Microsoft last Monday warned in a blog that Russian hackers known as Strontium are targeting corporate IoT networks to gain access into organizations.
In April, security researchers in the Microsoft Threat Intelligence Center discovered the group’s attempts to compromise a VOIP phone, an office printer and a video decoder across multiple customer locations.
Microsoft's further investigation revealed that Strontium used these devices to enter corporate networks. In two of the cases, the devices had been deployed without changing the manufacturer's default passwords, while in the third case the latest security update had not been applied to the device.
“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives. These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments,” the blog said.
At the conclusion of its investigation, Microsoft informed the manufacturers of the three devices.
Monitoring the threat actors
Over the last twelve months, Microsoft has delivered nearly 1,400 nation-state notifications to those who have been targeted or compromised by Strontium.
One in five notifications of Strontium activity was tied to attacks against non-governmental organisations, think tanks, or politically affiliated organisations around the world. The remaining 80% of attacks have largely targeted organisations in the following sectors: government, IT, military, medicine, education and engineering.
Microsoft has also observed, and notified the targets of, Strontium attacks against Olympic organizing committees, anti-doping agencies, and the hospitality industry. The “VPN Filter” malware has also been attributed to the group by the FBI.
In 2018, hundreds of thousands of home and small business networking and storage devices were compromised and loaded with the so-called “VPN Filter” malware. The FBI took subsequent actions to disrupt this botnet, although the devices would remain vulnerable to re-infection unless proper firmware or security controls were put in place by the user.
There were also multiple press reports of cyberattacks on several devices during the opening ceremonies of the 2018 Olympic Games in Pyeong Chang. Microsoft noted that officials confirmed a few days later that they had been the victims of malicious cyber-attacks which prevented attendees from printing their tickets to the Games, and that televisions and internet access in the main press centre simply stopped working.
Better integration of IoT devices
According to Microsoft, IoT devices must be identifiable, maintained, and monitored by security teams, particularly in large, complex enterprises.
Some IoT devices may even communicate basic telemetry back to the device manufacturer or have a means to receive software updates. In most cases, however, the customers' IT operations centres don't know they exist on the network.
“We are calling for better enterprise integration of IoT devices, particularly the ability to monitor IoT device telemetry within enterprise networks,” the blog said.
“Today, the number of deployed IoT devices outnumbers the population of personal computers and mobile phones combined. With each networked IoT device having its own separate network stack, it's quite easy to see the need for better enterprise management, especially in today's bring-your-own-device world.”
Microsoft lists 12 actions to protect corporate IoT devices. These are:
- Require approval and cataloguing of any IoT devices running in your corporate environment.
- Develop a custom security policy for each IoT device.
- Avoid exposing IoT devices directly to the internet or create custom access controls to limit exposure.
- Use a separate network for IoT devices if feasible.
- Conduct routine configuration/patch audits against deployed IoT devices.
- Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic, and capture of device images for forensic investigation.
- Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.
- Monitor IoT device activity for abnormal behaviour (e.g. a printer browsing SharePoint sites…).
- Audit any identities and credentials that have authorized access to IoT devices, users and processes.
- Centralize asset/configuration/patch management if feasible.
- If your devices are deployed/managed by a third party, include explicit terms in your contracts detailing the security practices to be followed, and audits that report the security status and health of all managed devices.
- Where possible, define SLA terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their product.
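As an added example (not code from Microsoft's blog or this article), the following Python sketch applies two of the recommendations above, cataloguing every IoT device and monitoring for abnormal behaviour, to constructed flow records: each device class gets an allowlist of the destinations it legitimately needs, and any flow outside it (such as a printer reaching a SharePoint host) or any host on the IoT segment that is missing from the inventory produces a finding. The inventory, the policy, the IP ranges and the flow lines are all constructed for this example.

```python
"""Flag IoT devices talking outside their expected role, or not in the inventory."""
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("10.20.0.0/24")  # constructed: dedicated IoT segment

# Constructed asset inventory: device IP -> (device class, label).
INVENTORY = {
    "10.20.0.11": ("printer", "floor-2 office printer"),
    "10.20.0.12": ("voip_phone", "reception VOIP phone"),
    "10.20.0.13": ("video_decoder", "boardroom video decoder"),
}

# Constructed per-class policy: the only destinations each class should need.
POLICY = {
    "printer":       {"ports": {443},        "nets": ["10.20.5.0/24"]},  # print server
    "voip_phone":    {"ports": {5060, 5061}, "nets": ["10.20.6.0/24"]},  # SIP PBX
    "video_decoder": {"ports": {443},        "nets": ["10.20.7.0/24"]},  # media gateway
}

# Constructed flow records: "src dst dport sni" ("-" when no TLS SNI was seen).
FLOWS = """\
10.20.0.11 10.20.5.10 443 -
10.20.0.11 10.20.100.40 443 sharepoint.corp.example
10.20.0.12 10.20.6.20 5060 -
10.20.0.12 10.20.100.41 445 -
10.20.0.13 10.20.7.30 443 -
10.20.0.13 10.20.0.12 22 -
10.20.0.99 10.20.100.40 443 -
"""

def parse_flow(line):
    src, dst, dport, sni = line.split()
    return src, dst, int(dport), (None if sni == "-" else sni)

def check_flow(src, dst, dport, sni):
    """Return a finding for a flow that deviates from policy, or None if it fits."""
    if ip_address(src) not in IOT_NET:
        return None  # not on the IoT segment; out of scope for this check
    if src not in INVENTORY:
        return f"{src}: uncatalogued device on the IoT segment (dst {dst}:{dport})"
    dev_class, label = INVENTORY[src]
    rule = POLICY[dev_class]
    in_net = any(ip_address(dst) in ip_network(n) for n in rule["nets"])
    if in_net and dport in rule["ports"]:
        return None
    return f"{src} ({label}): {dev_class} contacted {sni or dst}:{dport} outside its policy"

def audit_flows(text):
    """Run check_flow over every non-empty record and collect the findings."""
    return [f for f in (check_flow(*parse_flow(l)) for l in text.splitlines() if l.strip()) if f]

if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(finding)
```

The printer's SharePoint request, the phone's SMB connection, the decoder's SSH attempt at a neighbouring device, and the uncatalogued host are all reported; the three in-policy flows are not.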