Device Risk: Control the IoT and OT devices targeted by threats like Mirai
Last week, a new variant of the Mirai botnet was reported by Palo Alto Network’s Unit 42. What makes this Mirai evolution special is the addition of a dozen new exploits and backdoor (built in manufacturer default) accounts that target enterprise devices like smart TVs and conference room presentation systems. These new targets make the latest Mirai variant worth discussing beyond the chronicled updates by the NJCCIC and extensive collaborative research presented at Usenix 2017.
Smart TVs and conference room presentation systems are among
the latest Mirai variant device targets
Mirai targets fundamental weaknesses in common Internet of Things (IoT) and Operational Technology (OT) device deployments: Weak default passwords and public Internet exposure. The OWASP IoT project top 10 lists “Weak, Guessable, or Hardcoded Passwords” as the #1 cyber risk to IoT in 2018. Old habits die hard—the underlying problem has existed for decades.
Simplicity is why Mirai is an effective botnet. Its massive distributed denial of service (DDoS) attack in 2016 left a swath of the U.S. east coast unable to access the Internet. At the time, Mirai was considered the largest botnet in history, peaking at over 600,000 devices. Although many suspected nation-states, the young hackers behind the botnet were eventually identified and ordered to pay $8.6 million in damages and later avoided prison time by supporting cyber defense work with the FBI. The Mirai source code was shared online, resulting in widespread access and subsequent evolution of the threat. Mirai proliferated, largely, because of its practicality.
What’s the impact?
Automated threats like Mirai have two major areas of impact:
- The overarching concern is a massive DDoS attack (a threat to widespread system availability). These attacks have disrupted major infrastructure providers and the Internet accessibility of entire nations.
- General loss of device control is an ancillary cybersecurity problem that’s hard to quantify. Direct damage to devices through CPU burnout, leach of resources, exposure to lateral movement, and the generic hygiene risk of having zombie devices contributing to network attacks are all undesirable outcomes. Compromised devices are at the mercy of the botmasters and may be locked out for ransom or enslaved into crypto-mining.
What’s the problem?
Here’s the rub: There’s a Device Visibility and Control problem when it comes to managing devices and default credentials. MITRE notes in CWE-259: “A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect.”
It’s true—technical detective controls for the device configuration problem are limited to extensive manual testing and blackbox / brute-force checking of logins. So there’s a gap: Default credential configuration issues may not be covered by automated vulnerability assessments (VA), IT Audit, device deployment process, or automated SCAP-based compliance solutions. Most of the devices targeted by Mirai are unmanaged devices that run without agents in enterprise environments.
The root problems are 1) off-the-shelf IoT device makers have insufficient Product Security practices that must be baked into the software development lifecycle (SDLC), and 2) network operators have the challenge of isolating such devices from exposure.
Automated threats like ransomware and the Mirai botnet
leverage common credentials and known exploits
General Guidance for IoT Device Control
The OWASP IoT Project Top 10 goes into more detail: Weak passwords, insecure network services, missing updates and lack of hardening should be avoided.
As always, the Center for Internet Security (CIS) Top 20 Controls provide guidance: Control starts with the Asset Inventory, followed by secure configuration and continuous vulnerability assessment. Later CIS controls suggest further limitation of the exposure of network ports and services. All of these safeguards are required when addressing the risk from automated threats like Mirai.
Proposed Solutions: Forescout Security Policy Templates (SPT): VR Mirai
Last week, Forescout extended its device control set by releasing SPT v19.0.3. Included in the release is the VR Mirai Vulnerability Response. The example technical policies created with this template evaluate whether the devices in the policy scope are vulnerable to Mirai and will add them to the correct group. It will detect potentially vulnerable devices. Once vulnerable devices are detected, controls can be applied to proactively prevent security breaches, data leakage and DDoS attacks. This policy evaluates both managed and unmanaged devices. No credentials are required for device login.
Proposed Solutions: the Forescout IoT Posture Assessment Plugin
If you can’t beat ’em, join ’em. The Mirai doorknob-rattling technique proved so simple and effective that, in 2017, Forescout was inspired to create the IoT Posture Assessment plugin based upon the same techniques used by Mirai and other automated threats.
IoT Posture Assessment brings a practical device configuration control to Forescout deployments. In terms of managing technical risks, device configuration controls like this can close coverage gaps. In today’s convergent IT, OT, and/or IoT environment, implementing the practical control of checking devices for default credentials is a necessary part of a layered, threat-based defense.
Forescout’s IoT Posture Assessment plugin helps customers proactively identify such vulnerable IoT devices in their network before an attack actually takes place. The plugin checks if the devices in the managed network have any common, widely-known and easily exploitable factory default passwords. In addition, the administrator has the capability of scanning for custom login credentials on devices in their environment. We note that the latest IoT Posture Assessment Library (PAL v19.0.3) will be able to detect IoT devices potentially vulnerable to the new credential pairs exploited by this newest Mirai variant.
What does this latest Mirai variant really mean for enterprises and end users?
Putting the damages and potential impact of the latest threat, breach, or other malicious act is never easy. But, to put the latest Mirai variant in perspective, imagine an executive-level meeting in which confidential, pre-market information is shared with board members globally via a wireless presentation system, such as WePresent. If that system were to become compromised, any sensitive information shared during those meetings could become compromised—resulting in data leakage, intellectual property (IP) theft, and ultimately, bankruptcy—or at a minimum, reputational damage. In another scenario, imagine a critical TV display in an emergency room is compromised—the same TV that’s connected to sensitive patient data. Now, hackers have access to personally identifiable information (PII) that they can sell on the Dark Web or leverage in public extortion attempts. Or, imagine what would happen if the monitors used by airports across the world were compromised, suddenly blacking out all flight information—or worse—replacing real flight information with false data. Or, imagine a heavily attended public event such as a concert or the Olympics, where compromised monitors go dark, the lights go out, and widespread panic ensues. These one-off scenarios could be devastating in and of themselves, but then imagine if the attackers focused their efforts on the larger DDoS Internet infrastructure—much like Mirai did to Dyn DNS in 2016—and successfully took entire countries offline, much in the way that Estonia, Liberia, and other countries were taken offline last year.
The potential damage extends beyond taking over small business conference room monitors—it spans to global, physical damage.
Additional Reading & Support: