Forescout researchers have demonstrated how ransomware could spread through an enterprise from vulnerable Internet-of-Things gear.
The security firm’s Vedere Labs team said it developed a proof-of-concept strain of this type of next-generation malware, which they called R4IoT. After gaining initial access via IoT devices, the malware moves laterally through the IT network, deploying ransomware and cryptocurrency miners while also exfiltrating data, before taking advantage of operational technology (OT) systems to potentially physically disrupt critical business operations, such as pipelines or manufacturing equipment.
In other words: a complete albeit theoretical corporate nightmare.
“It basically comes out of our observation of the evolving nature of the threat actors that are involved in ransomware — they have been changing tactics in the past couple of years,” said Daniel dos Santos, head of security research at Forescout’s Vedere Labs.
Intruders aren’t just encrypting data and demanding a ransom payment to decrypt corporate systems, he told The Register. Instead, miscreants are also stealing sensitive information, publicly leaking some or all of it, and then also launching DDoS attacks on businesses if they don’t pay up.
These types of increasingly destructive attacks, combined with the growing number of internet-connected devices led the researchers to consider: what if ransomware exploited IoT gear to get into a corporate network. Usually, organizations are infected by someone opening a booby-trapped email, intruders using stolen or phished login credentials, or a public-facing server is exploited. R4IoT specifically targets IoT equipment.
The good news is that this is only conceptual malware, developed in a lab to show how criminals could combine the worlds of IT, OT, and IoT to spread ransomware. We’re told this wouldn’t be too hard to do in the real world, provided one is able to identify and exploit IoT vulnerabilities in a victim’s environment.
“None of the exploits are difficult, per se,” dos Santos said. “We, of course, did it in a lab where we controlled all the variables. If you’re doing that for real … [it’s] definitely doable and doesn’t require a high level of sophistication.”
Finding the connection point between the IT and OT network may require some persistence, he added. But that also speaks to the evolving nature of ransomware and the commoditization of exploits, according to dos Santos.
“You have these ransomware-as-a-service gangs, for instance, that develop very complex pieces of software, very complex malware, and distribute that to affiliates who then just deploy that at specific targets,” he said. “The idea here could be the same: somebody develops a complex malware, and then somebody else who has lower skills is responsible for deploying that.”
In fact, Vedere Labs has seen “bits and pieces” of code like its proof-of-concept exploited in the wild, he added.
How far in the future is this?
One of the exploit examples in the PoC targets a network-attached storage device as an initial entry point. This came from a real-world botnet called BotenaGo that sports more than 30 exploits for several types of IoT devices that was active late last year. Additionally, the Snake ransomware started raising concerns for industrial control systems’ operators in early 2020.
“But putting it all together — I don’t think that will take a very long time,” dos Santos said. “One of the main variables is also that the attackers go for the lowest hanging fruit. And so far, it’s still easier to pull off attacks with phishing or valid credentials.”
As the number of IoT devices increases, enterprises’ attack surface grows, and ransomware gangs that only focus on IT equipment are missing out of a massive number of potential points of entry. Right now, IoT and OT represent 44 percent of the total devices in enterprise networks, according to Forescout.
The tipping point for criminals to start targeting these devices for ransomware attacks, “will probably be when the IT and OT devices surpass 50 percent,” dos Santos said. “And that is really soon. That is a matter of one to two years.”
R4IoT’s path from IoT to IT and OT
Here’s how the attack works. First, a miscreant uses a vulnerable Axis network-connected camera as the entry point. The researchers chose Axis because it and Hikvision account for 77 percent of the IP cameras used across Forescout’s 1,400 global customers. Axis cameras alone made up 39 percent of those observed.
“This means that weaponizing IP camera exploits as a reusable point of entry to many organizations (exactly what initial access brokers do) is feasible,” dos Santos wrote in a report due to go live today.
The Axis camera in the lab has three critical vulnerabilities, and the attacker exploits those to gain remote command execution and take over the device.
The criminal then performs a series of actions to change the root directory from read-only to read-and-write mode, which allows larger files to be uploaded and stored, creates a new user with root privileges to maintain control over the camera, and scans the network for a connected Windows machine with remote desktop services (RDP).
After finding the Windows machine, the miscreant obtains RDP credentials using a dictionary attack against accounts with high privileges, and creates an SSH tunnel between the attacker’s computer and the RDP box. This provides the communication channel to send the R4IoT executables and files.
The programs allow lateral movement in the network by attacking domain controllers and also include a command-and-control agent for future malware and data exfiltration, a crypto miner, and an executable that launches DDoS attacks against critical IoT and OT assets.
‘Reality check’ time
This research should provide a “reality check” for enterprises about the interconnectedness between their IT, OT, and IoT networks, and how malware can move between all three of these environments, according to dos Santos.
“Takeaways are regarding mitigation,” he said. “It’s not just the attack is there, everybody run for the hills because it’s terrible. We don’t want to just scare people. It’s really about what you can do about it.”
We don’t want to just scare people. It’s really about what you can do about it
This boils down to the things that organizations can do to mitigate risk. First, identify all of the devices in the network and prioritize vulnerabilities under active exploitation.
“Not just the IT stuff on your corporate network, but everything that surrounds that, whether that’s IoT, OT, medical devices for hospitals, or whatever else you have connected to the network,” dos Santos said.
“And identify means not just knowing that they are connected, but also what software they are running what security policies are attached to them, and then you can build a risk profile for those devices,” he added.
After identifying all of the connected devices, then implement security controls such as network segmentation and multi-factor authentication. Also patch device vulnerabilities whenever possible, and don’t use default or obvious passwords, dos Santos said.
“Pay attention to the whole ecosystem,” he said. “And then by type of device you can define what you actually need to do as an organization.” ®