Forescout researchers have shown how ransomware can spread from vulnerable Internet of Things devices in an organization.
The security firm’s Vedere Labs team said it has developed a proof-of-concept strain of this type of next-generation malware, which it calls R4IoT. After initial access via IoT devices, the malware moves laterally through the IT network, deploying ransomware and cryptocurrency miners while exfiltrating data, before attacking OT (operational technology) systems to potentially disrupt critical business processes such as pipelines, or to physically disrupt manufacturing equipment.
In other words, a complete, albeit theoretical, corporate nightmare.
“It basically stems from our observation of the evolving nature of the threat actors involved in ransomware — they’ve changed tactics in recent years,” said Daniel dos Santos, head of security research at Forescout’s Vedere Labs.
Intruders don’t just encrypt data and demand a ransom payment to decrypt corporate systems, he told The Register. Instead, crooks also steal sensitive information, disclose some or all of it publicly, and then launch DDoS attacks on companies if they don’t pay.
These types of increasingly destructive attacks, combined with the growing number of internet-connected devices, prompted researchers to consider: What if ransomware exploited IoT devices to penetrate a corporate network? Typically, organizations are infected by someone opening a booby-trapped email, intruders using stolen or phished credentials, or exploiting a publicly accessible server. R4IoT specifically targets IoT devices.
The good news is that this is only conceptual malware created in a lab to show how criminals can combine the worlds of IT, OT and IoT to proliferate ransomware. We were told that this wouldn’t be too difficult in the real world, provided one is able to identify and exploit IoT vulnerabilities in a victim’s environment.
“None of the exploits are difficult per se,” said dos Santos. “Of course we did it in a lab where we controlled all the variables. If you really do this… [it’s] definitely doable and doesn’t require a great deal of sophistication.”
Finding the connection point between the IT and OT networks may require some perseverance, he added. But that also speaks to the evolving nature of ransomware and the commercialization of exploits, according to dos Santos.
“You have, for example, these ransomware-as-a-service gangs that develop very complex software and very complex malware and distribute it to partners who then just use it on specific targets,” he said. “The idea here could be the same: someone develops complex malware, and then someone else with lesser skills is responsible for deploying it.”
In fact, Vedere Labs has seen “bits and pieces” of code like its proof-of-concept being exploited in the wild, he added.
How far in the future is that?
One of the exploit samples in the PoC targets a network-attached storage device as the first point of entry. This came from a real botnet called BotenaGo, which contains more than 30 exploits for various types of IoT devices and was active late last year. Additionally, in early 2020, the Snake ransomware started raising concerns among industrial control system operators.
“But putting everything together – I don’t think it’s going to take very long,” said dos Santos. “Also, one of the main variables is that the attackers aim for the lowest hanging fruit. And so far, it’s still easier to launch attacks using phishing or valid credentials.”
As the number of IoT devices grows, the attack surface for businesses grows, and ransomware gangs that only focus on IT devices miss a huge number of potential entry points. According to Forescout, IoT and OT currently account for 44 percent of all devices in enterprise networks.
The tipping point for criminals to target these devices for ransomware attacks “will likely be when IT and OT devices exceed 50 percent,” dos Santos said. “And that’s really soon. That’s a matter of a year or two.”
R4IoT’s journey from IoT to IT and OT
This is how the attack works. First, a rogue uses a vulnerable network-connected Axis camera as an entry point. The researchers chose Axis because it and Hikvision make up 77 percent of the IP cameras used by Forescout’s 1,400 customers worldwide. Axis cameras alone accounted for 39 percent of those observed.
“This means that using IP camera exploits as a reusable entry point is feasible for many organizations (exactly what initial access brokers do),” dos Santos wrote in a report due to go live today.
The Axis camera in the lab has three critical vulnerabilities, and the attacker exploits them to gain remote command execution and take over the device.
The criminal then performs a series of actions: remounting the root filesystem from read-only to read-write mode, which allows larger files to be uploaded and saved; creating a new user with root privileges to keep control of the camera; and scanning the network for a connected Windows machine running Remote Desktop Services (RDP).
After locating the Windows machine, the rogue obtains RDP credentials using a dictionary attack against high-privilege accounts and creates an SSH tunnel between the attacker’s machine and the RDP box. This provides the communication channel to send the R4IoT executables and files.
The programs enable cross-network movement through attacks on domain controllers and also include a command-and-control agent for future malware and data exfiltration, a crypto-miner and an executable that launches DDoS attacks on critical IoT and OT assets.
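The lateral-movement step described above (an IoT device scanning for RDP and then guessing passwords for high-privilege accounts) is also something a defender can watch for. The following is an added example, not Forescout's code, that correlates a constructed asset inventory with constructed, simplified Windows 4625-style logon-failure lines to flag an inventoried IoT device that is failing RDP logons against a server; the log format, IP addresses and hostnames are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (IP -> device type, zone); the values are made up.
INVENTORY = {"10.0.20.15": ("ip-camera", "iot"), "10.0.10.7": ("workstation", "it")}

# Constructed, simplified logon-failure records modelled on Windows event 4625
# (logon_type 10 = RemoteInteractive, i.e. RDP). These are not real logs.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host=SRV01 event=4625 logon_type=10 user=Administrator src=10.0.20.15
2024-05-01T10:00:02 host=SRV01 event=4625 logon_type=10 user=backup_admin src=10.0.20.15
2024-05-01T10:00:04 host=SRV01 event=4625 logon_type=10 user=Administrator src=10.0.20.15
2024-05-01T10:00:05 host=SRV01 event=4625 logon_type=10 user=svc_sql src=10.0.20.15
2024-05-01T10:03:00 host=SRV01 event=4625 logon_type=10 user=alice src=10.0.10.7
2024-05-01T10:03:30 host=SRV01 event=4624 logon_type=10 user=alice src=10.0.10.7
"""

LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
                     r"logon_type=(?P<lt>\d+) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse(text):
    """Yield a dict per well-formed log line; timestamps become datetimes."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def detect_iot_rdp_bruteforce(text, threshold=3, window=timedelta(minutes=5)):
    """Return (src, device_type, host, failures, distinct_users) for each inventoried
    IoT device with >= threshold failed RDP logons against one host inside `window`."""
    failures = defaultdict(list)  # (src, host) -> [(ts, user), ...]
    for ev in parse(text):
        if ev["event"] == "4625" and ev["lt"] == "10":
            failures[(ev["src"], ev["host"])].append((ev["ts"], ev["user"]))
    alerts = []
    for (src, host), evs in failures.items():
        dev_type, zone = INVENTORY.get(src, ("unknown", "unknown"))
        if zone != "iot":
            continue  # IT sources are covered by ordinary brute-force rules
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window over sorted events
            users = [u for t, u in evs[i:] if t - t0 <= window]
            if len(users) >= threshold:
                alerts.append((src, dev_type, host, len(users), len(set(users))))
                break
    return alerts
```

The rule keys on the inventory rather than on volume alone: a camera should never be an RDP client, so even a handful of failures from it is worth an alert, while the single failure from the workstation is left to ordinary brute-force rules.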
Time for the reality check
According to dos Santos, this research should provide companies with a “reality check” on how their IT, OT and IoT networks are interconnected and how malware can move between all three environments.
“Takeaways relate to mitigation,” he said. “It’s not just the attack there, everyone’s running to the mountains because it’s terrible. We don’t just want to scare people. It’s really about what you can do about it.”
This boils down to what organizations can do to mitigate risk. First, identify all devices on the network and prioritize actively exploited vulnerabilities.
“Not just the IT stuff on your corporate network, but everything that surrounds it, whether it’s IoT, OT, medical devices for hospitals, or whatever else you have connected to the network,” dos Santos said.
“And identifying means not only knowing that they’re connected, but also what software they’re running, what security policies are associated with them, and then you can create a risk profile for those devices,” he added.
After identifying all connected devices, implement security controls like network segmentation and multi-factor authentication. Also patch device vulnerabilities whenever possible and don’t use default or obvious passwords, dos Santos said.
“Pay attention to the entire ecosystem,” he said. “And then you can use the device type to define what you actually need to do as an organization.” ®