Today, Nozomi Networks Labs released its new security research report featuring trend analysis of public OT/IoT cybersecurity incidents over the past six months, as well as real-world telemetry data from Nozomi Networks deployments. The report focuses on findings based on ICS vulnerabilities, data from IoT honeypots, and attack statistics from OT environments. This blog gives a snapshot of the overall report.
Threat Landscape Trends
There are three main categories of OT/IoT cyber incidents: opportunistic, targeted, and accidental. A review of publicly disclosed attacks over the past six months finds that opportunistic attacks remain the most prevalent: they continue to flood traffic via DDoS attempts, enumerate common weaknesses and vulnerabilities for initial access, and try malware strains by trial and error regardless of network domain or target system.
Targeted attacks continue to tailor exploitation to a specific, well-researched victim organization, location, or both. Threat actors are also continuing to pursue living off the land techniques to evade security and extend their reconnaissance efforts to increase the severity of potential exploitation, disruption, and/or damage. Finally, accidental impacts – human error or attacks slipping out of scope to impact OT and IoT – though not always publicly reported, are still fairly common and will become more costly as interoperability continues to drive organizational missions and business decisions.
Since the beginning of the year, we have continued to see high-profile cyber activity from several types of threat actors, mainly featuring ransomware gangs deploying living-off-the-land techniques. These techniques are easily accessible, capable of evading detection, highly adaptive, and supportive of automation.
The manufacturing, energy, healthcare, and water and wastewater sectors in particular have been impacted, and government and city services have been disrupted. In addition to ransomware, Distributed Denial of Service (DDoS) attacks emerged, as did new variants of the 2016 Mirai botnet. Industrial control systems were directly impacted in at least three of the incidents in this time period.
Governments around the world have also been working to enhance cybersecurity legislation and critical infrastructure policy at the national level in the first half of the year, including the U.S. National Cybersecurity Strategy and its subsequent implementation plan, the European Union NIS 2 Directive, and the Security of Critical Infrastructure Act in Australia.
Findings from Real-World OT/IoT Deployments
Based on telemetry data collected from OT and IoT environments covering a variety of use cases and industries worldwide, we continue to track a high volume of network scanning indications in water treatment facilities, cleartext password alerts across the building materials industry, program transfer activity in industrial machinery, OT protocol packet injection attempts in oil and gas networks, and more.
Overall, activity related to poor authentication and password hygiene topped the list of critical alerts for a second consecutive reporting period – though activity in that category declined 22% over the previous six months. Specific to malware, denial-of-service (DoS) activity remains one of the most prevalent attacks against OT systems. This is followed by the remote access trojan (RAT) category, commonly used by attackers to establish control over compromised machines. Distributed denial of service (DDoS) threats are the top threat in IoT network domains. Malicious IoT botnets remain active this year as threat actors continue to use default credentials in attempts to access chained IoT devices.
“Trojan” and “Dualuse” are among the most commonly detected alerts across OT and IoT environments. “Ransomware” remains a frequently recognized malware category across Enterprise/IT domains, causing significant damage to normal business operations all over the globe. When analyzing cross-domain malware, “Phishing” alerts are the most prevalent threat activity falling under multiple domains; phishing is commonly used to steal sensitive information and establish initial access, sometimes deploying malware to infect targets.
The most triggered customer alerts vary depending on the industry. While Water Treatment facilities witnessed higher numbers of generic network scanning alerts typically associated with authorized scanning or threat actor probing, customers in Oil and Gas were more likely to experience alerts related to OT protocol packet injection. OT protocol packet injection involves a correct protocol packet injected in the wrong context, such as a correct protocol message being sent in the wrong sequence. As a whole, many sectors share similar common alert types like poor credential management, cleartext password identification, and TCP flood alerts.
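The OT protocol packet injection category above is worth a concrete illustration, because each injected packet is individually valid and only the sequence gives it away. The following is an added example, not code from the Nozomi Networks report or product: it models a simplified master-to-device request/response protocol (the message fields, the rule that the master increments the transaction id by one per request, and the captured messages are all constructed assumptions) and flags well-formed messages that arrive in the wrong context, such as a request whose transaction id jumps ahead or a response with no matching request.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Msg:
    """One decoded message of a constructed, simplified OT request/response protocol."""
    ts: float     # capture time in seconds
    src: str
    dst: str
    kind: str     # "REQ" (master -> device) or "RESP" (device -> master)
    tid: int      # transaction id; in this model the master increments it by one per request
    func: str     # function name, e.g. "READ_REGS" or "WRITE_REG"


class Conversation:
    """Sequence state for one master/device pair."""

    def __init__(self) -> None:
        self.pending: Dict[int, str] = {}        # open transaction id -> requested function
        self.expected_tid: Optional[int] = None  # None until the first request is seen

    def observe(self, m: Msg) -> Optional[str]:
        """Update state with one message; return an alert string if it is out of context."""
        if m.kind == "REQ":
            alert = None
            if m.tid in self.pending:
                alert = f"request tid={m.tid} ({m.func}) repeats a transaction that is still open"
            elif self.expected_tid is not None and m.tid != self.expected_tid:
                alert = f"unexpected tid {m.tid} (expected {self.expected_tid}) on {m.func}"
            self.pending[m.tid] = m.func
            self.expected_tid = m.tid + 1
            return alert
        if m.kind == "RESP":
            if m.tid not in self.pending:
                return f"response tid={m.tid} ({m.func}) with no matching request"
            req_func = self.pending.pop(m.tid)
            if req_func != m.func:
                return f"response func {m.func} does not match request {req_func} (tid={m.tid})"
            return None
        return f"unknown message kind {m.kind!r}"


def scan(messages: List[Msg]) -> List[str]:
    """Replay a capture in time order and collect sequence/context alerts per conversation."""
    convs: Dict[Tuple[str, str], Conversation] = {}
    alerts: List[str] = []
    for m in sorted(messages, key=lambda x: x.ts):
        # key every conversation as (master, device) regardless of direction
        key = (m.src, m.dst) if m.kind == "REQ" else (m.dst, m.src)
        conv = convs.setdefault(key, Conversation())
        a = conv.observe(m)
        if a:
            alerts.append(f"{m.ts:.3f} {m.src}->{m.dst}: {a}")
    return alerts


# Constructed capture: two legitimate read transactions, then two injected packets that are
# each syntactically valid but wrong for where they land in the sequence.
MASTER, DEVICE = "10.0.0.5", "10.0.0.20"
SAMPLE = [
    Msg(1.0, MASTER, DEVICE, "REQ", 1, "READ_REGS"),
    Msg(2.0, DEVICE, MASTER, "RESP", 1, "READ_REGS"),
    Msg(3.0, MASTER, DEVICE, "REQ", 2, "READ_REGS"),
    Msg(4.0, DEVICE, MASTER, "RESP", 2, "READ_REGS"),
    Msg(5.0, MASTER, DEVICE, "REQ", 9, "WRITE_REG"),    # spoofed master address, tid jumps 3 -> 9
    Msg(6.0, DEVICE, MASTER, "RESP", 7, "WRITE_REG"),   # response nobody asked for
]

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
```

The two alerts come from different checks: the write request is caught by the transaction-id expectation, the stray response by the open-transaction table. Running only the first four messages through `scan` produces no alert, which is the baseline a sensor needs before the sequence rules are useful.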
ICS Vulnerabilities Remain High
As reported and catalogued by CISA and the U.S. National Vulnerability Database, there continue to be thousands of known vulnerabilities in OT/ICS machines and devices. Threat actors continue to aggressively probe Enterprise/IT, OT, and IoT networks across the globe, and their capacity, the sophistication of their capabilities, and their TTPs keep growing. They continue to look for new access points – in networked communications, hardware, software, supply chain intrusions, vendor access and management, and more. Even when IT attacks don’t cross into OT systems, too often OT networks and processes are hampered by attacks on the IT systems they’ve come to rely upon.
The report found that the number of vulnerabilities discovered in OT and IoT devices so far in 2023 remains high, and many of them are considered critical and/or easily exploitable. Manufacturing, Energy and Water/Wastewater remain the most vulnerable industries. Food & Agriculture and Chemicals move into the top five, replacing Transportation and Healthcare, which were among the top five most vulnerable sectors in our previous six-month reporting period. In the first half of 2023:
- CISA released 641 Common Vulnerabilities and Exposures (CVEs)
- 62 vendors were impacted
- Out-of-Bounds Read and Out-of-Bounds Write vulnerabilities remained in the top CWEs – both are susceptible to several different attacks including buffer overflow attacks
Data from IoT Honeypots
Nozomi Networks’ distributed IoT honeypots witnessed between hundreds and thousands of unique attacker IP addresses daily. Some of the commands used after stealing credentials are generic and serve only to reach the right shell or admin terminal. Others are quite interesting, featuring a hardcoded public SSH key that attackers add to the machine’s list of “trusted keys.” Trusted keys are used to maintain persistent access, providing a way to connect via SSH to the compromised machine later.
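A defender's counterpart to the trusted-key persistence observed in the honeypots is a periodic audit of the keys a host actually trusts against the keys it should trust. The block below is an added example, not code from the report or from Nozomi Networks: it parses the OpenSSH `authorized_keys` line format (optional options, key type, base64 key blob, comment), computes the same `SHA256:` fingerprint convention OpenSSH prints, and reports every key whose fingerprint is not on an allowlist. The three ed25519 public keys and the sample file are constructed in the code and are not real keys; the allowlist-as-fingerprints design is an assumption of this example.

```python
import base64
import binascii
import hashlib
import struct
from typing import List, NamedTuple, Set

# Key types this parser recognises as the start of the key material.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}


class KeyEntry(NamedTuple):
    line_no: int
    options: str      # e.g. 'command="...",no-pty'; empty when the line has none
    key_type: str     # "UNPARSED" when the line could not be decoded
    fingerprint: str  # "SHA256:<base64 without padding>" as printed by ssh-keygen -l
    comment: str


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw_key: bytes) -> str:
    """Encode a 32-byte ed25519 public key as the base64 blob used in authorized_keys."""
    assert len(raw_key) == 32
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[KeyEntry]:
    """Parse authorized_keys content; undecodable lines are kept and marked UNPARSED."""
    entries: List[KeyEntry] = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Options may contain quoted spaces; locating the key-type token and re-joining
        # what precedes it is a simplification that keeps them intact.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append(KeyEntry(n, "", "UNPARSED", "", line))
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except (binascii.Error, ValueError):
            entries.append(KeyEntry(n, "", "UNPARSED", "", line))
            continue
        entries.append(KeyEntry(n, " ".join(tokens[:idx]), tokens[idx], fp,
                                " ".join(tokens[idx + 2:])))
    return entries


def audit(text: str, allowlist: Set[str]) -> List[KeyEntry]:
    """Return every entry whose fingerprint is not on the allowlist (unparsed lines included)."""
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in allowlist]


# Constructed sample keys (deterministic byte patterns, not real key material).
KNOWN_ADMIN = bytes(range(32))
KNOWN_BACKUP = bytes([0x11] * 32)
ROGUE = bytes([0xDE] * 32)

ALLOWLIST = {fingerprint(ed25519_blob(KNOWN_ADMIN)), fingerprint(ed25519_blob(KNOWN_BACKUP))}

AUTHORIZED_KEYS = "\n".join([
    "# managed by config management (constructed sample)",
    f"ssh-ed25519 {ed25519_blob(KNOWN_ADMIN)} ops@jumphost",
    f'command="/usr/bin/rrsync /backup",no-pty ssh-ed25519 {ed25519_blob(KNOWN_BACKUP)} backup@nas',
    "",
    f"ssh-ed25519 {ed25519_blob(ROGUE)}",   # appended key with no comment, not on the allowlist
])

if __name__ == "__main__":
    for e in audit(AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {e.line_no}: untrusted {e.key_type} {e.fingerprint} comment={e.comment!r}")
```

Keying the allowlist on fingerprints rather than on comments matters: the comment field is free text that anyone writing to the file can set to look legitimate, while the fingerprint is bound to the key material. Feeding the same audit function the per-user files from a fleet, with an allowlist drawn from the key inventory, turns the honeypot observation into a detection.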
From January through June 2023, Nozomi Networks honeypots found:
- An average of 813 unique attacks daily – the highest attack day hit 1,342 on May 1st
- Top attacker IP addresses were associated with China, the United States, South Korea, Taiwan and India
- Brute-force attempts remain a popular technique to gain system access – default credentials are one of the main ways threat actors gain access to IoT
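The two honeypot statistics above, daily unique attacker sources and brute-force attempts against default credentials, fall out of the same log aggregation. The following is an added example, not code from the report or from Nozomi Networks' honeypots: it parses a constructed login-event format (timestamp, source address, username, result), counts unique sources per day, flags any source that exceeds a failed-login threshold inside a sliding window, and then lists successful logins from flagged sources, which is the event a defender most wants to see when default credentials are in play. The log format, the threshold and window values, and all addresses (documentation ranges) are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Tuple

# Constructed honeypot login-event format (not the real honeypot's log format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>fail|success)$"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, source, username, result)


def parse(lines: List[str]) -> List[Event]:
    """Parse log lines into time-sorted events; lines that do not match are skipped."""
    events: List[Event] = []
    for ln in lines:
        m = LINE_RE.match(ln.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["res"]))
    events.sort()
    return events


def unique_sources_per_day(events: List[Event]) -> Dict[str, int]:
    """Number of distinct source addresses seen on each UTC day."""
    per_day: Dict[str, set] = defaultdict(set)
    for ts, src, _, _ in events:
        per_day[ts.date().isoformat()].add(src)
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def brute_force_sources(events: List[Event], threshold: int = 5,
                        window: timedelta = timedelta(seconds=60)) -> Dict[str, str]:
    """Sources with >= threshold failed logins inside any window; value is the time of crossing."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for ts, src, _, res in events:
        if res != "fail":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts.isoformat()
    return flagged


def successes_from_flagged(events: List[Event], flagged: Dict[str, str]) -> List[Tuple[str, str]]:
    """(source, username) pairs that logged in successfully after being flagged."""
    hits = []
    for ts, src, user, res in events:
        if res == "success" and src in flagged and ts.isoformat() >= flagged[src]:
            hits.append((src, user))
    return hits


# Constructed sample: one source hammers default usernames and gets in, one probes slowly,
# one appears on a different day.
SAMPLE_LOG = [
    "2023-05-01T10:00:01Z src=203.0.113.7 user=admin result=fail",
    "2023-05-01T10:00:05Z src=203.0.113.7 user=admin result=fail",
    "2023-05-01T10:00:09Z src=203.0.113.7 user=root result=fail",
    "2023-05-01T10:00:13Z src=203.0.113.7 user=root result=fail",
    "2023-05-01T10:00:17Z src=203.0.113.7 user=support result=fail",
    "2023-05-01T10:00:21Z src=203.0.113.7 user=admin result=success",
    "2023-05-01T10:01:00Z src=198.51.100.9 user=admin result=fail",
    "2023-05-01T10:05:00Z src=198.51.100.9 user=admin result=fail",
    "2023-05-01T10:09:00Z src=198.51.100.9 user=admin result=fail",
    "2023-05-02T03:12:44Z src=192.0.2.4 user=pi result=fail",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("unique sources per day:", unique_sources_per_day(ev))
    bf = brute_force_sources(ev)
    print("brute-force sources:", bf)
    print("successful logins from flagged sources:", successes_from_flagged(ev, bf))
```

The slow prober stays under the threshold by design, which is the usual trade-off of a fixed window; lengthening the window or adding a per-day failure count catches it at the cost of more noise from legitimate mistyped passwords. The success-after-burst list is the high-value output: a flagged source that subsequently authenticates is a credential that needs rotating, default or not.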
Threat actors continue to pursue the greatest ROI for their efforts in terms of financial gains or produced disruptions. Opportunistic attacks persist while tailored OT and IoT threat activity is a distinct risk for owners and operators of processes that tolerate little-to-no downtime. In a world where increased technology dependence is met with inherent risks, increased levels of automation and the adoption of machine learning and artificial intelligence capabilities have captured the attention of cyber defenders as well as adversaries.
Nozomi Networks Labs is dedicated to continuously tracking the evolving threat landscape of industrial and critical infrastructure security. We invite you to read the full report to learn more about what to watch for in the remaining half of 2023, including:
- A high number of vulnerabilities discovered in OT and IoT devices, with several considered critical and/or easily exploitable.
- Healthcare, energy, and manufacturing continuing to be highly targeted sectors by threat actors as ransomware continues to plague organizations.
- Generative AI models being used to aid cybersecurity defenders as well as threat actors
- Opportunistic attacks: exploiting vulnerabilities, abusing credentials, and phishing attempts for initial access, DDoS attempts, and trojan execution.