2022 Threat Roundup: The Emergence of Mixed IT/IoT Threats
Rapid digitisation means that organisations are now more connected than ever. Most organisations now host a combination of interconnected IT, OT, IoT and sometimes IoMT devices in their networks, which has increased their attack surface. Forescout’s data shows that around 24% of connected devices in every organisation are no longer traditional IT. The growing number and diversity of connected devices in every industry presents new challenges for organisations in understanding and managing their risk exposure. In brief, we have entered the era of mixed IT/IoT threats, with cyberattacks growing in intensity, sophistication, and frequency.
The adoption of new connected devices in 2023 is likely to pose even greater challenges for cybersecurity professionals across the globe. To help organisations of all sizes prepare, Forescout’s Vedere Labs has analysed data gathered in 2022 about cyberattacks, exploits and malware and shared insights in our 2022 Threat Roundup.
Excerpted below are key findings and related insights for defenders, a brief outlook based on our observations, and strategic recommendations on how to protect your environment from the evolving threat landscape. For a detailed analysis of the attacks, exploits and malware observed in 2022, including a technical deep dive into several endemic and emerging malware threats, read the full report.
Key findings and insights for defenders
Here are seven takeaways from the report and corresponding actions your organisation can take to help prevent and mitigate the types of cyberattacks we observed in 2022. They are all cyber hygiene best practices.
- Attacks come from everywhere, but the top 10 countries account for 73% of malicious traffic. In these countries, attackers rely mostly on legitimate hosting providers (81% of attacks), but they also leverage bulletproof hosting (BPH) and compromised hosts on consumer and even business networks.
Insights for Defenders:
Some countries of origin carry notoriously risky traffic, such as Russia and China. If your organisation does not do business with, or in, a particular country, then blocking those IP ranges can help to reduce noise. However, judging IP addresses based solely on country of origin may be ineffective, since many attacks originate from American, European, and Asian countries that would hardly look suspicious on a corporate network.
Autonomous systems (ASs) are a better sign of risk than country of origin, since they are more specific. IPs belonging to known BPH providers and organisations that do not respond to abuse complaints should be treated with care. On the other hand, your own network may be the victim of abuse right now by malicious actors using it for further attacks. Pay attention to outbound suspicious communications, even if they are targeting known benign addresses. Subscribing to threat feeds can also help to detect compromises in your own network.
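To make the country-versus-ASN point concrete, here is an added example (not code from the report) that triages constructed firewall log lines with both policies side by side. The ASN table, prefixes, AS numbers and BPH flags are invented stand-ins for a real IP-to-ASN lookup.

```python
import ipaddress
import re
# Constructed stand-in for an IP-to-ASN database (real deployments query e.g.
# Team Cymru or a MaxMind ASN DB). Rows: (prefix, ASN, country, type, BPH flag)
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "US", "hosting", False),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "NL", "hosting", True),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "RU", "consumer", False),
]
BLOCKED_COUNTRIES = {"RU", "CN"}  # only sensible where you do no business there

def lookup(ip):
    """Return the ASN record for an address, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, asn, cc, kind, bph in ASN_TABLE:
        if addr in net:
            return {"asn": asn, "country": cc, "kind": kind, "bph": bph}
    return None

def country_verdict(ip):
    """Naive policy: judge purely on country of origin."""
    info = lookup(ip)
    return "block" if info and info["country"] in BLOCKED_COUNTRIES else "allow"

def asn_verdict(ip):
    """ASN-aware policy: block BPH / abuse-unresponsive ASNs, queue legitimate
    hosting providers for review, and only then fall back to the country rule."""
    info = lookup(ip)
    if info is None:
        return "review"
    if info["bph"]:
        return "block"
    if info["kind"] == "hosting":
        return "review"
    return country_verdict(ip)

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
def triage(log_lines):
    # Map each source IP in firewall-style log lines to (country, ASN) verdicts.
    results = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            results[m.group(1)] = (country_verdict(m.group(1)), asn_verdict(m.group(1)))
    return results

SAMPLE_LOG = [  # constructed firewall log lines: inbound RDP, SSH and SMB probes
    "2022-11-02T10:01:07Z DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2022-11-02T10:01:09Z DENY src=198.51.100.9 dst=10.0.0.5 dport=22",
    "2022-11-02T10:01:12Z DENY src=192.0.2.4 dst=10.0.0.8 dport=445",
]
```

The US-based hosting address passes the country rule but lands in review under the ASN rule, which is exactly the traffic that "would hardly look suspicious" on a corporate network.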
- Remote management protocols are the top target for initial access (43%), followed by web attacks (26%) and attacks on remote storage protocols (23%). (These statistics do not account for phishing, which is a very popular method for initial access but is not captured by our honeypots.)
Insights for Defenders:
Some services are naturally more complex to defend because they must by nature be exposed on the internet, such as web and email servers. However, unnecessary services often end up being exposed, too – and may be easy targets for exploitation. To minimise exposure:
- Inventory every device that has an exposed management protocol or database service.
- Disable those that are not required and focus on hardening the ones that still need to be exposed, for example by requiring VPN connections where appropriate.
Adopting appropriate security solutions such as web application firewalls (WAFs) and host or network intrusion prevention systems (IPSs), as well as effective architectural choices such as DMZs and network segmentation, also helps reduce risk.
- Many of the attacks on these protocols rely on weak or default credentials. Popular generic usernames (such as “root” and “admin”) account for 87% of attempts, but the other 13% include dozens of highly specific usernames for applications and devices.
Insights for Defenders:
Accounts for specific services are being scanned all the time, so make sure to change default usernames and passwords whenever possible. Try to use complex, unique passwords for every service on every device. Rotate credentials at a regular interval to avoid leaked credentials remaining valid. Finally, enable two-factor authentication.
- Exploits are not limited to traditional applications. Three-quarters (76%) of exploits target software libraries such as Log4j, OpenSSH and TCP/IP stacks. Other popular targets include exposed services, such as databases, web applications/servers and email servers, as well as internet-facing network infrastructure, such as firewalls and routers. The vulnerabilities used by opportunistic attackers are also employed by sophisticated state-sponsored actors.
Insights for Defenders:
When deciding which vulnerabilities to patch and when, focus not only on CVSS and other severity metrics, but also consider the vulnerabilities that are actually being exploited. CISA keeps an up-to-date catalogue of known exploited vulnerabilities, which is a valuable resource for organisations of all sizes.
Out of these vulnerabilities, the ones affecting software components are the most difficult to eradicate because of their tendency to trickle down the supply chain. This is especially true for open-source components. When a vulnerability cannot be patched on all devices in the network, a risk assessment and mitigation plan including segmentation and close network monitoring is the best approach.
Besides focusing on the most exploited vulnerabilities for patching, it is important to know which are being exploited at a certain point in time to enable focused threat hunting exercises on a network, looking for signs of what is popular at that time.
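The two recommendations above (patch what is actually exploited, and hunt for what is being exploited right now) can be driven from the same data. This is an added example, not code from the report: it reads a constructed sample shaped like CISA's KEV JSON feed, ranks constructed scanner findings so that KEV membership outranks raw CVSS, and lists recently added catalogue entries as threat-hunting targets. The CVE IDs, products, assets and dates are placeholders.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/known-exploited-vulnerabilities-catalog); the CVE IDs,
# products and dates are placeholders, not real catalogue entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "product": "ExampleWebServer", "dateAdded": "2022-11-20",
     "dueDate": "2022-12-11", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "product": "ExampleLoggingLib", "dateAdded": "2022-06-01",
     "dueDate": "2022-06-22", "knownRansomwareCampaignUse": "Unknown"},
]})
# Constructed scanner output: (asset, CVE, CVSS base score).
FINDINGS = [
    ("fw-edge-01", "CVE-0000-0003", 9.8),  # critical by CVSS alone, not in KEV
    ("web-01", "CVE-0000-0001", 7.5),      # in KEV, ransomware use, overdue
    ("build-07", "CVE-0000-0002", 6.1),    # in KEV
    ("printer-03", "CVE-0000-0004", 5.3),  # neither
]
TODAY = date(2022, 12, 15)  # fixed so the example is reproducible

def load_kev(raw_json):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def prioritise(findings, kev, today=TODAY):
    """Order findings for patching: KEV membership first, then past due date,
    then known ransomware use, and only then the CVSS score."""
    def key(finding):
        _asset, cve, cvss = finding
        entry = kev.get(cve)
        in_kev = entry is not None
        overdue = in_kev and date.fromisoformat(entry["dueDate"]) < today
        ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
        return (in_kev, overdue, ransomware, cvss)
    return sorted(findings, key=key, reverse=True)

def hunting_targets(kev, today=TODAY, window_days=30):
    """CVEs added to the catalogue recently: what attackers are using right now,
    and therefore what a focused threat hunt should look for."""
    cutoff = today - timedelta(days=window_days)
    return sorted(cve for cve, v in kev.items()
                  if date.fromisoformat(v["dateAdded"]) >= cutoff)

if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for asset, cve, cvss in prioritise(FINDINGS, kev):
        print(f"{asset:12} {cve} CVSS={cvss} KEV={'yes' if cve in kev else 'no'}")
    print("hunt for:", hunting_targets(kev))
```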
- Critical infrastructure is a constant target. We have observed exploits for specific devices but also constant enumeration of popular OT protocols, including those used in industrial automation, building automation and utilities.
Insights for Defenders:
Monitoring the traffic to and from OT devices is nowadays as critical as monitoring IT traffic. Attackers are constantly probing these devices for weaknesses and many organisations will be blind to that because they believe they do not have OT assets to protect. The truth is that building automation and even protocols such as Modbus for industrial automation are now found in almost every organisation and are a target for attackers.
- After initial access, 95% of the post-exploitation activities we observed have to do with discovery of further information. Persistence and execution of further commands are also common, including the removal of artifacts related to rival malware.
Insights for Defenders:
Even after an initial breach, threat actors need to spend time getting situated in the target system, downloading further tools, executing them and persisting. Many of these actions provide more chances for detection and response, provided that proper endpoint introspection capabilities are available, which is a notorious problem on non-IT endpoints.
- Ransomware (53%), botnets (25%) and cryptominers (7%) are the most common malware observed. Large active botnet campaigns, such as Dota3, represent almost 90% of the IPs we observe dropping malware. Some malware remains endemic (such as WannaCry and Mirai variants). Emerging botnets (such as Chaos) are starting to cross the boundaries between IoT and IT.
Insights for Defenders:
Malware hashes are insufficient as IoCs because some malware is polymorphic, which means its hash is unique for each new victim. Therefore, it is better to also detect and hunt for TTPs and anomalous behaviour than to rely solely on IoCs.
Outlook: blurring the lines between IT and IoT
In 2022 Vedere Labs observed many open-source botnets; that is, botnets that use malware whose source code is available on GitHub or has been leaked and widely publicised. They can be quickly customised by inexperienced malware developers and used for their own purposes.
Relying on shared or leaked code, IoT botnets have evolved from brute-forcing Telnet credentials to exploiting a large number of CVEs, with the advantage that exploits last longer and persistent malware is harder to remove on IoT devices than in IT. The Chaos botnet is one of the latest developments in this long line of botnet evolution but it won’t be the last one. With its lateral movement and exploitation capabilities, Chaos could easily be used to drop ransomware or other malware instead of cryptominers and DDoS.
Ultimately, cybercriminals are often simply after money. In mid-2022, Forescout’s Vedere Labs developed R4IoT, a proof-of-concept that showed how IoT devices could act as an entry point for IT and further OT ransomware attacks. At the time, we assumed that the initial IoT attack – an exploit on an IP camera or NAS – would be carried out manually either by a ransomware group or by relying on an intermediary such as an initial access broker (IAB). After reviewing the 2022 data, we realise that a new wave of botnets has opened the doors to such an attack being carried out as part of an automated campaign.
Strategic recommendations: three pillars of cybersecurity
As the threat landscape continues to evolve and more organisations adopt cybersecurity not only for endpoints but also for the growing number of unsecured IoT devices, threat actors have consistently moved to devices that offer easier entry points. To protect your environment, we recommend organisations focus on three key pillars of cybersecurity:
- Risk and exposure management. Start by identifying every asset connected to the network and its security posture, including known vulnerabilities, credentials and open ports. Forescout also recommends mapping your environment to a security framework such as CIS. Then, change the default “easily guessable” credentials and use strong, unique passwords for each device. Next, disable unused services and patch vulnerabilities to prevent exploitation. With your attack surface understood, you can now fully assess risk in your environment. Finally, focus on mitigation using a risk-based approach. Use automated controls that do not rely only on security agents and that apply to the whole enterprise instead of silos such as the IT network, the OT network, or specific types of IoT devices.
- Network security. Do not expose unmanaged devices directly on the internet, with very few exceptions such as routers and firewalls. Segment the network to isolate IT, IoT and OT devices, limiting network connections to only specifically allowed management and engineering workstations or among unmanaged devices that need to communicate. Segmentation should not happen only between IT and OT, but even within IT and OT networks to prevent lateral movement and data exfiltration. Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.
- Threat detection and response. Use an IoT/OT-aware, DPI-capable monitoring solution to alert on malicious indicators and behaviours, watching internal systems and communications for known hostile actions such as vulnerability exploitation, password guessing and unauthorised use of OT protocols. Anomalous and malformed traffic should be blocked, or at least flagged to network operators. Beyond network monitoring, extended detection and response (XDR) solutions are an important consideration: they collect telemetry and logs from a wide range of sources (security tools, applications, infrastructure, cloud and other enrichment sources), correlate attack signals into high-fidelity threat alerts for analyst investigation, and enable automated response actions across the enterprise.