How APTs Are Achieving Persistence Through IoT, OT, and Network Devices

Most news about Internet of Things (IoT) attacks has focused on botnets and cryptomining malware. However, these devices also offer an ideal foothold for staging more damaging attacks from within a victim’s network, as the method used by UNC3524 shows. Described in a Mandiant report, UNC3524 employs a clever new tactic that exploits the weak security of network, IoT, and operational technology (OT) devices to achieve long-term persistence in the network. This type of advanced persistent threat (APT) activity is likely to increase in the near future, so it is important for companies to understand the risks.

A critical blind spot

Purpose-built IoT and OT devices that are network-connected and do not allow the installation of endpoint security software can be easily compromised and used for a wide range of malicious purposes.

One reason is that these devices are not monitored as closely as traditional IT devices. My company has found that more than 80% of organizations are unable to identify the majority of IoT and OT devices in their networks. There is also confusion about who is responsible for managing them. Is it IT, IT security, network operations, facilities, physical security or a device provider?

Consequently, unmanaged devices regularly have high- and critical-severity vulnerabilities and lack firmware updates, hardening, and certificate validation. My company has analyzed millions of IoT, OT, and networking devices deployed in large organizations, and we found that 70% have vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 8 to 10. Further, we found that 50% use default passwords, and 25% are at the end of their lifespan and are no longer supported.

Compromise and maintenance of persistence on IoT, OT and network devices

Overall, all of these issues play directly into the hands of the attackers. Because network, IoT, and OT devices do not support agent-based security software, attackers can install specially crafted malicious tools, modify accounts, and turn on services on these devices without being detected. They can then maintain persistence because vulnerabilities and credentials are not managed and the firmware is not updated.

Staging of attacks in the victim environment

Due to the low security and visibility of these devices, they are an ideal environment for staging secondary attacks on more valuable targets inside the victim’s network.

To do this, an attacker will first enter the corporate network through traditional approaches such as phishing. Attackers can also gain access by targeting an Internet-facing IoT device such as a VoIP phone, smart printer or camera system or an OT system such as a building access control system. Since most of these devices use default passwords, this type of breach is often trivial to achieve.

Once on the network, the attacker moves laterally and quietly to seek out other vulnerable, unmanaged IoT, OT, and network devices. Once these devices have been compromised, the attacker simply needs to establish a communication tunnel between the compromised device and the attacker’s environment at a remote location. In the case of UNC3524, the attackers used a customized build of Dropbear, which provides a client-server SSH tunnel and is compiled to run on the Linux, Android, or BSD variants common on these devices.

At this point, the attacker can remotely control the victim’s devices to go after IT, cloud, or other IoT, OT, and network device assets. The attacker is likely to use common, expected network communications such as API calls and device management protocols to avoid detection.
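A defender can turn the two previous paragraphs into a concrete detection rule: an IP camera, VoIP phone or access controller has no business initiating an SSH session, least of all a day-long one to an Internet address. The script below is an added example (not code from the article or from Mandiant). It runs over a constructed asset inventory and constructed Zeek-style conn.log records; the inventory, the IPs, the flag for which device classes may initiate SSH, the treatment of RFC 1918 space as internal and the one-hour threshold are all assumptions.

```python
"""Detection example: flag SSH sessions initiated by IoT/OT devices.

Added example, not code from the article or from Mandiant. It runs over
constructed Zeek-style conn.log records and a constructed asset inventory.
Assumptions: the inventory says which device classes are ever expected to
initiate SSH, RFC 1918 space counts as internal, and an SSH session longer
than an hour from such a device is worth escalating.
"""
import ipaddress
from dataclasses import dataclass

# Constructed inventory: internal IP -> (device class, may this device initiate SSH?)
INVENTORY = {
    "10.0.5.21": ("ip-camera", False),
    "10.0.5.40": ("voip-phone", False),
    "10.0.7.10": ("building-access-controller", False),
    "10.0.1.15": ("jump-host", True),
}

# Networks treated as internal (assumption). Documentation ranges such as
# 203.0.113.0/24 stand in for attacker infrastructure in the sample log.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed conn.log lines, tab-separated, in Zeek's field order.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1651500000.1\tC1\t10.0.5.21\t49152\t203.0.113.7\t22\ttcp\tssh\t86399.0\t523110\t98342
1651500001.2\tC2\t10.0.1.15\t50001\t10.0.9.9\t22\ttcp\tssh\t140.0\t2200\t5100
1651500002.3\tC3\t10.0.5.40\t5060\t10.0.2.2\t5060\tudp\tsip\t0.5\t300\t300
1651500003.4\tC4\t10.0.7.10\t51000\t198.51.100.4\t443\ttcp\tssl\t12.0\t900\t4000
1651500004.5\tC5\t10.0.5.21\t49153\t203.0.113.7\t443\ttcp\tssh\t7200.0\t80000\t12000
1651500005.6\tC6\t10.0.5.40\t49200\t10.0.5.21\t22\ttcp\tssh\t30.0\t1500\t2100
"""

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes"]


@dataclass
class Finding:
    uid: str
    src: str
    device_class: str
    dst: str
    dst_port: int
    duration: float
    severity: str
    reasons: list


def parse_conn_log(text):
    """Parse Zeek conn.log text into dicts, skipping '#' metadata lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        rec["duration"] = float(rec["duration"])
        yield rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_iot_ssh(text, inventory=INVENTORY, long_session_s=3600.0):
    """Return findings for SSH sessions initiated by devices that should never initiate SSH.

    SSH is recognised by Zeek's service tag or by destination port 22, so a
    tunnel moved to port 443 (record C5) is still caught via the service tag.
    """
    findings = []
    for rec in parse_conn_log(text):
        entry = inventory.get(rec["orig_h"])
        if entry is None:
            continue                      # unknown source: out of scope for this rule
        device_class, may_initiate_ssh = entry
        if may_initiate_ssh:
            continue
        if rec["service"] != "ssh" and rec["resp_p"] != 22:
            continue
        external = not is_internal(rec["resp_h"])
        long_lived = rec["duration"] >= long_session_s
        reasons = [f"{device_class} initiated SSH to "
                   f"{'external' if external else 'internal'} host"]
        if long_lived:
            reasons.append(f"session lasted {rec['duration']:.0f}s")
        if rec["service"] == "ssh" and rec["resp_p"] != 22:
            reasons.append(f"SSH on non-standard port {rec['resp_p']}")
        severity = "high" if external or long_lived else "medium"
        findings.append(Finding(rec["uid"], rec["orig_h"], device_class,
                                rec["resp_h"], rec["resp_p"], rec["duration"],
                                severity, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_iot_ssh(SAMPLE_CONN_LOG):
        print(f.severity.upper(), f.uid, f.src, "->", f"{f.dst}:{f.dst_port}",
              "; ".join(f.reasons))
```

The rule depends entirely on the inventory: without knowing that 10.0.5.21 is a camera, the first record is just another SSH session. That is the practical point of the article's "blind spot" section, and it is why device-to-device SSH between two IoT devices (record C6) is reported as well, at lower severity.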

Surviving incident response

The same issues that make network, IoT, and OT devices an ideal place to stage secondary attacks also make them well suited for surviving incident response efforts.

For a sophisticated adversary, one of the most important attractions of IoT is that this model significantly complicates incident response and remediation. It is very difficult to fully evict attackers who have established persistence on just one of the hundreds or thousands of vulnerable, unmanaged devices found in most business networks, even if the attacker’s malware and toolkits are completely removed from the company’s IT network, command-and-control channels are cut, software versions are updated to eliminate previously exploited vulnerabilities, and individual endpoints are physically replaced.

How to reduce business risk

The only way for companies to prevent these attacks is to have complete visibility into, access to, and control over their various IoT, OT and network devices.

The good news is that device-level security is easy to achieve. While new vulnerabilities will constantly emerge, most of them can be addressed through password, credential, and firmware management, as well as through basic device hardening. That said, companies with a large number of devices will struggle to secure them manually, so they should consider investing in automated solutions.

The first step companies should take is to build an inventory of all purpose-built devices and identify their vulnerabilities. Next, companies should address the large-scale risks related to weak passwords, outdated firmware, unnecessary services, expired certificates, and high-to-critical vulnerabilities. Finally, organizations need to continuously monitor these devices for operational drift to ensure that what has been hardened stays hardened.
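The three steps above (inventory and assess, remediate by risk, then watch for drift) are easy to describe and tedious to do by hand, which is the article's argument for automation. The script below is an added example, not the article's or any vendor's code, showing what the automated core looks like: it scores a constructed device inventory against the checks the article lists (default passwords, outdated firmware, unnecessary services, expired certificates, end-of-life status, CVSS 8 to 10 vulnerabilities) and then diffs two snapshots so that the changes an attacker makes on a compromised device, such as switching a service on, are surfaced instead of staying invisible. The record format, the check weights, the list of services considered unnecessary and the reference date are all assumptions.

```python
"""Hygiene scoring and drift detection for an IoT/OT/network device inventory.

Added example, not the article's or any vendor's code. The inventory format,
the check weights and the device records are constructed for illustration;
the checks follow the article's list of large-scale risks. detect_drift()
compares two snapshots so that a service switched on, or a password reset to
its default after remediation, is reported rather than silently accepted.
"""
from datetime import date

TODAY = date(2022, 6, 1)   # constructed reference date for the checks

# Services assumed unnecessary on the device classes in this inventory.
UNNECESSARY_SERVICES = {"telnet", "ftp", "ssh", "snmp-v1"}

# Constructed baseline snapshot of the inventory.
BASELINE = [
    {"id": "cam-01", "type": "ip-camera", "default_password": True,
     "firmware": "2.1.0", "latest_firmware": "2.4.1", "eol": date(2020, 6, 30),
     "cert_expiry": date(2021, 1, 1), "services": {"https", "rtsp"}, "max_cvss": 9.8},
    {"id": "phone-12", "type": "voip-phone", "default_password": False,
     "firmware": "5.0.3", "latest_firmware": "5.0.3", "eol": date(2027, 1, 1),
     "cert_expiry": date(2026, 3, 1), "services": {"sip", "https"}, "max_cvss": 5.3},
    {"id": "acs-03", "type": "access-controller", "default_password": False,
     "firmware": "1.8", "latest_firmware": "1.9", "eol": date(2026, 1, 1),
     "cert_expiry": date(2025, 12, 1), "services": {"https"}, "max_cvss": 8.1},
]

# Constructed later snapshot: cam-01 was patched, but SSH was enabled on it;
# acs-03 fell back to its default password.
CURRENT = [
    {**BASELINE[0], "firmware": "2.4.1", "services": {"https", "rtsp", "ssh"}},
    BASELINE[1],
    {**BASELINE[2], "default_password": True},
]


def assess_device(dev, today=TODAY):
    """Return (weight, description) pairs for each failed check on one device."""
    findings = []
    if dev["default_password"]:
        findings.append((10, "default password in use"))
    if dev["eol"] < today:
        findings.append((8, f"end of life since {dev['eol']}, no vendor support"))
    if dev["max_cvss"] >= 8.0:
        findings.append((7, f"known vulnerability with CVSS {dev['max_cvss']}"))
    if dev["firmware"] != dev["latest_firmware"]:
        findings.append((6, f"firmware {dev['firmware']} behind {dev['latest_firmware']}"))
    extra = sorted(dev["services"] & UNNECESSARY_SERVICES)
    if extra:
        findings.append((5, f"unnecessary services enabled: {', '.join(extra)}"))
    if dev["cert_expiry"] < today:
        findings.append((4, f"certificate expired {dev['cert_expiry']}"))
    return findings


def risk_score(dev, today=TODAY):
    return sum(w for w, _ in assess_device(dev, today))


def prioritize(inventory, today=TODAY):
    """Rank devices by score so remediation starts with the worst offenders."""
    ranked = [(dev["id"], risk_score(dev, today),
               [desc for _, desc in assess_device(dev, today)]) for dev in inventory]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def detect_drift(baseline, current):
    """List changes between snapshots that undo hardening or add attack surface."""
    before = {d["id"]: d for d in baseline}
    after = {d["id"]: d for d in current}
    changes = []
    for dev_id in sorted(set(before) | set(after)):
        b, a = before.get(dev_id), after.get(dev_id)
        if b is None:
            changes.append((dev_id, "new device appeared"))
            continue
        if a is None:
            changes.append((dev_id, "device disappeared"))
            continue
        enabled = sorted(a["services"] - b["services"])
        if enabled:
            changes.append((dev_id, f"services enabled: {', '.join(enabled)}"))
        if a["firmware"] != b["firmware"]:
            changes.append((dev_id, f"firmware changed {b['firmware']} -> {a['firmware']}"))
        if a["default_password"] and not b["default_password"]:
            changes.append((dev_id, "credentials reverted to default"))
    return changes


if __name__ == "__main__":
    for dev_id, score, reasons in prioritize(BASELINE):
        print(f"{dev_id:10} score={score:3} " + "; ".join(reasons))
    for dev_id, change in detect_drift(BASELINE, CURRENT):
        print("DRIFT", dev_id, change)
```

Scoring on its own only covers the first two steps; the drift diff is what gives the third step teeth. A firmware update shows up as a change too, deliberately: a version jump nobody scheduled deserves the same question as a service nobody enabled.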

These are the same basic steps that companies follow for traditional IT assets. It’s time to show the same level of care towards IoT, OT and network devices.

