Forescout’s Vedere Labs has launched new research titled R4IoT (Ransomware for IoT), a proof-of-concept study demonstrating how next-generation ransomware can exploit IoT devices for initial access and lateral movement to IT and OT assets, with the intention of causing physical disruption to business operations. The R4IoT report includes a detailed playbook describing how organizations can protect themselves against a new type of ransomware attack that leverages IoT devices, such as video cameras, to deploy ransomware.
The rapid expansion in the number of connected devices in organizations sharply increases the risk posture of nearly every business across the globe, driven by three trends: the growth of IoT devices in corporate networks, the convergence of IT and OT networks, and the rise of supply-chain vulnerabilities. This is the first work to combine the worlds of IT, OT, and IoT ransomware and to present a full proof-of-concept running from initial access via IoT, to lateral movement in the IT network, to impact in the OT network. Beyond encryption, the proof-of-concept on IT equipment includes deployment of crypto-miner software and data exfiltration.
The proof-of-concept ransomware described in the R4IoT report exploits the first trend by using exposed vulnerable devices, such as an IP video camera or network-attached storage (NAS) device, as the initial access point to the network, and the second trend to hold OT devices hostage, thus adding another layer of extortion to an attack. A video by Vedere Labs demonstrates how IoT and OT exploits can be combined with a traditional attack campaign. The impact on OT is not limited to standard operating systems (e.g., Linux) or device types (e.g., building automation), does not require persistence or firmware modification on the targeted devices, and works at large scale on a wide variety of devices affected by TCP/IP stack vulnerabilities.
The report also shows that to mitigate this type of attack, organizations need solutions that allow for extensive visibility and enhanced control of all the assets in a network, and it makes three important observations. First, Identification and Protection are possible because hundreds of very similar attacks happen simultaneously; for instance, Conti had more than 400 successful attacks on US and international organizations.
That means it is possible to identify the devices and vulnerabilities being actively exploited so that their protection can be prioritized. Second, Detection is possible because most tools and techniques these actors use are well-known; the report presents the top Tactics, Techniques and Procedures (TTPs) used by malware in 2021. Third, Response and Recovery are possible because attacks are not immediate and fully automated: the average dwell time of ransomware attackers was 5 days in 2021.
Implementing this mitigation requires extensive visibility and enhanced control of all assets in a network.
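As an added illustration of the detection and visibility points above (example code, not from the Forescout report), the script below checks constructed flow records against a hypothetical zone policy and flags IoT-segment devices, such as a camera or NAS, that initiate connections into IT or OT segments, which is the lateral-movement path R4IoT describes. The subnets, ports and policy are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter

# Assumed network layout for the example (not from the report).
ZONES = {
    "iot": [ipaddress.ip_network("10.10.0.0/24")],  # cameras, NAS
    "it":  [ipaddress.ip_network("10.20.0.0/24")],  # workstations, servers
    "ot":  [ipaddress.ip_network("10.30.0.0/24")],  # PLCs, building automation
}

# Hypothetical policy: which zone may initiate connections to which.
# IoT devices should never initiate sessions into IT or OT.
ALLOWED = {("it", "it"), ("it", "iot"), ("it", "ot"), ("iot", "iot"), ("ot", "ot")}

# Constructed flow log: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = [
    "2022-06-01T10:00:01 10.20.0.12 10.10.0.5 554 tcp",   # workstation views camera stream
    "2022-06-01T10:00:05 10.10.0.5 10.20.0.12 445 tcp",   # camera opens SMB to workstation
    "2022-06-01T10:00:09 10.10.0.5 10.30.0.7 502 tcp",    # camera talks Modbus to a PLC
    "2022-06-01T10:00:12 10.10.0.9 10.10.0.5 80 tcp",     # NAS to camera, same zone
    "2022-06-01T10:00:20 10.20.0.40 10.30.0.7 502 tcp",   # engineering host to PLC
]

def zone_of(ip):
    """Map an address to its zone, or 'unknown' if it matches no configured subnet."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"

def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def find_violations(lines):
    """Return (src_ip, src_zone, dst_zone, dst_port) for flows that cross zones against policy."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        pair = (zone_of(flow["src"]), zone_of(flow["dst"]))
        if pair not in ALLOWED:
            hits.append((flow["src"], pair[0], pair[1], flow["dport"]))
    return hits

def suspicious_sources(lines, threshold=2):
    """Sources with at least `threshold` policy violations: likely a foothold pivoting outward."""
    counts = Counter(v[0] for v in find_violations(lines))
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("cross-zone violation:", v)
    print("suspicious sources:", suspicious_sources(SAMPLE_FLOWS))
```

On the sample flows only the camera at 10.10.0.5 is flagged, once for SMB into the IT segment and once for Modbus into the OT segment, which is exactly the IoT-to-IT-to-OT chain the report warns about.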