The Russian hacking group known for stealing sensitive emails from the Democratic National Committee during the 2016 presidential election season has been cracking into printers, phones and video decoders to gain access to corporate networks, the Microsoft Security Response Center Team reported on Monday.
The group, known by a number of names including “Strontium,” “Fancy Bear” and “APT 28,” accessed the devices by using the manufacturer’s default password or exploiting an unpatched flaw, Microsoft discovered.
After cracking a device, the intruders used it to reach the corporate network and scanned for more insecure devices, moving across the network and compromising high-privilege accounts with access to high-value data.
As the intruders moved from one device to another, they dropped a simple shell script to establish persistence on the network, allowing extended access for continued hunting, Microsoft noted.
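The lateral movement described above, a compromised device fanning out to other hosts on the internal network, is something defenders can look for in connection logs. The following is an added example, not part of Microsoft's report or this article: it assumes a constructed asset inventory of IoT devices and constructed connection-log lines, and flags any inventoried device that contacts an unusual number of distinct internal hosts.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory of IoT devices (hypothetical addresses, not from the article).
IOT_DEVICES = {"10.0.5.20": "printer", "10.0.5.21": "voip-phone", "10.0.5.22": "video-decoder"}
INTERNAL = ip_network("10.0.0.0/8")
SCAN_FANOUT = 8  # distinct internal hosts a device may contact before it is flagged

# Constructed connection log: "<timestamp> <src-ip> <dst-ip> <dst-port>".
# The printer sweeps ten neighbours; the phone talks to two call servers;
# the decoder reaches an external host; the last line is not an IoT device.
SAMPLE_LOG = """
2019-08-05T09:00:01 10.0.5.20 10.0.5.1 80
2019-08-05T09:00:02 10.0.5.20 10.0.5.2 80
2019-08-05T09:00:03 10.0.5.20 10.0.5.3 23
2019-08-05T09:00:04 10.0.5.20 10.0.5.4 23
2019-08-05T09:00:05 10.0.5.20 10.0.5.5 445
2019-08-05T09:00:06 10.0.5.20 10.0.5.6 445
2019-08-05T09:00:07 10.0.5.20 10.0.5.7 22
2019-08-05T09:00:08 10.0.5.20 10.0.5.8 22
2019-08-05T09:00:09 10.0.5.20 10.0.5.9 8080
2019-08-05T09:00:10 10.0.5.20 10.0.5.10 8080
2019-08-05T09:00:11 10.0.5.21 10.0.1.50 5060
2019-08-05T09:00:12 10.0.5.21 10.0.1.51 5060
2019-08-05T09:00:13 10.0.5.22 198.51.100.7 443
2019-08-05T09:00:14 10.0.9.9 10.0.5.3 445
malformed line that should be skipped
"""

def parse_line(line):
    """Return (src, dst) for a well-formed log line, else None."""
    fields = line.split()
    if len(fields) != 4:
        return None
    try:
        ip_address(fields[1]); ip_address(fields[2])
    except ValueError:
        return None
    return fields[1], fields[2]

def find_scanning_iot(log_text, inventory=IOT_DEVICES, threshold=SCAN_FANOUT):
    """Map each inventoried IoT device to the distinct internal hosts it contacted,
    keeping only devices whose fan-out reaches the threshold."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        if src in inventory and src != dst and ip_address(dst) in INTERNAL:
            fanout[src].add(dst)
    return {src: sorted(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}
```

Run against `SAMPLE_LOG`, only the printer is flagged; lowering the threshold to 2 also flags the phone, which is why the threshold should be tuned per device class from a baseline of normal traffic.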
What were the hackers seeking?
“Since we identified these attacks in the early stages, we have not been able to conclusively determine what Strontium’s ultimate objectives were in these intrusions,” the MSRC Team’s report states.
“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives,” it continues. “These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments.”
IoT Is Not a Toy
The hackers in the Microsoft case launched an attack against a loosely guarded device — something with a default or easy-to-guess password susceptible to a dictionary attack, explained Dean Weber, CTO of Mocana, a San Francisco maker of an IoT security platform.
In the consumer realm, such an attack wouldn’t have a lot of value by itself, since the device would be connected to a home network, “but if you’re talking about a device with access to the ICS-SCADA world, that’s a problem. Now you have access to the command and control structure for an industrial platform.”
“People think these devices are toys, which in essence they are, but if they enable an attacker to launch into a network and create havoc, then that toy can give them a lot of access,” Weber said.
The seriousness of the kind of attack described by Microsoft varies depending on the preparedness of an organization, observed Spencer Lichtenstein, senior director of technology at Onyx, a cyber and physical security advisory firm in Newport Beach, California.
“Corporations with up-to-date asset inventories can account for IoT devices much easier and therefore have an easier time securing them.”
“Understanding what you have as a company is the key to securing an item,” Lichtenstein continued. “This threat is more serious the less you understand about your IoT footprint, and the less control you have over your corporate network.”
IoT product flaws that invite hacker exploitation appear to be a growing problem.
IoT bug reports increased 384 percent in 2018 over the previous year, reported David Baker, CSO at Bugcrowd, a crowdsourcing security company based in San Francisco.
“With the sheer number and types of the devices being networked, you have the potential of a huge vulnerable attack surface.”
“There are IoT devices connected in our homes, at our work, everywhere,” Baker continued. “Combine that large vulnerable attack surface with common user misconfiguration errors, and cybercriminals can often make easy work of exploiting IoT devices.”
An IoT device can be attractive to a hacker because the devices often are invisible on the network and not maintained, noted Craig Williams, director for outreach at Cisco Talos, the threat intelligence unit of Cisco Systems, based in San Jose, California.
“If an attacker can compromise an unmaintained IoT device, it can effectively function as a door that an attacker can use to access the network for the foreseeable future.”
Security can be expensive, so the developers of many IoT devices failed to give much thought to security, said Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management.
“They were created to provide and process information at the lowest possible cost.”
Paying Attention to Security
While some device makers have made strides in security by deploying features like automatic patching, most of the time the devices are designed as cheaply as possible, according to Williams.
“Unfortunately, if you buy a device where price was the primary concern, it is unlikely there is a team of software engineers behind it to design future firmware updates to protect against security issues,” he said.
IoT device makers frequently take shortcuts when designing their wares, observed Phil Neray, vice president of industrial cybersecurity at CyberX, a critical infrastructure and industrial cybersecurity firm based in Boston.
“Often what they’re doing is grabbing a few open source libraries and sticking them into their product.” “They’re not checking to see if those libraries have vulnerabilities and could be vulnerable to attacks. And they’re certainly not keeping them updated over time as patches are released for those libraries.”
Device makers are more conscious about the need for better security controls, but progress on actual improvements is hard to measure, Onyx’s Lichtenstein noted. “Many enterprise-level IoT devices — thermostats for buildings and ICS systems — are making progress and attracting investments, but relatively few ‘smart things’ like light bulbs or fridges have made any significant strides.”
On the government front, there has been some noticeable progress. The National Institute of Standards and Technology recently published a “core baseline” for IoT devices. It includes six security features buyers should look for when purchasing an IoT gadget: device identification, device configuration, data protection, logical access to interfaces, software and firmware updates, and cybersecurity event logging.
Still, the lack of security progress can be frustrating to practitioners, suggested Chris Morales, head of security analytics at Vectra, a San Jose, California-based provider of automated threat management solutions.
Vectra researchers detailed the exploitation of webcams as backdoors into the networks they are connected to in a report released in 2016. “Yet, we are still hearing about the exact same problems. Nothing has changed and little has improved in IoT security.”