An Attacker’s IoT Paradise: Billions of Insecure Devices

Trend Micro Envisions Maturing IoT Attacker Business Models

Industrial controllers for the pharmaceutical industry made by WAGO (Source: Pierre75000 via Wikipedia/CC)

Trend Micro published a threat report called Uncovering IoT Threats in the Cybercrime Underground that outlined many interesting discoveries about threat groups targeting IoT devices and offered predictions for the coming months.

While the underground groups reflect differing interests, skills and languages, they have commonalities that should sound alarms for custodians of SCADA and ICS installations throughout the energy, communications, transportation and manufacturing sectors (see Could Large-Scale IIoT Failures Be on the Horizon?).

Each of these criminal online communities is highly interested in learning how to compromise all kinds of IoT devices. There are loads of tutorials and research that have been compiled on hacking techniques, vulnerability exploitation and even source code for script kiddies, allowing even the least-skilled hacker to do plenty of serious damage.

Although the Trend Micro researchers did not discover a concerted effort on the part of criminal groups to massively damage or compromise any critical large-scale IoT infrastructure, all indications point that way. Most of today’s mass infections are caused by exploitable vulnerabilities – as was the MikroTik case in Brazil – or by weak credentials – as in every Mirai attack (see IoT Botnets: Why the Next Mirai Could Be Worse).

The researchers were starting to see the first attempts to find ways to monetize device infections, which, if successful, would substantially boost systemic IoT attacks on commercial infrastructure where attackers could easily monetize their attacks. The researchers also tracked evidence of nation-states and more dangerous threat actors infecting IoT devices to use them as DDoS platforms and proxy agents.

Cybercriminals motivated by money are also finding similar uses for infected devices, giving life to advanced commercial attack scenarios. Their monetization model is going to continue to be based on extorting custodians of industrial targets under the threat of extended downtime, similar to the recent increase in ransomware attacks.

Key Findings

Here are a few of the researchers’ most interesting findings:

1. Modified PLCs (programmable logic controllers) and the HMIs (human machine interfaces) used to control PLCs are increasingly being discovered. Behind these are smart factories or other heavy equipment or machinery. These devices will be attacked more often to the point where the current policy of “availability first, then security second” will need to shift to a more secure configuration. The business model to monetize an attack against these devices is extortion.

In this kind of attack, the monetization comes from threatening the device’s owner with downtime. This way, the criminal can make money out of the attack without the need to understand how the device functions. Anyone with marginal hacking skills can conduct these attacks.

2. In the same way that the Mirai botnet has evolved to support more routers and has improved its capabilities, we will see more attacking toolkits that support more devices and are easier to use. As the art progresses, the expectation is that a top five list will emerge, with the leading kits mimicking the success of banking Trojans.

3. More and different kinds of devices will be joining the internet as the market for devices becomes more mature. That will be reflected in an extensive list of devices that each malicious toolkit will include in its arsenal. Sort of like: “Works well with refrigerators, toasters, set-top controllers, cameras and PlayStations.”

4. Because the possibilities for attackers are multiplying, we are now seeing more advanced threats, such as low-level rootkits and firmware infections, available in underground markets. New classes of devices that are susceptible to attack include virtual reality devices. Cryptocurrency mining kits and toolkits specifically designed for those targets are already available on underground markets.

5. The increase of mobile connectivity worldwide will allow for faster attacks and additional capabilities for hackers. The switch from 4G to 5G will offer attackers more avenues for exploitation or monetization. The likely principal targets are autonomous vehicles and control of remote medical devices, both of which offer rich monetization opportunities as the loss of life presents a clear and very present risk.

6. Within the next 18 months, a much more mature set of attacker business models, toolkits and malware-as-a-service packages will emerge, targeting the commercial IoT sectors across every industry and critical infrastructure backbone components.

A Target-Rich Environment

Unfortunately, the speed at which IoT is enabling innovation is far outpacing the ability of the security custodians to influence appropriate controls before these devices hit their markets.

This creates a classic target-rich environment for the bad guys – one that will require vigorous defense and oversight.