organizations invest and that still happens, we cannot ignore that here, unfortunately, in our country there are no capabilities, nor investment, nor will, and that is why these things happen. Here we can see that the risk is much wider than in the private sector. And it's also a call to attention so that as citizens we also take care of our data, because InfoStealers not only affect companies but also our own home computers.

OK, let's continue. Well, very quickly, let's say what the availability is. As I was saying, the father of all of them is Redline. Each of these InfoStealers, although they changed the name and so on, keeps many similarities, and many come to support what this was initially. The others that
you see here, they emerged at the level of the year 2022. are associated or affiliated with what is to trace a series of attacking groups or that are in this ecosystem that we mentioned initially associated with the region of Russia or with the country of Russia, although there are many other variants among other member countries of what was the former Soviet Union. We are not going to say only Russia, because in intelligence, threats and other, and in real life attacks, one reveals that not only from Russia they attack, but in countries of Eastern Europe and others that were former of the Soviet Union, this also happens. So not everything is attributed here, although, let's say that by culture we can say that it is
Russian. The programming language of all these elements is in C++. Let's say that the distribution mechanisms, depending on what I got to be in Auge and others, then, as I mentioned during the pandemic, many things were associated with topics, even at the YouTube level, many were, well, I'm at home in quarantine, so I'm going to look for a series, I'm going to look for I don't know what, I'm looking for a software, I'm looking for a game, and that generates a big peak of infections for this type of thing, already at the level of, let's say, personal. The other issues that occur in reality are situations associated with fraud and phishing campaigns and other situations situations with third parties, that is, these large companies
also have many third parties, the third parties are sometimes not as well supplied in their security and so on, and that is why this exists. The use of Windows systems that allow a business version of the systems with a crack and so on, is where the emergence of this is seen the most. There is one very important, And this is the one we are seeing, the Redline, which saves some modules in which it can collect credentials at the VPN level and systems that allow access points to organizations. In fact, that is one of the main interests of many of these groups, is because I have a credential that allows me, through a VPN or other
access of that type, enter the internal network of a company, make a discovery and everything else that is already done within the attack chain, that is what ends up leading to leaks of representative information, attacks from ransomware and other things at the level of organizations. Well. If you want to return to your moment, Jaime, please. In fact, Redline is one of the most representative in terms of the risk factor because if the attacker can obtain the credentials of the VPN or an FTP, he will have direct access to the organization. That is why there has also been an exponential growth in this type of attack, because many of us are working remotely today. and many of the organizations give
the possibility to use their own equipment and that's where the risk increases because it is easier to end up contaminated and the attacker will obtain the information with which he will obtain or will be able to access the environments of the organizations. Here what we wanted to show you about that top 3 is What is the main information they obtain about each of them. We can see that, for example, at the Luma level, the information they obtain is all the application issue. It lists which are the applications that the PC or device that is affected. All credentials associated by each one of the browsers, Chrome, Mozilla, etc. It also collects information related to wallets. We see
that in all. and most of them deliver text files in an organized way for each category, for example credentials, software and application issues. For the case of Redline, we see that it also collects, if we compare each of them, the information it collects is very similar in all, except that Redline Unlike the others, I collect a little more information related to FTP and VPN issues, as we saw a moment ago. The autofields issue, which is when we are filling out those forms and somehow we tell them that for the next one, fill us that information automatically, this is also extracted by the InfoStealers. The FileGrabber is information that is extracting the InfoStealers that may be
valuable within the teams. Fimatico, PDF, basically about those files and if you see that it is interesting, for example, something related to a brand or a new strategy about a company, also filter them and that will also be an additional information for sale in the forums of the DITWEB or in the forums of Telegram. Basically, as I mentioned a moment ago, if we compare the information is very similar. As for the markets and sales, basically, as well as the sources, are mainly two. They have their own forums on Aditweb, where they offer their service packages, but they also do it through Telegram. Here we have, for example, the Luma, where the basic package is worth $ 250 and allows you to obtain logs and tools to
do that parsing and make it much easier to read those logs. It does not offer, for example, topics or network traffic tools and it does not offer, for example, topics to bypass or, let's say, not be detected by security tools in companies or in equipment. We have one of 500 dollars that they call professional, already offers basically the same as the previous one, only that this one offers tools for traffic analysis. The corporate one that costs 1,000 dollars for the case of Luma. And we have one of 20,000 dollars that already delivers the source code to the person who wants to acquire it. This is another one, this is for Redline, it also has its own forum, but also as I mentioned, they use Telegram to sell their information,
not only the information, but also their tools. There they show more basically what it consists of. For the case of Redline, approximately the cost at the moment is for a month, $150, and the source code for life is $900. And for the case of RISE Pro, the same. And the prices are very similar in the market. They have a regulated market in that sense. Here the issue of administration and operations. This is an administration console. Can you lend me the... Can you put it in zoom? This is an administration console of Redline. Basically here, left hand, you can run a little, that. This is like all modules that Redline has. The first module is the logs module, where basically it will show you what are the logs
that I managed to collect with the InfoStealer. The statistics module basically shows me the statistics at the level of operating systems, which ones come first, and at the level of credentials, how many I have managed to collect. It is just to show, at the statistics level, what information I have managed to exfiltrate. The partners module is an interesting one, because they offer additional packages or other types of malware, where they tell you, "I can offer you another product related to keyloggers or ransomware." And you can acquire those packages additionally from the partners you have. The guest list module holds the links that I can use to send, for example, through a phishing campaign. And the person then obviously goes to the site and downloads the InfoStealer. We have several links. Why? Because obviously, as they are being used, many security tools will ban them over time. So that is why they keep changing those links to stay active. Then the... well, let's say that some important ones are the wallet modules, the wallet checker: since we have talked today about digital wallets, they also steal this information and check how many funds they have, to see whether it is viable or not to carry out other additional attacks and steal the money.

