
Researchers show off how easy it is to control your smart tech

So IoT, IT, OT, and ransomware walk into a bar…

Traditionally, ransomware gangs have targeted IT systems with methods like email attachments, phishing, and web scripts. But a new report by Forescout’s Vedere Labs predicts that the next generation of ransomware will gain access via Internet of Things (IoT) devices by taking advantage of lax security, and then directly attack IT devices and operational technology (OT).

Forescout researchers developed a proof-of-concept attack vector, calling the new approach “Ransomware for IoT,” or R4IoT. The method relies on exploiting known vulnerabilities and configuration errors in IoT devices like routers and IP cameras to gain initial access to a network, after which an attacker could spread laterally to traditional IT devices and then an organization’s OT devices. The method detailed in the case study is general-purpose, meaning it “works at large-scale on a wide variety of devices impacted by TCP/IP stack vulnerabilities” and is not limited by operating systems or device type.

Be careful what you plug in

“It’s currently sitting at around 45% of the number of nontraditional wi-fi devices in an organization,” Daniel dos Santos, head of security research at Forescout, told IT Brew. “So close to half of what you have in an organization nowadays is not a laptop or a computer or something like that, right?”

“It’s the IP cameras, routers, and printers…PLCs [programmable logic controllers], and whatever else you have in terms of IoT and OT,” he added. “So if we put those things together, like a larger attack surface, that is very hard to patch, very hard to manage for the security teams.”

The R4IoT report case study involved an IP camera that was incorrectly exposed to external connections. By exploiting a series of critical vulnerabilities to hijack the camera’s root directory, Forescout researchers were able to effectively turn it into a proxy server running a Remote Desktop Protocol cracker. That allowed them to steal credentials and gain access to a connected Windows machine.

This allowed not only the lateral deployment of a rogues’ gallery of malware, such as encryptors and crypto miners, but also the execution of a custom network scanner, Memoria, that identifies “critical IoT/OT assets in the network that may contain critical vulnerabilities.” Memoria launches denial-of-service attacks against those devices, shutting down PLCs that control physical processes—in the case study, an HVAC system.

A blueprint for next-gen ransomware attacks

Dos Santos told IT Brew that while commercial ransomware groups are known to have discussed using IoT devices as an initial access vector, R4IoT’s methodology is unique.

Usually “the farthest they [attackers] can get is the typical Windows computer that manages those devices, which we usually call an engineering workstation, or a data historian, or something like that, which is a SCADA [supervisory control and data acquisition] system, which is kind of the interface between the OT and the rest of the organization,” dos Santos said. “What we did different is that when we reach one of those devices, we actually scan the network for the level one [process control equipment] and take those offline.”

Ransomware attacks on IoT devices, like the R4IoT approach, could be commoditized on the black market in the future, according to dos Santos, as they are potentially much more disruptive to a company’s infrastructure than traditional phishing attacks. He cautioned that organizations should include IoT and OT devices in their patching, segmentation, and network monitoring strategies, or future attackers could have even more leverage to push ransom demands.

“You have to rethink the whole security strategy, putting IoT and OT at the same level as IT,” dos Santos added.
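One way to apply the network-monitoring advice to the case study's camera-to-Windows step, as an added example that is not from the Forescout report or IT Brew: the Python below flags IoT-class devices that open repeated RDP connections within a short window. The asset inventory, flow-record format, addresses, and thresholds are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed asset inventory (assumption): IP address -> device class.
INVENTORY = {
    "10.0.5.20": "ip_camera",
    "10.0.5.21": "printer",
    "10.0.1.10": "workstation",
    "10.0.1.11": "workstation",
}
IOT_CLASSES = {"ip_camera", "printer", "router"}
RDP_PORT = 3389

# Constructed flow records: epoch_seconds,src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
1000,10.0.5.20,10.0.1.10,3389
1002,10.0.5.21,10.0.1.10,3389
1005,10.0.5.20,10.0.1.10,3389
1010,10.0.5.20,10.0.1.10,3389
1012,10.0.1.11,10.0.1.10,3389
1015,10.0.5.20,10.0.1.10,3389
1020,10.0.5.20,10.0.1.10,3389
1025,10.0.5.20,10.0.1.10,3389
1030,10.0.5.20,10.0.1.10,443
2000,10.0.5.20,10.0.1.10,3389
"""

def find_iot_rdp_sources(flow_csv, inventory, window=60, threshold=5):
    """Return {src_ip: peak RDP connections in any `window` seconds} for
    IoT-class sources whose peak reaches `threshold`."""
    stamps_by_src = defaultdict(list)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 4:
            continue  # skip blank or malformed records
        ts, src, _dst, port = row
        # An IP camera or printer has no business initiating RDP sessions.
        if int(port) == RDP_PORT and inventory.get(src) in IOT_CLASSES:
            stamps_by_src[src].append(int(ts))
    alerts = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start = best = 0
        for end, t in enumerate(stamps):  # sliding window over timestamps
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts
```
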
