In an August 5th post titled “Corporate IoT: A Path to Intrusion,” Microsoft’s Security Response Center outlines a major and under-reported source of vulnerability in corporate networks: the IoT.
The short of it is that earlier this year MSRC stumbled upon suspicious activity it has since attributed to an actor Microsoft tracks as STRONTIUM, better known to the public as “Fancy Bear” or APT28, a known Russian hacking group. What MSRC discovered was that the group was exploiting IoT devices on the edges of targeted networks as points of ingress. Specifically, the devices that first drew its attention to the problem were a VoIP phone, a printer, and a video decoder.
The process by which the group managed to do this was simple enough:
“Once the actor had successfully established access to the network,” the post explains, “a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data. After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.”
But how did STRONTIUM hackers gain access to the IoT devices in the first place, I hear you ask? Simple: Two still operated behind their factory-default passwords, and the third was still running an old firmware version (with a known vulnerability).
Although MSRC doesn’t know exactly what STRONTIUM was after, the article points to a broad operation that extends far beyond those three devices. In the past year alone, Microsoft reports having delivered nearly 1400 nation-state notifications to targets of the group. 1 in 5 were NGOs, think tanks, and political organizations, but 4 in 5 were government (including military/defense), IT, healthcare, engineering, and education entities. Oddly enough, MSRC also reports having discovered attacks on “Olympic organizing committees, anti-doping agencies, and the hospitality industry.”
Furthermore, Ars Technica reports that the problem may be much worse than has generally been reported by the mainstream press:
“Last year, the FBI concluded the hacking group was behind the infection of more than 500,000 consumer-grade routers in 54 countries. Dubbed VPNFilter, the malware was a Swiss Army hacking knife of sorts. Advanced capabilities included the ability to monitor, log, or modify traffic passing between network end points and websites or industrial control systems using Modbus serial communications protocol. The FBI, with assistance from Cisco’s Talos security group, ultimately neutralized VPNFilter.”
This leads us to conclude that IT departments and device operators require more training and diligence to mitigate this growing vulnerability. MSRC kindly offers the following to-do list (pay particular attention to #4 and #8):
1. Require approval and cataloging of any IoT devices running in your corporate environment.
2. Develop a custom security policy for each IoT device.
3. Avoid exposing IoT devices directly to the internet, or create custom access controls to limit exposure.
4. Use a separate network for IoT devices if feasible.
5. Conduct routine configuration/patch audits against deployed IoT devices.
6. Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic, and capture of device images for forensic investigation.
7. Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.
8. Monitor IoT device activity for abnormal behavior (e.g. a printer browsing SharePoint sites…).
9. Audit any identities and credentials that have authorized access to IoT devices, users and processes.
10. Centralize asset/configuration/patch management if feasible.
11. If your devices are deployed/managed by a third party, include explicit terms in your contracts detailing security practices to be followed and audits that report security status and health of all managed devices.
12. Where possible, define SLA terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their product.
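Items 1, 4 and 8 of that list (a device catalogue, a network boundary the devices should stay inside, and monitoring for abnormal behavior) can be turned into a simple check over connection logs that would have surfaced the behavior MSRC describes: a printer browsing SharePoint, a device calling out to an external server, and a device sweeping an internal subnet. The following is an added example, not code from MSRC or Futurum; the inventory, the log format, the addresses and the scan threshold are all constructed assumptions.

```python
"""Spot abnormal IoT-device traffic in connection logs (added example).

Encodes items 1, 4 and 8 of the MSRC list: a catalogue of IoT devices with
the peers each class is expected to talk to, a corporate address range the
devices should never leave, and a fan-out threshold for internal scanning.
Inventory, log format and threshold are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset catalogue: device address -> class (assumption)
INVENTORY = {"10.20.0.11": "printer", "10.20.0.12": "voip-phone",
             "10.20.0.13": "video-decoder"}
# Expected internal peers per class: print server, PBX, media source (assumption)
EXPECTED = {"printer": {"10.1.5.20"}, "voip-phone": {"10.1.7.10"},
            "video-decoder": {"10.1.9.30"}}
CORP_NET = ip_network("10.0.0.0/8")   # anything outside is a candidate C2 contact
SCAN_THRESHOLD = 20                    # distinct unexpected internal hosts

# Constructed log lines: "src dst dport host" (host is '-' when unresolved)
SAMPLE_LOG = [
    "10.20.0.11 10.1.5.20 9100 -",                       # printer -> print server
    "10.20.0.11 10.1.3.40 443 sharepoint.corp.example",  # printer browsing SharePoint
    "10.20.0.12 10.1.7.10 5060 -",                       # phone -> PBX
    "10.20.0.12 203.0.113.7 443 -",                      # phone -> external host
    "10.30.0.5 203.0.113.7 443 -",                       # workstation, not catalogued
] + [f"10.20.0.13 10.1.0.{i} 22 -" for i in range(1, 26)]  # decoder sweeping a subnet

def analyse(lines):
    """Per catalogued device: external peers, unexpected internal peers,
    and whether the unexpected fan-out looks like a network scan."""
    found = defaultdict(lambda: {"external": set(), "unexpected": set(), "scan": False})
    for line in lines:
        src, dst, dport, host = line.split()
        cls = INVENTORY.get(src)
        if cls is None:
            continue                       # only catalogued IoT devices are in scope
        if ip_address(dst) not in CORP_NET:
            found[src]["external"].add(f"{dst}:{dport}")
        elif dst not in EXPECTED[cls]:
            found[src]["unexpected"].add((dst, host))   # lateral movement or browsing
    for f in found.values():
        f["scan"] = len({d for d, _ in f["unexpected"]}) >= SCAN_THRESHOLD
    return dict(found)

if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG).items():
        print(src, INVENTORY[src], f)
```

Devices that only talk to their expected peers produce no entry, so the output is exactly the set of devices worth a closer look.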
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.