The Telegram module is quite important, because, as Jaime mentioned a moment ago, what they are using is the Telegram API to automate the alerts and tell me, come on, I already have this computer compromised, and additionally, automatically, it sends me the logs that it is collecting through a Telegram bot. And now we will see an example of that. This diagram that we see on the right-hand side is basically the communication between the infected PC and the command and control server that receives the information. And here we can see what that communication is, which is basically client-server communication. And as for the way of exfiltrating information, let's say they use two ways, to put it that way, to extract that information. The first one: they categorize it, they put it in a category called entity, and they send it in packages. Why? Precisely so as not to trigger those alerts in the security tools. So they send it in little drops so that they are not detected. And in some other cases, yes, they can send the information complete in a .zip or something like that. But they mainly use the first option, because it is a much more successful approach for exfiltration. This is an example of the bots that are programmed in Telegram to send them the information automatically. They are simply having a coffee and they receive it: I already have the information collected from the system, from the browsers, from the payment topics or payment pages, where I already have the information, for example the credentials for PayPal or Amazon, etc. And complete lists of credentials, users and passwords, that it has collected and sends through Telegram. Basically that is
part of the techniques that the InfoStealers are using, which we saw mainly in the top 3 that we managed to identify in LATAM.

We also wanted to bring you a series of recommendations so that you, who we know all work in the industry, can support your organizations in implementing some of them. The first thing is to understand how InfoStealers work and what the distribution methods are, which is part of what we already explained to you, so that you can also apply this in your organizational environments. And we brought a series of recommendations from two points of view: some at a preventive level, to avoid actually being infected by this type of InfoStealer, and others at a reactive level, for when unfortunately we are already compromised.

Within prevention, we have here in the first place something that is very important, and not only to prevent InfoStealer-type attacks but other types of attacks as well. In fact, the first one is to reinforce or basically prohibit, in organizational environments, the different users having the ease or the ability to download software that is outside the organization's baseline. So, as we mentioned, this is one of the controls that will help me prevent not only InfoStealer attacks but other types of attacks; in fact, we recently attended a ransomware case where the company ended up compromised through one of these. Do not download pirated or cracked software; that is where most of these InfoStealers are embedded. In fact, we have seen cases where security tools are installed, but because users need to use the software, many times they deactivate the tool to download the crack, and there they are already compromised. User training on phishing is still very important. Over the course of the day we have seen in many of the talks that phishing, the good old reliable one, has been used for a long time, but today it is a little harder to detect, precisely because of the artificial intelligence tools that make it much more difficult to detect this type of threat in which the InfoStealers are embedded. We must keep working on these issues. Two-factor authentication will obviously always help. Hunting for and blocking those indicators of compromise is quite important; you can find many lists of them. If you want, we also have a list of indicators of compromise that you can implement in the organization's environments. We are here, willing to share them with you too. And keep passwords safely, not in the browsers, which is part of the risk.

Mitigation, in the event that we are already affected: obviously isolate the asset, validate and scan to confirm that it really no longer has the threat, reset all the cookies and the passwords, reset and change the credit card credentials or change the credit card, because that data is also being stolen. And this is very important, that in organizational environments sometimes they overlook it or do not see it as valuable information, because many times it is not functional, but it is quite important that they take it into account. Constant monitoring of the deep and dark web, of the different forums where they are offering this information, including the Telegram channels. And finally, we encourage you to implement all this knowledge that we are providing today, based on the research we did, in your organizations' environments and obviously at a personal level, because there is also a personal risk that they can steal our credit card, commit fraud, etc. Thank you very much. I don't know if you have any questions.

The indicators of compromise of the InfoStealers, is there
any super secret public database? Well, to repeat: is there any public database or threat intelligence feed where I can get the indicators of compromise that you mention?

Yes, look, let's say that each of the houses today, let's say this is emerging, obviously you understand that each one adds, I don't know, techniques or differences in polymorphism and these things; however, let's say that they all have specific bases, and there are rules with certain patterns and so on. Hmm, as for the channels in the sense of Telegram, that is, buying the logs and so on, that is, for you to have access to the main information, and that was part of the monitoring that we do, you have to have direct access to, in some way, financing these activities, for the sake of being able to get to the data, precisely in order to prevent; there is no other way, because many of these logs come from there. But as for indicators of compromise, if you search by tags or labels on VirusTotal and others, you find things related to RedLine, to Lumma, to Raccoon, to whichever one you want. And the same on the internet; there are a lot of indicators about it.

Another question? I go first here, then I'm going over there. Thanks. Thank you Jaime and Joani for the talk. I have a question. You mention that the information that these InfoStealers sell is from corporate computers. Yes. But how do you know that... For this research it was only in a corporate environment, in the top 10 from Merco, which tells me which are the top 10 main companies, and we did the research on those domains. But it doesn't mean that they were corporate machines. Yes, it's about corporate machines. How do you know that it actually was, that the information was leaked? By the domain, because we know that the domain is corporate; it is not my machine. Yes, but let me finish the question. Exactly, to corporate mail. There is a series of additional patterns that we had in this specific monitoring that gave us, let's say, or allowed us to discern what was personal and what was corporate. Exactly. So I wanted to know a little about what those indicators had been that led you to think that it was a corporate machine and not a personal machine accessing corporate mail or a corporate portal. I understand you. It's just that if I tell you, I have to kill you, I'm not lying. No, look, what happens is the following: there are certain patterns where we can see what is reachable from the outside and what is reachable from the inside. What is reachable from the inside we can label as: "Hey, this is a corporate environment." There is another series of patterns in relation to the type of, let's say, these InfoStealers collect additional information about the hardware and so on, and with that type of pattern and certain elements that fall outside the lines of a
personal machine, that is what tells us what a corporate machine is. Okay, okay. And the other thing, let's say, how do you... ...that of 100% of the information, a certain part is garbage information, or information that is no longer useful. Why? Because if it is information that we collected three months ago, but the company changes passwords every two months, then the password that I had initially will obviously no longer be of use to me. That on the one hand. But indeed, a lot of the information is useful, and in fact we have seen it in several of the attacks that we have attended in the region. Why? Because it is indeed the access vector that we managed to identify, with which they entered the organization's environment, and then they did other types of things. And what you mention is true: what we put here is raw information; not necessarily everything is completely legitimate and usable and works, that is, not everything that I see there, especially in credential markets, lets me get in. Why? Because there are policies, let's say, that have changed. But what we have also seen is that unfortunately, due to the bad security practices that we have, if you have a password, in general similar patterns are used. So if you create dictionaries with similar patterns, we have seen that there are also successful logins. But in other cases we have seen, and what we see mainly is deficiencies in password policies. That is, we do not see that there is regularity in rotation, and as a result of that, let's say, that is the security problem that can be seen. In other cases, there are also many forums where they do not offer so much information, but the price of access to the company is quite high. If that is so, if it is very high, it is highly likely that it is real. And there are also other things, such as the reputation of each threat actor in the forums and that kind of thing. And finally, since the volume is big, obviously there is a margin where many things can be garbage, but since the volume is so big, there are things that are usable. We have seen that too. And just to complement the point about reuse: unfortunately, as users we use the same password, not only in corporate environments but also in personal ones, and that is also out there; something that I set at the personal level is also the same password at the corporate level. That also happens in some cases.

