As head of the security research team at Nozomi Networks Labs, today I’m proud to introduce our review of the OT/IoT threat landscape for the first half of 2020 (1H). During this time, our team saw an increase in threats to OT and IoT networks, especially IoT botnet, ransomware and COVID-19-themed attacks.
These attack types align with global computing and socio-economic trends. The rapid rise in IoT devices and connections, the worldwide COVID-19 pandemic, and the increasing growth and sophistication of cyber criminals using ransomware for financial gain are the significant drivers.
Our report provides an overview of the most active threats we saw in 1H, insight into their tactics and techniques, and recommendations for protecting your critical networks. Read on to learn some of the report’s highlights.
The latest Nozomi Networks OT/IoT Security Report finds IoT botnets, shifting ransomware and COVID-19 themed attacks have increased the security stakes for enterprises worldwide.
IoT Malware Threats are Growing Rapidly
IoT malware threats are growing and will be an important component of the threat landscape for the foreseeable future. Several factors are contributing to this unprecedented growth, including:
- Exponential growth in the number of IoT devices.
- The insecure deployment of IoT devices that are directly accessible through the internet.
- A lack of security updates for IoT devices, leaving devices vulnerable to common (non-zero-day) exploits by many threat actors.
- The lack of visibility into IoT device security posture experienced by many asset owners.
IoT devices are an easy and plentiful target for attackers. Popular examples of IoT malware observed in 2020 1H are shown in the infographic above.
One of the interesting botnets is Dark Nexus, discovered in April 2020. Its code development process is quite intriguing. Dark Nexus operators frequently issue new updates similar to releases you see with commercial software. Additionally, Dark Nexus operators brazenly hawk their DDoS mitigation services on the open internet.
From a technical point of view, what stands out about Dark Nexus when compared to competing botnets is the elaborate mechanisms it uses to profile the processes running on the infected device. The goal of these mechanisms is to identify suspicious processes that might hinder the smooth execution of the malware.
While Dark Nexus initially infected only a few thousand devices, numbers can fluctuate quickly, and defenders should keep an eye on this type of threat.
Shifting Ransomware Escalates Enterprise Risk
Ransomware attacks targeting a variety of industry verticals remain commonplace. What is changing is the significance of the targets. Ransomware gangs have shifted their focus to larger, more critical targets with deeper pockets, including manufacturers, energy operators, local municipalities, and others.
Ransomware operators typically encrypt files and demand ransom payments from affected parties. Now they also exfiltrate company data and threaten to leak it publicly, as a way to apply more leverage.
Ransomware attackers are demanding higher ransoms and aiming at larger, more critical organizations. They are now deploying a two-pronged approach that combines data encryption with data theft.
See our report to learn details about these ransomware threats:
- Maze, Ryuk, Sodinokibi, DoppelPaymer, SNAKE/EKANS
COVID-19-Themed Malware Takes Advantage of Remote Work and a Climate of Anxiety
The COVID-19 global pandemic has provided threat actors with more vectors and opportunities for exploitation. The attack surface for most companies has greatly expanded with the fast switch to work-from-home policies. Some companies have infrastructure that allows remote work, such as VPNs and work laptops. Many others were not prepared and had to quickly come up with solutions, opening the door to security risks.
Furthermore, the climate of anxiety and uncertainty caused by COVID-19 makes targets more susceptible to social engineering attacks. Threat actors primarily used phishing emails in the initial attack phase to lure users into giving up personal information or executing malicious software.
An example is the Chinoxy Backdoor malware family. It embeds a document containing information related to COVID-19 assistance in a .rtf file exploiting CVE-2017-11882. The exploit is used to drop malicious binaries in the machine, which use HTTP over port 443 for C&C communication.
When threat actors gain access to systems and exfiltrate network data, they always leave a trail. That’s good news because the trail can be identified and quickly acted on if you have clear visibility into what’s happening in your OT/IoT networks.
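As an added example (not code from the report or from Nozomi Networks), a small Python heuristic for the kind of trail the Chinoxy description leaves: plaintext HTTP on TCP port 443, where a monitor would expect a TLS ClientHello. The port set, flow names and sample payloads are constructed assumptions, not observations from the report.

```python
# Added example: flag plaintext HTTP on ports where TLS is expected.
# Sample payloads below are constructed for illustration only.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")
TLS_EXPECTED_PORTS = {443, 8443}  # assumption: ports the monitor treats as TLS-only


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x0X,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return (
        len(payload) >= 6
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[2] <= 0x04
        and payload[5] == 0x01
    )


def looks_like_plaintext_http(payload: bytes) -> bool:
    """Request line such as 'POST /upload HTTP/1.1' in the clear."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(HTTP_METHODS) and b" HTTP/1." in first_line


def classify_flow(dst_port: int, first_client_payload: bytes) -> str:
    """Return 'tls', 'http-on-tls-port', 'http' or 'unknown' for a flow."""
    if looks_like_tls_client_hello(first_client_payload):
        return "tls"
    if looks_like_plaintext_http(first_client_payload):
        return "http-on-tls-port" if dst_port in TLS_EXPECTED_PORTS else "http"
    return "unknown"


# Constructed sample flows: name -> (dst_port, first client payload).
SAMPLE_FLOWS = {
    "browser": (443, bytes.fromhex("160301002e0100002a0303") + b"\x00" * 32),
    "web":     (80,  b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "suspect": (443, b"POST /upload HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
}


def suspicious_flows(flows=SAMPLE_FLOWS) -> list:
    """Names of flows carrying plaintext HTTP where TLS was expected."""
    return [name for name, (port, data) in flows.items()
            if classify_flow(port, data) == "http-on-tls-port"]


if __name__ == "__main__":
    for name, (port, data) in SAMPLE_FLOWS.items():
        print(f"{name:8s} port {port}: {classify_flow(port, data)}")
```

The check only inspects the first client payload of a flow; a real monitor would also correlate the destination with the process and host inventory the report recommends keeping.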
The COVID-19 global pandemic has provided threat actors with more opportunities for exploitation, particularly remote access and social engineering focused attacks. Cybercrimes increased dramatically.
ICS Vulnerabilities Remain a Challenge
Vulnerabilities discovered in ICS systems provide attackers with opportunities to disrupt or manipulate data, which can impact physical processes and be extremely dangerous. It is therefore important to take the trends in vulnerabilities and weaknesses into account when evaluating security risks.
The number of vulnerabilities tracked by ICS-CERT in the first half of 2020 grew significantly compared to 2019. A reasonable course of action for asset owners is to reduce exposure by addressing easy-to-mitigate vulnerabilities first. Over time, more and more vulnerabilities can be mitigated.
Improper input validation and buffer overflow vulnerabilities lead the 2020 chart in terms of numbers. While the former falls into the easy-to-mitigate category, the latter is more difficult to address. Buffer overflows require firmware updates from vendors, the replacement of old equipment, or other mitigations. Unfortunately, this group will likely continue to represent a significant percentage of the vulnerabilities discovered for the next few years.
Overall, a multi-pronged strategy of monitoring, vulnerability elimination and vulnerability mitigation is recommended.
Shifting OT/IoT Threats Call for High Cyber Resiliency
We expect that attacks from IoT botnets, ransomware and COVID-19-themed malware will continue to grow, though they will shift and adapt in the second half of the year. Given that threats are increasing and constantly changing, it’s important to maintain high cyber resiliency and fast response capabilities.
In this regard, security gaps related to people, processes and technology have a large impact. For example, the separation of IT and OT in organizations with increasingly connected IT, OT, and IoT systems can lead to blind spots. But, with the right technology and a focus on best practices, you can increase visibility and operational resiliency.
We encourage you to subscribe to Nozomi Networks Labs and utilize our cybersecurity community resources to stay on top of the latest threats.
Nozomi Networks Community Tools
- Webpage: Nozomi Networks Labs
- GitHub: Nozomi Networks
- Blog: Dark Nexus IoT Botnet: Analyzing and Detecting its Network Activity
- Blog: Snake Ransomware is Raising Concerns for Industrial Controls Systems
- Blog: COVID-19 Chinoxy Backdoor: A Network Perspective
- Webpage: COVID-19 Malware: Community Support
Security Research Manager, Nozomi Networks
Alessandro Di Pinto is an Offensive Security Certified Professional (OSCP) with an extensive background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) and GIAC Cyber Threat Intelligence (GCTI) certifications. Alessandro co-authored the research papers “TRITON: The First ICS Cyber Attack on Safety Instrument Systems” and “Analyzing the GreyEnergy Malware: from Maldoc to Backdoor”.