Traditionally, ransomware crews have targeted IT systems directly, using methods such as email attachments, phishing, and malicious web scripts. Researchers at Forescout predict that the next generation of ransomware will instead enter through Internet of Things (IoT) devices, taking advantage of their lax security to attack IT systems and operational technology (OT) from inside the network.
Researchers are developing a proof of concept to test this form of ransomware, calling the new approach "Ransomware for IoT," or R4IoT. The attack relies on exploiting known vulnerabilities and configuration errors in IoT devices such as routers and IP cameras to gain initial access to a network, after which an attacker can move laterally to traditional IT devices and then on to an organization's OT devices. At this time it "works at large-scale on a wide variety of devices impacted by TCP/IP stack vulnerabilities" and is not limited to a particular operating system or device type.
Be careful what you plug in
It's the IP cameras, routers, printers, PLCs (programmable logic controllers), and whatever else you have in terms of IoT and OT. Tie them all together on one network and you have a larger attack surface that is very hard to patch and very hard to manage for any security team.
The R4IoT proof-of-concept study used an IP camera that had been incorrectly exposed to connections from outside the network. By chaining a series of critical vulnerabilities to gain root access on the camera, the security team effectively turned it into a proxy running a Remote Desktop Protocol (RDP) credential cracker. That allowed them to recover valid credentials and log in to a connected Windows machine.
From that foothold, the team not only deployed a rogue's gallery of malware across the IT network, such as file encryptors and cryptominers, but also ran a custom network scanner, Memoria, that identifies "critical IoT/OT assets in the network that may contain critical vulnerabilities." Memoria then launches denial-of-service attacks against those devices, shutting down the PLCs that control physical processes.
A blueprint for next-gen ransomware attacks
Although commercial ransomware crews are known to have discussed using IoT devices as an initial access vector, R4IoT's methodology is unique in how far it pushes into OT.
Usually the farthest attackers get is the Windows computer that manages those devices, typically an engineering workstation or a data historian, which belongs to the SCADA (supervisory control and data acquisition) layer that sits between the OT equipment and the rest of the organization. What the R4IoT proof of concept does differently is that once one of those machines is compromised, it scans the network for the level 1 process control equipment (the PLCs themselves) and takes those devices offline.
Attacks that use IoT devices as the entry point, as R4IoT does, could be commoditized on criminal markets in the future. They are potentially far more disruptive to a company's infrastructure than traditional phishing-delivered ransomware, because they can halt physical processes rather than only encrypt files. Organizations should include IoT and OT devices in their patching, segmentation, and network monitoring strategies now, or future attackers will have even more leverage to push ransom demands.
You have to rethink the whole security strategy, putting IoT and OT on the same level as IT.
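The monitoring advice above is concrete enough to show in code. The attack chain described earlier produces two network behaviours that are visible in ordinary firewall flow logs: an IoT device (the camera) making repeated RDP connection attempts into the IT segment, and a compromised IT host sweeping OT protocol ports across the PLC subnet. The script below is an added example written for this page, not Forescout's R4IoT or Memoria code; the zone ranges, the flow-log format, the allowed-port policy, the `ENGINEERING_WS` address and the alert thresholds are all assumptions, and the log lines are constructed.

```python
"""
Added example (not from the article or from Forescout): zone-aware triage of
firewall flow logs for the two behaviours an R4IoT-style chain produces.
Zone layout, ports, log format and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed three-zone layout; a real deployment would load this from IPAM/firewall data.
ZONES = {
    "IoT": ip_network("10.10.0.0/24"),   # IP cameras, printers
    "IT":  ip_network("10.20.0.0/24"),   # workstations, servers
    "OT":  ip_network("10.30.0.0/24"),   # PLCs and other level 1 devices
}
ENGINEERING_WS = ip_address("10.20.0.50")  # the only IT host allowed to reach OT (assumed)
RDP_PORT = 3389
OT_PORTS = {502, 102, 20000, 44818}        # Modbus/TCP, S7comm, DNP3, EtherNet/IP

# Segmentation policy: (src_zone, dst_zone) -> allowed destination ports (None = any).
# Pairs not listed are violations; in particular IoT must never initiate RDP into IT.
POLICY = {
    ("IoT", "IT"): {443},                  # e.g. cameras pushing video to a recorder (assumed)
    ("IT", "IoT"): None,                   # management from the IT side
    ("IT", "OT"): OT_PORTS | {RDP_PORT},   # only from ENGINEERING_WS, enforced below
}


def zone_of(ip):
    """Return the zone name for an address, or None if it is outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flows(log_text):
    """Parse constructed flow records of the form '<ts> <src> <dst> <dport> <proto>'."""
    flows = []
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def policy_violations(flows):
    """Cross-zone flows that the segmentation policy does not permit."""
    bad = []
    for f in flows:
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz is None or dz is None or sz == dz:
            continue
        allowed = POLICY.get((sz, dz), set())
        ok = allowed is None or f["dport"] in allowed
        if (sz, dz) == ("IT", "OT") and ip_address(f["src"]) != ENGINEERING_WS:
            ok = False  # any other IT host touching OT is a violation
        if not ok:
            bad.append(f)
    return bad


def rdp_brute_force(flows, threshold=10):
    """IoT-zone sources with at least `threshold` RDP attempts: the camera-as-cracker step."""
    counts = defaultdict(int)
    for f in flows:
        if f["dport"] == RDP_PORT and zone_of(f["src"]) == "IoT":
            counts[f["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def ot_sweeps(flows, min_targets=3):
    """Sources touching OT protocol ports on many distinct OT hosts: the scanner step.
    Flagged even for ENGINEERING_WS, which the policy allows but which should not sweep."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] in OT_PORTS and zone_of(f["dst"]) == "OT":
            targets[f["src"]].add(f["dst"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def triage(log_text):
    """Run all three checks over a flow log and return their findings."""
    flows = parse_flows(log_text)
    return {
        "violations": policy_violations(flows),
        "rdp_brute_force": rdp_brute_force(flows),
        "ot_sweeps": ot_sweeps(flows),
    }


# Constructed sample log: camera 10.10.0.23 hammers RDP on the engineering workstation,
# then the workstation (now attacker-controlled) sweeps Modbus across the PLC subnet.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d}Z 10.10.0.23 10.20.0.50 3389 TCP" for i in range(12)]
    + ["2024-05-01T10:01:00Z 10.10.0.23 10.20.0.9 443 TCP"]   # permitted by policy
    + [f"2024-05-01T10:05:{i:02d}Z 10.20.0.50 10.30.0.{i} 502 TCP" for i in range(1, 6)]
    + ["2024-05-01T10:06:00Z 10.20.0.77 10.30.0.1 502 TCP"]   # non-EWS host into OT
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Two of the checks are pure policy (the camera should never speak RDP to IT, and only the engineering workstation may reach OT), so they only work if the IoT and OT segments are actually separated and their traffic reaches the firewall or a sensor. The sweep check is behavioural: the engineering workstation is allowed to talk to PLCs, so a policy rule alone would never catch the Memoria-style scan, and the detection has to key on the number of distinct OT hosts touched in a short window instead.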