Jaime, William, thank you. Maybe complementing Leo's question: last year, more or less 560,000 accounts were offered through these channels, and when validating with the main companies, the ones that were in the top, they validate and there is information from two or three years ago. How do we believe in
the reality and not in the fiction of what is being sold today? Because precisely many of the passwords that were there, although they have high strength, many companies, when they validated them, said, "I haven't had that account for two years, we already changed them, we already knew." That is one question; I have several. Yes, let's say it also depends a lot on the focus of the search. If I go looking for two-year-old information, obviously there will be information that will not be useful, because effectively the organization is no longer using it, and there is a very high false positive factor. However, we have also seen cases where, precisely due to bad policies, there are passwords and users that are usually embedded inside the machines, or users of an administrative type that are used a lot and have been around for two or three years. So let's say that there, yes, it does happen; that is why at some point in the talk we mentioned that in some cases the companies, despite doing that monitoring, do not pay much attention to it, because indeed there is a high probability that many of those do not work, but only one is needed to get in. And that is where the ball is in the organizations' court, to validate whether they are really useful or not. It is also a joint effort with the organizations. Let's say that, more than that, the question is: did you perhaps take the trouble of validating that they were not already previously listed, that they are new? The vast majority of the credentials in this case, especially those that carry greater risk, and in many cases, let's say, we used monitoring in which the information was imported recently. We took, as you could see there, data from the 2023 cutoff; perhaps, if there are good policies in terms of rotation and so on, they do not represent a risk. We couldn't guarantee that. We took this also to show what happened in that whole threat landscape seen toward 2023, taking the last semester. And something important, also relevant: the vast majority of InfoStealer material today comes from the logs that are sold on Telegram. There is a lot on Russian Market, but let's say that many of them come as part of combos and that kind of thing. The InfoStealer, which fortunately maybe we can't show, saves information about when the probe or the malicious binary was installed on the computer system. From that we can get to see how relevant that information is. And the other thing you mention to me: I have actually met many companies that get upset and say, "In our organization there will never be a password of these characteristics," etc., etc. Well, but if you are telling me that, why am I here, attending an
incident precisely because of that? Do you understand me? So, those absolutist statements, that I have my network segmented or this password does not have these characteristics; the truth is that there is a very popular adage in security, which is that you do not trust, you simply test. And when you go and test and do the simple audit, it turns out that it works. So it's a topic that is difficult to touch, but we have seen it in the reality of organizations.

