As we head into 2021, many organizations have been transforming their business offerings and operations to survive in the “new normal” economy.
Operational systems, which are at the heart of value and revenue creation, are more vital than ever. Securing these systems against a constantly changing threat landscape is an additional challenge. As we saw with the recent Oldsmar water facility attack, criminals are targeting critical infrastructure and industrial systems.
To help security teams and operators of OT and IoT environments, we have produced a new security report. It provides an overview of the most significant threats and vulnerability trends of recent months, as well as actionable insights and recommendations for securing operational systems.
The latest Nozomi Networks OT/IoT Security Report finds supply chain and persistent ransomware attacks have increased security risks for enterprises worldwide.
Supply Chain Threats and Vulnerabilities
SolarWinds was the most notable cyber operation of 2020. The supply chain attack resulted in the infection of thousands of primarily U.S.-based organizations. This attack, plus recent vulnerability trends, means that now is the time for asset owners to re-evaluate the attack surfaces of their OT/IoT systems, and reassess supply chain risks.
The SolarWinds attack involves an advanced threat actor, likely a nation state, that compromised a SolarWinds network monitoring product widely used to manage IT infrastructure.
Victims of the attack include U.S. government agencies plus critical infrastructure and manufacturing operations. The damage is sophisticated espionage, with unknown impacts in the future.
Although the SolarWinds threat actor(s) carefully selected just a few targets to receive the malicious payload that allows them to have further access within compromised networks, all infected organizations now face the significant challenge of sanitizing their networks. For example, many credentials might need to be updated.
The SolarWinds attack also reflects the most important recent vulnerability trend, which is supply chain research and exploitation. It is an example of a threat actor very carefully selecting a widely used software as its supply chain target. This attack highlights the risks to end users who have limited agency over the software used within their networks.
Another type of software supply chain threat is embedded component risk, as exemplified by the Ripple20 vulnerabilities.
Ripple20 consists of 19 vulnerabilities identified in the TCP/IP stack from Treck. At the time of exposure, there was high concern about the risks that these vulnerabilities posed to IoT devices. However, later in the year, additional research showed that there is little chance that many targets meet the requirements needed for exploitation by a motivated actor.
Attack surface reduction and network segmentation are two best practices to counter supply chain risks. In addition, OT and IoT network monitoring is a key technology that helps define the attack surface and detect anomalous activity indicative of an advanced threat.
Persistent Ransomware Attacks Reach New Heights
Persistent ransomware threat actors dominate the threat landscape, doggedly targeting organizations they believe can pay lucrative ransoms. And they are not just demanding financial payments, but are exfiltrating data and deeply compromising networks for future nefarious activities. Sadly, targets included healthcare organizations researching and producing vaccines for COVID-19.
The sophistication of ransomware criminals is increasing, with more of them using combinations of strategies and threat vectors. A prime example is the Ryuk ransomware group, which is estimated to be behind a significant percentage of all ransomware attacks in 2020. Its attack chain typically proceeds through the following stages:
- Phishing email
- BazaarLoader execution
- Cobalt Strike deployment
- Domain discovery
- ZeroLogon against the domain controller (DC)
- Additional asset discovery
- Ransomware deployment
Amazingly, depending on the targeted network, the length of time from initial infection to ransomware execution can be as fast as a couple of hours.
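As an added illustration (not code from the report or from Nozomi Networks), the following Python sketch shows how a defender could correlate detector alerts against the ordered Ryuk stages listed above and measure how quickly a host is progressing toward ransomware deployment; the alert line format, the stage tags and the sample alerts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ordered Ryuk stages as listed in the post; the tag names are constructed.
RYUK_CHAIN = [
    "phishing_email", "bazaarloader_execution", "cobalt_strike_deployment",
    "domain_discovery", "zerologon_attempt", "asset_discovery",
    "ransomware_deployment",
]
DC_STAGE = RYUK_CHAIN.index("zerologon_attempt")

@dataclass
class Alert:
    ts: datetime
    host: str
    stage: str

def parse_alert(line):
    # Constructed format: "<ISO timestamp> <host> <stage_tag>"
    ts, host, stage = line.split()
    return Alert(datetime.fromisoformat(ts), host, stage)

def triage(alerts, fast=timedelta(hours=3)):
    """Per host: furthest chain stage reached, elapsed time from the first
    chain alert, and whether the case should be escalated (the DC stage
    was reached, or three or more stages within the 'fast' window)."""
    progress = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.stage not in RYUK_CHAIN:      # unrelated alerts are ignored
            continue
        idx = RYUK_CHAIN.index(a.stage)
        cur = progress.setdefault(a.host, {"idx": -1, "first": a.ts, "last": a.ts})
        if idx > cur["idx"]:               # only forward movement counts
            cur["idx"], cur["last"] = idx, a.ts
    result = {}
    for host, cur in progress.items():
        elapsed = cur["last"] - cur["first"]
        result[host] = {
            "furthest": RYUK_CHAIN[cur["idx"]],
            "elapsed": elapsed,
            "escalate": cur["idx"] >= DC_STAGE or (cur["idx"] >= 2 and elapsed <= fast),
        }
    return result

# Constructed sample alerts: ws01 runs the full chain in about two hours.
SAMPLE_ALERTS = """2020-10-05T09:00:00 ws01 phishing_email
2020-10-05T09:05:00 ws01 bazaarloader_execution
2020-10-05T09:20:00 ws01 cobalt_strike_deployment
2020-10-05T09:40:00 ws01 domain_discovery
2020-10-05T10:30:00 ws01 zerologon_attempt
2020-10-05T10:45:00 ws01 asset_discovery
2020-10-05T11:10:00 ws01 ransomware_deployment
2020-10-05T13:00:00 ws02 phishing_email
2020-10-05T13:02:00 ws02 bazaarloader_execution
2020-10-05T14:00:00 ws03 port_scan"""
```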
Recommendations for Securing OT/IoT Environments
In a threat landscape where ransomware organizations are attacking companies indiscriminately, it’s vital to understand the vulnerabilities under active exploitation, seven of which are described in our report. This risk is heightened by the fact that advanced threat groups are utilizing non-zero-day vulnerabilities to conduct sophisticated attacks.
Organizations should focus on identifying unpatched software and implementing update or mitigation policies. Subscription to threat intelligence services helps by providing current OT and IoT threat and vulnerability intelligence.
In considering how to respond to the threat landscape, simply knowing attack and vulnerability numbers for a given timeframe is not the way to assess risk. It provides a very skewed representation of the actual risks faced by an organization.
Instead, security teams should continuously improve security fundamentals, and assess how these measures behave against the major emerging threats. Our OT/IoT Security Report summarizes the major threats and risks to OT and IoT environments, speeding up your understanding of the current threat landscape. We also provide ten recommendations that give you actionable insights on ways to improve defenses against this threat landscape.
As cyber threats evolve, we encourage you to subscribe to Nozomi Networks Labs and utilize our cybersecurity community resources to stay up-to-date.
Supply Chain and Persistent Ransomware Attacks Reach New Heights
- 7 trends defining today’s threat landscape
- 18 specific threats you need to know about
- Recent vulnerability research and exploitation trends
- 7 types of vulnerabilities under active exploitation
- 10 recommendations for securing OT/IoT networks
- The current threat landscape
- Supply chain threats to OT and IoT environments
- Ransomware risks, particularly for pandemic-related targets
- Protecting your critical OT/IoT networks
- Alessandro Di Pinto, Security Research Manager
- Ivan Speziale, Security Researcher
- Chris Grove, Technology Evangelist
Nozomi Networks Community Tools
- Webpage: Nozomi Networks Labs
- GitHub: Nozomi Networks
- Blog: Hard Lessons from the Oldsmar Water Facility Cyberattack Hack
- Blog: New Reolink P2P Vulnerabilities Show IoT Security Camera Risks
- Blog: New Threat Intelligence Reveals Misuse of DNS Protocol
Security Research Manager, Nozomi Networks
Alessandro Di Pinto is an Offensive Security Certified Professional (OSCP) with an extensive background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) and GIAC Cyber Threat Intelligence (GCTI) certifications. Alessandro co-authored the research paper “TRITON: The First ICS Cyber Attack on Safety Instrument Systems” and “Analyzing the GreyEnergy Malware: from Maldoc to Backdoor”.