According to Microsoft, hackers use IoT devices to attack corporate networks. Microsoft has been registering this attack technique since April. The software company identifies the Strontium group as the author. Also known as APT 28 and Fancy Bear, it is believed to be associated with Russian intelligence.
Microsoft claims to have discovered the attacks on “popular IoT devices at several customer locations.” The hacker group attempted to use a VOIP phone, an office printer, and a video decoder to access the affected companies’ networks.
“The investigation found that an actor had used these devices to gain initial access to corporate networks,” the Redmond-based company said. “In two cases, the devices were deployed without changing the manufacturer’s default passwords.” In the third case, the hackers could carry out a successful attack because the latest security update had not been applied to the device.
According to Microsoft, the hackers use the compromised IoT devices as an entry point into their targets’ internal networks, where they would look for other vulnerable systems.
“After gaining access to each IoT device, the actor ran tcpdump to sniff network traffic on local subnets,” the company said.
Microsoft says it identified and blocked these attacks in their early stages, so it couldn’t figure out what data the hackers were targeting.
Cyber espionage groups are increasingly using IoT devices
It is not the first time that the hacker group Strontium has been credited with an attack via IoT devices. The same group previously maintained a botnet containing tens of thousands of home routers running VPNFilter malware. Experts believe that Strontium is preparing to use the botnet to carry out DDoS attacks.
But alongside Strontium, other government-sponsored groups have also begun to focus on IoT devices, particularly routers. Examples are the LuckyMouse, Inception Framework, and Slingshot groups.
Microsoft plans to release more information about Strontium’s attacks at the Black Hat USA 2019 security conference later this week.
What companies can do
Microsoft recommends that companies take the following measures when dealing with IoT devices to protect themselves against attacks:
· Approve and catalog all IoT devices operating in the enterprise environment.
· Develop a custom security policy for each IoT device.
· Never connect IoT devices directly to the internet; where direct exposure is unavoidable, implement custom access controls to limit it.
· If possible, set up a separate network for IoT devices.
· Conduct routine configuration and patch audits of deployed IoT devices.
· Define policies for isolating IoT devices, retaining device data, logging device traffic, and capturing device images for forensic investigations.
· Include IoT device configuration weaknesses and IoT-based intrusion scenarios in internal security testing.
· Monitor IoT device activity for abnormal behavior (e.g., a printer browsing a SharePoint site).
· Audit all identities and credentials that are authorized to access IoT devices, users, and processes.
· Centralize asset, configuration, and patch management.
· For devices provided and managed by third parties, include contractual provisions on security practices and on audits that report the security status and health of all managed devices.
· Build SLA terms into IoT device supply agreements that include a mutually acceptable window for investigative response and forensic analysis.
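The monitoring recommendation above (a printer that suddenly browses a SharePoint site, or a compromised device probing the local subnet for other systems) can be turned into a simple detection over flow logs. The following is an added example, not code from the article or from Microsoft; the asset catalog, per-class destination policy, address ranges, and flow records are all constructed for illustration.

```python
from collections import defaultdict

# Constructed asset catalog and per-class destination policy (hypothetical
# addresses): each IoT class may only talk to listed (dst_port, dst_prefix) pairs.
ASSET_CATALOG = {"10.20.5.11": "printer", "10.20.5.12": "voip-phone"}
POLICY = {
    "printer":    {(631, "10.20.5."), (9100, "10.20.5.")},   # IPP / raw print on its own subnet
    "voip-phone": {(5060, "10.1.2."), (5061, "10.1.2.")},    # SIP to the call manager subnet
}
FANOUT_THRESHOLD = 5  # distinct hosts contacted before we suspect subnet scanning

def parse_flow(line):
    """Parse a constructed 'HH:MM:SS src_ip dst_ip dst_port' record; None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[0], parts[1], parts[2], int(parts[3])

def analyze(lines):
    """Return (src_ip, reason) findings for cataloged IoT devices only."""
    findings, fanout = [], defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, port = flow
        cls = ASSET_CATALOG.get(src)
        if cls is None:
            continue  # not an inventoried IoT device; handled elsewhere
        if not any(port == p and dst.startswith(pre) for p, pre in POLICY[cls]):
            findings.append((src, f"{ts} {cls} reached {dst}:{port} outside policy"))
        fanout[src].add(dst)
    for src, hosts in fanout.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            findings.append((src, f"{ASSET_CATALOG[src]} touched {len(hosts)} hosts (possible lateral scanning)"))
    return findings

# Constructed sample flows: the printer does one legitimate print job, then
# reaches an internal web server and probes SMB on four more hosts.
SAMPLE_FLOWS = [
    "09:00:01 10.20.5.11 10.20.5.1 631",
    "09:00:05 10.20.5.11 10.1.9.40 443",
    "09:00:07 10.20.5.11 10.1.9.41 445",
    "09:00:08 10.20.5.11 10.1.9.42 445",
    "09:00:09 10.20.5.11 10.1.9.43 445",
    "09:00:10 10.20.5.11 10.1.9.44 445",
    "09:00:12 10.20.5.12 10.1.2.7 5060",
    "09:00:15 10.1.50.9 10.1.9.40 443",
]
```

Running `analyze(SAMPLE_FLOWS)` yields five out-of-policy findings for the printer plus one fan-out finding, while the VoIP phone and the non-IoT host produce nothing; in practice the catalog and policy would come from the device inventory the earlier bullets call for.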