What if ransomware evolved to hit IoT in the enterprise?

Proof-of-concept lab work demos potential future threat


Forescout researchers have demonstrated how ransomware could spread through an enterprise from vulnerable Internet-of-Things gear.

The security firm's Vedere Labs team said it developed a proof-of-concept strain of this type of next-generation malware, which they called R4IoT. After gaining initial access via IoT devices, the malware moves laterally through the IT network, deploying ransomware and cryptocurrency miners while also exfiltrating data, before taking advantage of operational technology (OT) systems to potentially physically disrupt critical business operations, such as pipelines or manufacturing equipment.

In other words: a complete albeit theoretical corporate nightmare.

"It basically comes out of our observation of the evolving nature of the threat actors that are involved in ransomware — they have been changing tactics in the past couple of years," said Daniel dos Santos, head of security research at Forescout's Vedere Labs.

Intruders aren't just encrypting data and demanding a ransom payment to decrypt corporate systems, he told The Register. Instead, miscreants are also stealing sensitive information, publicly leaking some or all of it, and then also launching DDoS attacks on businesses if they don't pay up.

These increasingly destructive attacks, combined with the growing number of internet-connected devices, led the researchers to ask: what if ransomware exploited IoT gear to get into a corporate network? Usually, organizations are infected when someone opens a booby-trapped email, when intruders use stolen or phished login credentials, or when a public-facing server is exploited. R4IoT instead specifically targets IoT equipment.

The good news is that this is only conceptual malware, developed in a lab to show how criminals could combine the worlds of IT, OT, and IoT to spread ransomware. We're told this wouldn't be too hard to do in the real world, provided one is able to identify and exploit IoT vulnerabilities in a victim's environment.

"None of the exploits are difficult, per se," dos Santos said. "We, of course, did it in a lab where we controlled all the variables. If you're doing that for real ... [it's] definitely doable and doesn't require a high level of sophistication."

Finding the connection point between the IT and OT network may require some persistence, he added. But that also speaks to the evolving nature of ransomware and the commoditization of exploits, according to dos Santos.

"You have these ransomware-as-a-service gangs, for instance, that develop very complex pieces of software, very complex malware, and distribute that to affiliates who then just deploy that at specific targets," he said. "The idea here could be the same: somebody develops a complex malware, and then somebody else who has lower skills is responsible for deploying that."

In fact, Vedere Labs has seen "bits and pieces" of code like its proof-of-concept exploited in the wild, he added.

How far in the future is this?

One of the exploit examples in the PoC targets a network-attached storage device as an initial entry point. It was borrowed from BotenaGo, a real-world botnet active late last year that sports more than 30 exploits for several types of IoT device. Additionally, the Snake ransomware started raising concerns for industrial control system operators in early 2020.

"But putting it all together — I don't think that will take a very long time," dos Santos said. "One of the main variables is also that the attackers go for the lowest hanging fruit. And so far, it's still easier to pull off attacks with phishing or valid credentials."

As the number of IoT devices increases, enterprises' attack surface grows, and ransomware gangs that focus only on IT equipment are missing out on a massive number of potential points of entry. Right now, IoT and OT represent 44 percent of the total devices in enterprise networks, according to Forescout.

The tipping point for criminals to start targeting these devices for ransomware attacks "will probably be when the IT and OT devices surpass 50 percent," dos Santos said. "And that is really soon. That is a matter of one to two years."

R4IoT's path from IoT to IT and OT

Here's how the attack works. First, a miscreant uses a vulnerable Axis network-connected camera as the entry point. The researchers chose Axis because it and Hikvision account for 77 percent of the IP cameras used across Forescout's 1,400 global customers. Axis cameras alone made up 39 percent of those observed.

"This means that weaponizing IP camera exploits as a reusable point of entry to many organizations (exactly what initial access brokers do) is feasible," dos Santos wrote in a report due to go live today.

The Axis camera in the lab has three critical vulnerabilities, and the attacker exploits those to gain remote command execution and take over the device. 

The criminal then remounts the camera's root filesystem from read-only to read-write so that larger files can be uploaded and stored, creates a new user with root privileges to keep control of the camera, and scans the network for a connected Windows machine exposing Remote Desktop Protocol (RDP) services.

After finding the Windows machine, the miscreant obtains RDP credentials using a dictionary attack against accounts with high privileges, and creates an SSH tunnel between the attacker's computer and the RDP box. This provides the communication channel to send the R4IoT executables and files. 

The programs allow lateral movement in the network by attacking domain controllers and also include a command-and-control agent for future malware and data exfiltration, a crypto miner, and an executable that launches DDoS attacks against critical IoT and OT assets. 

'Reality check' time

This research should provide a "reality check" for enterprises about the interconnectedness between their IT, OT, and IoT networks, and how malware can move between all three of these environments, according to dos Santos. 

"Takeaways are regarding mitigation," he said. "It's not just the attack is there, everybody run for the hills because it's terrible. We don't want to just scare people. It's really about what you can do about it."


This boils down to the things that organizations can do to mitigate risk. First, identify all of the devices in the network and prioritize vulnerabilities under active exploitation. 

"Not just the IT stuff on your corporate network, but everything that surrounds that, whether that's IoT, OT, medical devices for hospitals, or whatever else you have connected to the network," dos Santos said. 

"And identify means not just knowing that they are connected, but also what software they are running, what security policies are attached to them, and then you can build a risk profile for those devices," he added.

Once all connected devices are identified, implement security controls such as network segmentation and multi-factor authentication. Also patch device vulnerabilities whenever possible, and don't use default or obvious passwords, dos Santos said.
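To make the camera-to-RDP path described above and the inventory-and-segmentation advice concrete, here is an added Python example; it is not Forescout's R4IoT code or anything from its report. It runs simple detection logic over a constructed connection log: an inventoried IP camera sweeping IT hosts for RDP and then making repeated connections to one of them, as in the chain the researchers describe, is flagged, and the same flows are checked against a class-based segmentation allowlist that only lets the camera talk to its video recorder. The asset inventory, log format, thresholds and policy are all assumptions made for the illustration.

```python
"""Added example for this article, not Forescout's R4IoT code. It flags an IoT
device behaving as the camera does in the described chain (scanning IT hosts for
RDP, then hammering one with a dictionary attack) in a constructed connection
log, and checks the same flows against a class-based segmentation allowlist.
The inventory, log format, thresholds and policy are all assumptions."""
from collections import Counter, defaultdict

# Assumed asset inventory: IP -> (hostname, device class). The article's first
# mitigation step is knowing which devices are on the network and what they are.
INVENTORY = {
    "10.10.20.15": ("axis-cam-lobby", "ip_camera"),
    "10.10.20.2": ("nvr-01", "video_recorder"),
    "10.10.1.50": ("ws-finance-07", "workstation"),
    "10.10.1.51": ("ws-finance-08", "workstation"),
    "10.10.1.10": ("dc-01", "domain_controller"),
}
IOT_CLASSES = {"ip_camera", "video_recorder", "plc", "hmi"}

# IT management services an IoT device has no legitimate reason to reach.
LATERAL_PORTS = {3389: "rdp", 445: "smb", 135: "rpc", 389: "ldap", 22: "ssh"}

# Segmentation allowlist of (src_class, dst_class, dport); anything else is denied.
# A camera may only stream to the recorder; workstations keep their AD paths.
SEGMENTATION_POLICY = {
    ("ip_camera", "video_recorder", 554),
    ("workstation", "domain_controller", 445),
    ("workstation", "domain_controller", 389),
    ("workstation", "workstation", 3389),
}

# Constructed connection log, one "timestamp src dst dport" record per line.
SAMPLE_LOG = "\n".join(
    [
        "2022-06-01T09:00:01 10.10.20.15 10.10.20.2 554",   # camera -> NVR: normal
        "2022-06-01T09:00:02 10.10.1.50 10.10.1.10 445",    # workstation -> DC: normal
        "2022-06-01T09:01:00 10.10.20.15 10.10.1.50 3389",  # camera sweeps IT hosts for RDP
        "2022-06-01T09:01:00 10.10.20.15 10.10.1.51 3389",
        "2022-06-01T09:01:00 10.10.20.15 10.10.1.10 3389",
        "2022-06-01T09:01:01 10.10.20.15 10.10.1.50 445",
    ]
    # 25 rapid connections to one RDP host: the dictionary attack.
    + [f"2022-06-01T09:02:{i:02d} 10.10.20.15 10.10.1.50 3389" for i in range(25)]
)


def parse_log(text):
    """Turn the log text into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((ts, src, dst, int(dport)))
    return flows


def device_class(ip):
    """Look the source or destination up in the inventory; unknown if absent."""
    return INVENTORY.get(ip, ("unknown", "unknown"))[1]


def detect_iot_lateral_movement(flows, scan_hosts=3, bruteforce_attempts=20):
    """Return findings for IoT sources touching IT management ports."""
    targets = defaultdict(set)   # src -> {(dst, dport)}
    attempts = Counter()         # (src, dst, dport) -> connection count
    for _, src, dst, dport in flows:
        if device_class(src) in IOT_CLASSES and dport in LATERAL_PORTS:
            targets[src].add((dst, dport))
            attempts[(src, dst, dport)] += 1
    findings = []
    for src, pairs in targets.items():
        hosts = sorted({dst for dst, _ in pairs})
        if len(hosts) >= scan_hosts:          # one IoT device touching many IT hosts
            findings.append({"type": "scan", "src": src, "hosts": hosts})
    for (src, dst, dport), n in attempts.items():
        if n >= bruteforce_attempts:          # repeated logins to one management port
            findings.append({"type": "bruteforce", "src": src, "dst": dst,
                             "service": LATERAL_PORTS[dport], "attempts": n})
    return findings


def policy_allows(src, dst, dport):
    """Would the class-based segmentation allowlist permit this flow?"""
    return (device_class(src), device_class(dst), dport) in SEGMENTATION_POLICY


def simulate_policy(flows):
    """Count flows the allowlist would permit versus drop."""
    verdicts = Counter(policy_allows(src, dst, dport) for _, src, dst, dport in flows)
    return {"allowed": verdicts[True], "denied": verdicts[False]}


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for finding in detect_iot_lateral_movement(flows):
        print(finding)
    print(simulate_policy(flows))
```

The two halves reinforce each other: the detection only works because the inventory says which source is a camera, and the policy only works because it is written in terms of device classes rather than individual addresses, so a newly installed camera inherits the same restrictions. On the sample log the camera's RTSP stream and the workstation's domain traffic pass, while every flow in the RDP sweep and dictionary attack is denied.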

"Pay attention to the whole ecosystem," he said. "And then by type of device you can define what you actually need to do as an organization." ®


Biting the hand that feeds IT © 1998–2022