2022 Threat Roundup: The Emergence of Mixed IT/IoT Threats
Rapid digitization means that organizations are now more connected than ever. Most organizations now host a combination of interconnected IT, OT, IoT and sometimes IoMT devices in their networks, which has increased their attack surface. Forescout’s data shows that around 24% of connected devices in every organization are no longer traditional IT. The growing number and diversity of connected devices in every industry presents new challenges for organizations in understanding and managing their risk exposure. In brief, we have entered the era of mixed IT/IoT threats, with cyberattacks growing in intensity, sophistication and frequency.
The adoption of new connected devices in 2023 is likely to pose even greater challenges for cybersecurity professionals across the globe. To help organizations of all sizes prepare, Forescout’s Vedere Labs has analyzed data gathered in 2022 about cyberattacks, exploits and malware and shared insights in our 2022 Threat Roundup.
Excerpted below are key findings and related insights for defenders, a brief outlook based on our observations, and strategic recommendations on how to protect your environment from the evolving threat landscape. For a detailed analysis of the attacks, exploits and malware observed in 2022, including a technical deep dive into several endemic and emerging malware threats, read the full report.
Key findings and insights for defenders
Here are seven takeaways from the report and corresponding actions your organization can take to help prevent and mitigate the types of cyberattacks we observed in 2022. They are all cyber hygiene best practices.
| Key Finding | Insights for Defenders |
|---|---|
| Attacks come from everywhere, but the top 10 countries account for 73% of malicious traffic. In these countries, attackers rely mostly on legitimate hosting providers (81% of attacks), but they also leverage bulletproof hosting (BPH) and compromised hosts on consumer and even business networks. |
|
| Remote management protocols are the top target for initial access (43%), followed by web attacks (26%) and attacks on remote storage protocols (23%). (These statistics do not account for phishing, which is a very popular method for initial access but is not captured by our honeypots.) | Some services are naturally more complex to defend because they must by nature be exposed on the internet, such as web and email servers. However, unnecessary services often end up being exposed, too – and may be easy targets for exploitation. To minimize exposure:
|
| Many of the attacks on these protocols rely on weak or default credentials. Popular generic usernames (such as “root” and “admin”) account for 87% of attempts, but the other 13% include dozens of highly specific usernames for applications and devices. | Accounts for specific services are being scanned all the time, so make sure to change default usernames and passwords whenever possible. Try to use complex, unique passwords for every service on every device. Rotate credentials at a regular interval to avoid leaked credentials remaining valid. Finally, enable two-factor authentication. |
| Exploits are not limited to traditional applications. Three-quarters (76%) of exploits target software libraries such as Log4j, OpenSSH and TCP/IP stacks. Other popular targets include exposed services, such as databases, web applications/servers and email servers, as well as internet-facing network infrastructure, such as firewalls and routers. The vulnerabilities used by opportunistic attackers are also employed by sophisticated state-sponsored actors. |
|
| Critical infrastructure is a constant target. We have observed exploits for specific devices but also constant enumeration of popular OT protocols, including those used in industrial automation, building automation and utilities. | Monitoring the traffic to and from OT devices is nowadays as critical as monitoring IT traffic. Attackers are constantly probing these devices for weaknesses and many organizations will be blind to that because they believe they do not have OT assets to protect. The truth is that building automation and even protocols such as Modbus for industrial automation are now found in almost every organization and are a target for attackers. |
| After initial access, 95% of the post-exploitation activities we observed have to do with discovery of further information. Persistence and execution of further commands are also common, including the removal of artifacts related to rival malware. | Even after an initial breach, threat actors need to spend time getting situated in the target system, downloading further tools, executing them and persisting. Many of these actions provide more chances for detection and response, provided that proper endpoint introspection capabilities are available, which is a notorious problem on non-IT endpoints. |
| Ransomware (53%), botnets (25%) and cryptominers (7%) are the most common malware observed. Large active botnet campaigns, such as Dota3, represent almost 90% of the IPs we observe dropping malware. Some malware remains endemic (such as WannaCry and Mirai variants). Emerging botnets (such as Chaos) are starting to cross the boundaries between IoT and IT | Malware hashes are insufficient as IoCs because some malware is polymorphic, which means its hash is unique for each new victim. Therefore, it is better to also detect and hunt for TTPs and anomalous behavior than to rely solely on IoCs. |
Outlook: blurring the lines between IT and IoT
In 2022 Vedere Labs observed many open-source botnets; that is, botnets that use malware whose source code is available on Github or has been leaked and widely publicized. They can be quickly customized by inexperienced malware developers and used for their own purposes.
Relying on shared or leaked code, IoT botnets have evolved from brute-forcing Telnet credentials to exploiting a large number of CVEs, with the advantage that exploits last longer and persistent malware is harder to remove on IoT devices than in IT. The Chaos botnet is one of the latest developments in this long line of botnet evolution but it won’t be the last one. With its lateral movement and exploitation capabilities, Chaos could easily be used to drop ransomware or other malware instead of cryptominers and DDoS.
Ultimately, cybercriminals are often simply after money. In mid-2022, Forescout’s Vedere Labs developed R4IoT, a proof-of-concept that showed how IoT devices could act as an entry point for IT and further OT ransomware attacks. At the time, we assumed that the initial IoT attack – an exploit on an IP camera or NAS – would be carried out manually either by a ransomware group or by relying on an intermediary such as an IAB. After reviewing the 2022 data, we realize that a new wave of botnets has opened the doors to such an attack being carried out as part of an automated campaign.
Strategic recommendations: three pillars of cybersecurity
As the threat landscape continues to evolve and more organizations adopt cybersecurity not only for endpoints but also for the growing number of unsecured IoT devices, threat actors have consistently moved to devices that offer easier entry points. To protect your environment, we recommend organizations focus on three key pillars of cybersecurity:
- Risk and exposure management. Start by identifying every asset connected to the network and its security posture, including known vulnerabilities, credentials and open ports. Forescout also recommends mapping your environment to a security framework such as CIS. Then, change the default “easily guessable” credentials and use strong, unique passwords for each device. Next, unused services should be disabled and vulnerabilities patched to prevent exploitation. With your attack surface understood, you can now fully assess risk in your environment. Finally, focus on mitigating using a risk-based approach. Use automated controls that do not rely only on security agents and apply to the whole enterprise instead of silos like the IT network, the OT network, or specific types of IoT devices.
- Network security. Do not expose unmanaged devices directly on the internet, with very few exceptions such as routers and firewalls. Segment the network to isolate IT, IoT and OT devices, limiting network connections to only specifically allowed management and engineering workstations or among unmanaged devices that need to communicate. Segmentation should not happen only between IT and OT, but even within IT and OT networks to prevent lateral movement and data exfiltration. Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.
- Threat detection and response. Use an IoT/OT-aware, DPI-capable monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions such as vulnerability exploitation, password guessing and unauthorized use of OT protocols. Anomalous and malformed traffic should be blocked, or at least alert its presence to network operators. Beyond network monitoring, Threat Detection & Response solutions are an important consideration. They collect telemetry and logs from a wide range of sources; including security tools, applications, infrastructure, cloud and other enrichment sources; correlate attack signals to generate high-fidelity threats for analyst investigation; and enable automated response actions across the enterprise.