It is a reality. Mine is more methodological; the question is more about the methodology, and within that methodology, when that classification that you present is made, where a malware enters to be ranked, that comparison is being made by the number of devices; why not do it by the percentage of participation per country? That is, there are more people in Brazil, and comparatively the impact in Brazil can be less than in Colombia or in another country, and that helps us take more measures or be more focused on taking effective measures. Have you seen that, or why did you make the decision to rank it by the number of accounts? You are right; if this or that, given the opportunity, we could mention, come on, what the population is, or there are studies of how much technology is deployed in one country versus another, to be able to be more accurate with that. And that's why you saw that many of those elements are presented separately. So that's the reason. But obviously what you mention is completely valid, because we can't compare some of our countries with a geography like Brazil, which can even contain two or three countries or even more. But yes, obviously. And on that same point, just to polish the report, which is interesting: by chance, did you do some study of companies that had presence in several regions, and whether that presence necessarily affects another country in which it has presence? Not on a regular basis, but within the organizations that we included in the study, many of them have subsidiaries in several countries. So, it is not completely covered, but we can estimate that this is also happening, that through country X it can end up affecting me. Why? Because of the subsidiaries they have in one country or another. We already had three ransomware incidents that occurred in another country.

Finally, the million-dollar question, right? If today the big companies have tools such as EDR, tools that analyze behavior and are more sophisticated in their analysis, why does it happen? Obfuscation techniques evolve in the same way as the tools within organizations. If there were a tool that covered everything, then no incidents would occur. So basically, in fact, RedLine has a module where, additionally, it can include
obfuscation techniques that simply change the binary, or simply make the hash different, so the EDR, at the behavior level for example, will not detect it, much less an antivirus. In other cases, what we have seen is that the user simply needs to download AnyDesk, because he needs it for the organization, and he is the technician who has the permissions in the organization; he lifts the restrictions and installs it, and in theory AnyDesk works, but underneath an InfoStealer is running.

Hello guys, of the recommendations that you gave to prevent this type of attack, focused on the end user, which do you consider to be the main or key recommendation, and why? Well, let's say they are all functional, but as users we must be careful, first, about downloading pirated software or software with cracks; we should also install our antivirus. And an important point, even if it takes us longer and longer: we do not save our passwords and we do not use autofill, to prevent, in some way, if we end up infected with this, it leaking our information. And the matter of training, don't you consider it fundamental? Yes, indeed, being aware, as you mentioned, being aware of these things makes one understand what is happening, and there is a lot of ignorance that prevents having the specific safeguards. So when you have good practices, even at the biological level of hygiene, your exposure to diseases versus those who do not have them is different. And in the field of our digital identities and the use of computer equipment, the same thing happens. So when you are aware, and you don't just go in and say "oh, he sent me this here, or let me save the password here," then... pure wisdom, and for being, let's say, more lazy or wanting it more convenient, then I save my passwords or that kind of thing. So if you have hygiene in the use of devices, in that kind of thing, in checking a WS when you get a message, that kind of situation, then let's say that in some way it is quite important. Something I always recommend is that one should not even trust one's own computer equipment; that is, do not store credentials, do not store them in plain text or anything like that, nor use the browsers' stores and so on, because that, as I said at the beginning, comes with its price. And the price is that many times that is what gets attacked easily. You may get infected with one of these things, but if you have good practices, to a certain extent the impact is reduced. For example, many people trust password managers. They are good; obviously they will help us, and, let's say, they mitigate the risk of reusing
passwords.

Good afternoon. A question: before going to the deep web, if I want to know whether a company is being breached, a roadmap before the deep web to know whether the data of company X is compromised. What do I mean? Are there pages, are there tools that tell me their data may be compromised at this moment? Or reports, exactly, or should I go definitively to the deep web? No, not necessarily. Nowadays there are many services on the surface internet. One of them, and I recommend you look for it, is the Hive Impounded, H-I-V-E dot com. What is that? It's a big database, a repository on the surface internet that you can access normally. There you can check, for example, how safe your password is. And in other cases, for example, you can check your own email. Because they are storing everything that has been part of large databases of sales in that illegal market of the deep internet. And it will show you whether you were possibly, at some point, part of one of those. Also Google dorks, with which you can make some searches, let's say intentional or with a specific purpose, on the internet about your specific company and so on. And depending on the types of information that you get, you can see or have, let's say, a verdict on how exposed or not the organization is to that kind of thing. I got a little into the technical side there; there are many ways to help each other nowadays, but that's what you can do. And there are a lot of sites where you can also check domains, check things related to credentials and that kind of thing. You don't necessarily have to go to the deep internet. Thank you very much, Jaime. Thank you, William. A round of applause for them.