Most Internet of Things (IoT) attack news has focused on botnets and cryptomining malware. However, these devices also provide an ideal target for staging more damaging attacks from inside a victim’s network, similar to the methodology used by UNC3524. Described in a Mandiant report, UNC3524 is a smart new tactic that exploits insecurity in the network, IoT, and operational technology (OT) devices to achieve long-term persistence within a network. This type of Advanced Persistent Threat (APT) is likely to increase in the near future, so it is important for businesses to understand the risks.
A critical blind spot
Specially crafted IoT and OT devices that are connected to the network and prohibit the installation of endpoint security software can be easily compromised and used for a wide variety of malicious purposes.
One reason is that these devices are not monitored as closely as traditional computing devices. My company has found that over 80% of organizations cannot identify the majority of IoT and OT devices in their networks. There is also confusion as to who is responsible for their management. Is it IT, IT security, network operations, facilities, physical security, or a device vendor?
As a result, unmanaged devices regularly exhibit high and critical level vulnerabilities and lack firmware updates, hardening, and certificate validation. My company analyzed millions of IoT, OT, and network devices that are deployed in large organizations, and we found that 70% had vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 8-10. we found, 50% are using default passwords and 25% are end of life and no longer supported.
Compromising and Maintaining Persistence Across IoT, OT, and Network Devices
Taken collectively, all of these issues play directly into the hands of attackers. Since network, IoT, and OT devices do not support agent-based security software, attackers can install specially compiled malicious tools, modify accounts, and activate services within these devices undetected. They can then maintain persistence because vulnerabilities and credentials are not managed and firmware is not updated.
Staging attacks in the victim’s environment
Due to the low security and low visibility of these devices, they provide an ideal environment for staging secondary attacks on more valuable targets inside the victim’s network.
To do this, an attacker will first enter the corporate network through traditional approaches like phishing. Attackers can also gain access by targeting an Internet-connected IoT device, such as a VoIP phone, smart printer or camera system, or an OT system such as a building access control system. Since most of these devices use default passwords, this type of breach is often trivial to achieve.
Once on the network, the attacker will move laterally and stealthily to search for other vulnerable and unmanaged IoT, OT and network devices. Once these devices have been compromised, the attacker only needs to establish a communication tunnel between the compromised device and the attacker’s environment at a remote location. In the case of UNC3524, the attackers used a specialized version of Dropbear, which provides a client-server SSH tunnel and is compiled to run on the Linux, Android, or BSD variants that are common on these devices.
At this point, the attacker can remotely control the victim devices to attack IT, cloud or other IoT, OT and network device assets. The attacker will likely use ordinary and expected network communication, such as API calls and device management protocols, to avoid detection.
Response to surviving incidents
The same issues that make network, IoT, and OT devices an ideal place to stage secondary attacks also make them well suited to survive incident response efforts.
One of the main value propositions of the IoT, especially for sophisticated adversaries, is that the model significantly complicates incident response and resolution. It’s very difficult to completely kill attackers if they’ve established persistence on just one of the hundreds or thousands of vulnerable, unmanaged devices that reside in most corporate networks – even if malware and kits of attacker tools are completely removed from the corporate IT network, command-and-control channels are disrupted, software versions are updated to remove previously exploitable vulnerabilities, and individual endpoints are physically replaced.
How to Reduce Business Risk
The only way for enterprises to prevent these attacks is to have complete visibility, access and management across their disparate IoT, OT and network devices.
The good news is that device-level security is simple to achieve. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, login, and firmware management, as well as basic device hardening. That said, companies with a large number of devices will be challenged to secure them manually. Companies should therefore consider investing in automated solutions.
The first step companies should take is to create an inventory of all specially crafted devices and identify vulnerabilities. Next, organizations must remediate at scale the risks of weak passwords, outdated firmware, foreign services, expired certificates, and high-to-critical vulnerabilities. Finally, organizations must continuously monitor the environmental drift of these devices to ensure that what is fixed stays fixed.
These are the same basic steps companies follow for traditional IT assets. It’s time to show the same level of attention to IoT, OT and network devices.