How APTs are achieving persistence across network, IoT and OT devices

Most Internet of Things (IoT) attack news has focused on botnets and crypto-mining malware. However, these devices also offer an ideal target for staging more damaging attacks from within the victim’s network, as the methodology used by UNC3524 shows. Described in a client report, UNC3524 employs a clever new tactic that exploits the insecurity of network, IoT, and operational technology (OT) devices to achieve long-term persistence within a network. This type of Advanced Persistent Threat (APT) activity is likely to increase in the near future, so it is important for companies to understand the risks.

A critical blind spot

Purpose-built IoT and OT devices that are connected to the network but cannot run endpoint security software can be easily compromised and used for a wide variety of malicious purposes.

One reason is that these devices are not monitored as closely as traditional IT devices. My company found that more than 80% of organizations are unable to identify the majority of IoT and OT devices on their networks. There is also confusion about who is responsible for managing them: is it IT, IT security, network operations, facilities, physical security, or the appliance vendor?

As a result, unmanaged devices often have high and critical vulnerabilities and lack firmware updates, hardening, and certificate validation. My company has analyzed millions of IoT, OT, and network devices deployed in large organizations, and we have found that 70% have vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 8 to 10, that 50% use default passwords, and that 25% are end of life and no longer supported.

Compromise and maintain persistence across IoT, OT, and network devices

Taken together, all of these problems fall directly into the hands of attackers. Because network, IoT, and OT devices are not compatible with agent-based security software, attackers can install specially compiled malicious tools, modify accounts, and activate services within these devices without being detected. They can then maintain persistence because the vulnerabilities and credentials are not managed and the firmware is not updated.

Staging of attacks within the victim’s environment

Due to the low security and visibility of these devices, they are an ideal environment to perform secondary attacks on more valuable targets within the victim’s network.

To do this, an attacker will first enter the company network through traditional approaches such as phishing. Attackers can also gain access by targeting an Internet-facing IoT device, such as a VoIP phone, smart printer, or camera system, or an OT system, such as a building access control system. Since most of these devices use default passwords, this type of breach is usually trivial to pull off.

Once on the network, the attacker will move laterally and stealthily to seek out other vulnerable and unmanaged IoT, OT, and network devices. Once those devices have been compromised, the attacker only needs to establish a communication tunnel between the compromised device and the attacker’s environment at a remote location. In the case of UNC3524, the attackers used a specialized version of Dropbear, which provides a client-server SSH tunnel and is compiled to operate on the Linux, Android, or BSD variants that are common on those devices.

At this point, the attacker can remotely control victim devices to go after IT, cloud, or other network, IoT, and OT device assets. The attacker is likely to use normal and expected network communication, such as API calls and device management protocols, to avoid detection.
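The staging pattern described above leaves a network-level footprint a defender can look for: a purpose-built device in the IoT/OT segment holding an SSH or unusually long-lived session to a host outside the organization. The following is an added example, not code from the original article or from the UNC3524 report; the device segment 10.20.0.0/16, the RFC 1918 internal ranges, the one-hour threshold, the flow record format and the sample flows are all assumptions constructed for the demonstration.

```python
"""Flag outbound, long-lived sessions from the IoT/OT segment to external hosts (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Assumptions: unmanaged devices live in 10.20.0.0/16; anything outside RFC 1918 space is external.
DEVICE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LONG_SESSION_SECONDS = 3600  # a reverse tunnel stays up for hours; normal device check-ins are short

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    seconds: int
    bytes_out: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: src,dst,dst_port,duration_seconds,bytes_out."""
    src, dst, port, secs, nbytes = line.strip().split(",")
    return Flow(src, dst, int(port), int(secs), int(nbytes))

def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def suspicious_tunnels(lines) -> list:
    """Return flows where a device in the IoT/OT segment holds an SSH or long-lived session to an external host."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if not in_any(f.src, DEVICE_NETS) or in_any(f.dst, INTERNAL_NETS):
            continue  # only device-originated traffic leaving the organisation is of interest
        if f.dst_port == 22 or f.seconds >= LONG_SESSION_SECONDS:
            hits.append(f)
    return hits

# Constructed flow records (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the Internet).
SAMPLE_FLOWS = [
    "10.20.3.14,203.0.113.9,22,7200,184320",      # camera holding a two-hour SSH session outbound
    "10.20.7.2,10.10.0.5,443,3,2048",              # printer talking to an internal management server
    "10.20.9.8,198.51.100.4,8443,30,4096",         # brief external check-in, e.g. a firmware update
    "10.20.9.8,198.51.100.4,8443,86400,9000000",   # same device, a day-long external session
    "10.10.0.5,203.0.113.9,22,7200,1000",          # SSH from the IT segment, outside this check's scope
]

if __name__ == "__main__":
    for f in suspicious_tunnels(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dst_port} held for {f.seconds}s, {f.bytes_out} bytes out")
```

In practice the same check runs over exported NetFlow or firewall session logs, and the port test should be widened to whatever management and remote-access protocols the device class has no business initiating outbound.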

Surviving incident response

The same issues that make network, IoT, and OT devices an ideal place to stage secondary attacks also make them well suited to surviving incident response efforts.

One of the main value propositions of IoT, in particular, for sophisticated adversaries is that the model significantly complicates incident response and remediation. Even if the attacker’s malware and toolsets are removed completely from the enterprise IT network, command and control channels are disrupted, software versions are updated to remove previously exploitable vulnerabilities, and individual endpoints are physically replaced, it is very difficult to take down attackers entirely once they have established persistence on just one of the hundreds or thousands of vulnerable, unmanaged devices that reside on most commercial networks.

How to reduce corporate risk

The only way companies can prevent these attacks is to have complete visibility, access, and management of their disparate network, IoT, and OT devices.

The good news is that device-level security is easy to achieve. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, credential, and firmware management, as well as basic device hardening. That said, businesses with a large number of devices will struggle to protect them manually, so they should consider investing in automated solutions.

The first step companies need to take is to create an inventory of all purpose-built devices and identify the vulnerabilities. Next, companies must remediate risks at scale related to weak passwords, outdated firmware, strange services, expired certificates, and high-to-critical vulnerabilities. Finally, organizations must continually monitor these devices for environmental changes to ensure that what is fixed remains fixed.
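The three steps above (inventory, remediate at scale, keep monitoring so that what is fixed stays fixed) can be expressed as a small inventory-driven check. The following is an added example, not code from the original article or any product; the inventory record keys, the expected-service table per device class and the two snapshot data sets are constructed assumptions, and the CVSS threshold of 8 follows the high-to-critical band cited earlier on the page.

```python
"""Inventory-driven risk checks for purpose-built devices, plus drift between two snapshots (constructed example)."""
from datetime import date

# Assumption: services each device class is expected to expose; anything else counts as a strange service.
EXPECTED_SERVICES = {"camera": {"rtsp", "https"}, "printer": {"ipp", "https"}, "plc": {"modbus"}}
HIGH_CVSS = 8.0  # the page's high-to-critical band is CVSS 8 to 10

def assess(device: dict, today: date) -> list:
    """Return remediation findings for one inventory record (a constructed dict, keys assumed)."""
    findings = []
    if device["default_pw"]:
        findings.append("default-password")
    if device["eol"]:
        findings.append("end-of-life")
    if device["cert_expiry"] < today:
        findings.append("expired-certificate")
    if device["cvss"] >= HIGH_CVSS:
        findings.append("high-critical-vulnerability")
    for svc in sorted(set(device["services"]) - EXPECTED_SERVICES.get(device["type"], set())):
        findings.append(f"strange-service:{svc}")
    return findings

def assess_all(inventory: list, today: date) -> dict:
    return {d["id"]: assess(d, today) for d in inventory}

def drift(baseline: dict, current: dict) -> dict:
    """Findings present now but not in the baseline (fixes that did not stay fixed) and devices not inventoried before."""
    changes = {}
    for dev_id, now in current.items():
        if dev_id not in baseline:
            changes[dev_id] = ["new-device"] + sorted(now)
            continue
        regressed = sorted(set(now) - set(baseline[dev_id]))
        if regressed:
            changes[dev_id] = regressed
    return changes

# Constructed snapshots: the state right after remediation, and a later re-scan of the same network.
TODAY = date(2024, 6, 1)
AFTER_FIX = [
    {"id": "cam-01", "type": "camera", "default_pw": False, "eol": False, "cert_expiry": date(2025, 1, 1), "cvss": 5.3, "services": ["rtsp", "https"]},
    {"id": "prn-07", "type": "printer", "default_pw": False, "eol": True, "cert_expiry": date(2024, 9, 1), "cvss": 9.8, "services": ["ipp", "https"]},
]
RESCAN = [
    {"id": "cam-01", "type": "camera", "default_pw": True, "eol": False, "cert_expiry": date(2025, 1, 1), "cvss": 5.3, "services": ["rtsp", "https", "ssh"]},
    {"id": "prn-07", "type": "printer", "default_pw": False, "eol": True, "cert_expiry": date(2024, 9, 1), "cvss": 9.8, "services": ["ipp", "https"]},
    {"id": "plc-02", "type": "plc", "default_pw": True, "eol": False, "cert_expiry": date(2024, 1, 1), "cvss": 7.5, "services": ["modbus"]},
]
```

Running `drift(assess_all(AFTER_FIX, TODAY), assess_all(RESCAN, TODAY))` reports the camera whose default password came back and which now exposes SSH, and a PLC that was never in the inventory; the end-of-life printer is unchanged and so is not flagged as drift, though it still appears in the per-snapshot findings.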

These are the same basic steps companies follow for traditional IT assets. It’s time to show the same level of attention to network, IoT, and OT devices.
