2023 in Review: Notable Cyber Trends in Latin America
Introduction
Of the many industry reports summarizing the year 2023 in cybersecurity, few mention what occurred in Latin America. So, we are addressing this information gap by analyzing the cyber threat landscape in the region over the past 12 months. What were the most significant threat actors? What regional trends do network defenders need to be aware of? And what will continue to be the major threats in Latin America in 2024?
Here are the 3 most significant cyber trends of 2023 in the region:
Ransomware: Like most areas of the world, Latin America experienced exponential increases in ransomware attacks. A report by ESET Security estimated that 69% of LATAM companies were affected. The prevalence of this threat has garnered support for multilateral efforts to combat ransomware. Recently, 50 national governments (including Colombia, Costa Rica, Dominican Republic, Mexico, and Uruguay) signed the International Counter Ransomware Initiative (CRI).
Increased attacks by foreign & domestic adversaries: Latin America was targeted in significant attacks by foreign and domestic cybercriminal groups. On the one hand, foreign advanced persistent threats (APTs) are increasingly focusing on Central and South America in state-sponsored espionage campaigns. On the other hand, Latin America is home to many criminally-motivated groups that primarily target countries within the region.
Banking trojans: Banking trojans, or malware that appears to be legitimate software but steals confidential financial data, are uniquely pervasive in Latin America. The number of banking trojan detections in the region increased by 50% this past year. Top affected countries included: Argentina, Brazil, Chile, Colombia, Ecuador, Mexico, and Peru.
Taking a Closer Look
Ransomware
Ransomware has become a crucial concern for organizations across the globe. Recent research shows that 96% of organizations in Latin America are deeply concerned about ransomware. Below are some of the top ransomware variants operating in the region:
SiegedSec: Hacktivist group active since February 2022; in November 2023 they targeted databases, internal documents, and user data from Colombian government and healthcare organizations.
Nokoyawa: Russian group active since February 2022; the group stole data from a Brazilian laboratory in early 2023.
ALPHV/BlackCat: Ransomware-as-a-Service (RaaS) operator active since November 2021; they recently published data stolen from large Mexican companies.
Stormous: Arabic-speaking group active since 2021; has operated in conjunction with GhostSec hacktivists and targeted victims throughout Latin America (especially Cuba).
Vice Society: Active since 2022; primarily targets the education, medical, and manufacturing sectors in Argentina, Brazil, Israel, and Switzerland.
What Are Domestic Adversaries Doing in LATAM?
Latin America is home to numerous cybercriminal groups that have conducted significant operations and caused widespread damage. Let’s take a closer look at these domestic adversaries…
One of the region’s most sophisticated and active groups is BLIND EAGLE (APT-C-36). This threat actor often conducts espionage campaigns using multi-stage infection chains and open-source remote access trojans (RATs). BLIND EAGLE is also known for its localized targeting, often using tools to geolocate victims and abort the attack if a non-Colombian IP address or a VPN is detected. This adversary started 2023 off with a bang by launching phishing campaigns against victims in Colombia and Ecuador and exploiting additional organizations in Colombia via files with double extensions and the Fsociety DLL. Several months later, BLIND EAGLE began using njRAT to attack victims in Chile, Colombia, Ecuador, Spain, and possibly Mexico.
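As an added defender-side illustration that is not part of the original report, the following Python flags the double-extension attachment names mentioned above when run over constructed mail-gateway log lines; the log format, sender addresses and the two extension lists are assumptions, not anything attributed to BLIND EAGLE.

```python
import re

# Constructed sample mail-gateway log lines (assumed format, not real telemetry).
SAMPLE_LOG = """\
2023-03-02T10:14:07Z gw01 attach from=alice@example.test name="factura_marzo.pdf.exe" size=412344
2023-03-02T10:15:22Z gw01 attach from=bob@example.test name="informe.xlsx" size=22100
2023-03-02T10:16:01Z gw01 attach from=carla@example.test name="Comprobante.PDF.SCR" size=301211
2023-03-02T10:17:40Z gw01 attach from=dan@example.test name="notas.tar.gz" size=8822
2023-03-02T10:18:55Z gw01 attach from=eve@example.test name="contrato.docx   .lnk" size=2210
"""

# Extensions a user would read as a harmless document or image (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "png", "txt", "zip"}
# Extensions that Windows will actually execute or that launch something (assumed list).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "lnk", "dll"}

ATTACH_RE = re.compile(r'name="(?P<name>[^"]+)"')


def is_double_extension(name: str) -> bool:
    """True when the name ends in <decoy>.<executable>, e.g. factura.pdf.exe.

    Comparison is case-insensitive and whitespace padding before the final
    extension (a common trick to push the real extension out of view) is ignored.
    Legitimate multi-part names such as archive.tar.gz are not flagged because
    'tar' is not a decoy document extension.
    """
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = (p.strip() for p in parts)
    return decoy in DECOY_EXTS and real in EXEC_EXTS


def flag_attachments(log: str) -> list[str]:
    """Return the attachment names in the log that carry a double extension."""
    flagged = []
    for line in log.splitlines():
        m = ATTACH_RE.search(line)
        if m and is_double_extension(m.group("name")):
            flagged.append(m.group("name"))
    return flagged


if __name__ == "__main__":
    for name in flag_attachments(SAMPLE_LOG):
        print("double-extension attachment:", name)
```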
Last year also saw the rise of new groups in the region. In May 2023, SCILabs published the activities of Red WinterDog, a new threat actor that primarily targets victims in Mexico. This adversary uses malvertising campaigns to gain a foothold on victim systems and exploits victims via browser injection and use of the PowerShell .NET framework. Additionally, the Israeli tech firm Perception Point announced the discovery of Manipulated Caiman, an adversary likely based in Latin America that targets banking customers in Mexico. Manipulated Caiman leverages complex spearphishing operations to geolocate victims and deploy malware. According to researchers, this threat actor has profited more than USD 55 million from its operations since the onset of its activities in 2021.
What Are Foreign Adversaries Doing in LATAM?
China
Chinese state-sponsored actors have been more active in Latin America than in previous years. In February 2023, Microsoft’s threat intelligence team observed that the espionage group DEV-0147 attacked diplomatic entities in unspecified countries in South America. According to Microsoft, this series of campaigns marked a “notable expansion of the group’s data exfiltration operations that traditionally targeted government agencies and think tanks in Asia and Europe.”
Later last year, researchers uncovered a cyberespionage campaign (Operation Jacana) against government agencies in Guyana. The adversary, believed to be aligned with the Chinese government, used the DinodasRAT backdoor to execute commands, manipulate Windows registry keys, and exfiltrate files.
Iran
Iranian APTs have also been active in the region. For example, in September 2023, the Iranian adversary Charming Kitten (aka Ballistic Bobcat, APT35) utilized the new Sponsor backdoor to compromise 34 organizations in Brazil, Israel, and the UAE. Specifically, the threat actors exploited vulnerable Microsoft Exchange servers to access victim systems and then deployed the Sponsor malware on disk.
Lebanon
Early last year, more than 700 devices in Central and South America (primarily in the Dominican Republic and Venezuela) were infected with spyware. Dark Caracal, a Lebanese cyber mercenary APT, targeted the victims with a modified version of the Bandook malware. This new variant included several updates, among them the use of DES to encrypt the second-stage payload and new commands to enable the victim’s webcam, add or remove files, record the screen, initiate an RDP session, and download other libraries.
Brazilian Banking Trojans: A Uniquely LATAM Problem
Our final notable trend of 2023 is the prevalence of banking trojans in the region. As of July 2023, 8 out of 13 active banking trojan families in the world are developed in Brazil. On a related note, Brazil is the global leader in the number of banking trojan detections, followed closely by Russia, China, and India. As a result, victims throughout Latin America are frequently targeted in banking trojan attacks. Although Brazilian banking trojans are most active in the region, there is growing evidence that the malware developers are selling their tools to overseas operators in Europe.
Conclusion
2023 was certainly not a quiet year for organizations in Latin America. From combatting ransomware attacks to confronting cyber adversaries to detecting banking trojan malware, the region’s network defenders faced many challenges. To build a resilient defense, users in the region must continue to explore and identify attack vectors. For example, spearphishing remains the most commonly exploited method of initial access in the region.
Looking forward to 2024, Latin America should expect more of the same risks. Below are some of the primary threats we anticipate in the new year:
Ransomware will continue to be one of the primary threats to the public and private sectors in the region, as well as worldwide. However, victims will be less likely to pay the ransom and national incident response capabilities will likely be enhanced due to increased counter-ransomware initiatives.
Android devices, vulnerable systems, and human trust will be most commonly exploited for initial access during attacks.
There will likely be an uptick in cryptocurrency attacks due to widespread usage in Central America and the Caribbean. In 2021, El Salvador adopted Bitcoin as a legal form of currency – the increased reliance on cryptocurrency platforms could expose potential vulnerabilities for exploitation.
Cyberattacks from foreign state-sponsored APTs, especially those based in Russia and China, will rise in Latin America as a result of current trade and defense agreements.
National cyber governance in the region will likely improve, especially in countries with stable democracies and security environments. Regional cyber leaders such as Brazil and Chile may increase support to other nations to enhance overall regional capabilities.
Approved for Public Release; Distribution Unlimited 23-02410-4. ©2024 The MITRE Corporation. ALL RIGHTS RESERVED.