How APTs Are Achieving Persistence Through IoT, OT, and Network Devices

To prevent these attacks, businesses must have complete visibility into, and access and management over, disparate devices.

Brian Contos, Chief Security Officer, Phosphorus Cybersecurity

June 23, 2022


Most of the news about Internet of Things (IoT) attacks has focused on botnets and cryptomining malware. However, these devices also offer an ideal target for staging more damaging attacks from inside a victim's network, similar to the methodology used by UNC3524. Described in a Mandiant report, UNC3524 uses a clever new tactic that exploits the insecurity of network, IoT, and operational technology (OT) devices to achieve long-term persistence inside a network. This type of advanced persistent threat (APT) is likely to become more common in the near future, so it's important for companies to understand the risks.

A Critical Blind Spot

Purpose-built IoT and OT devices that are network-connected and disallow the installation of endpoint security software can be easily compromised and used for a wide variety of malicious purposes.

One reason is that these devices are not monitored as closely as traditional IT devices. My company has found that more than 80% of organizations can't identify the majority of IoT and OT devices in their networks. There is also confusion about who is responsible for managing them. Is it IT, IT security, network operations, facilities, physical security, or a device vendor?

Consequently, unmanaged devices regularly carry high- and critical-severity vulnerabilities and lack firmware updates, hardening, and certificate validation. My company has analyzed millions of IoT, OT, and network devices deployed in large organizations, and we've found that 70% have vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 8 to 10. Further, we found that 50% use default passwords, and 25% are at end of life and no longer supported.

Compromising and Maintaining Persistence on IoT, OT & Network Devices

Taken collectively, all of these issues play directly into the hands of attackers. Because network, IoT, and OT devices don't support agent-based security software, attackers can install specially compiled malicious tools, modify accounts, and turn on services within these devices without being detected. They can then maintain persistence because vulnerabilities and credentials aren't being managed and firmware isn't being updated.

Staging Attacks Within the Victim Environment

Due to the low security and visibility of these devices, they are an ideal environment for staging secondary attacks on more valuable targets inside the victim's network.

To do this, an attacker will first get into the company's network through traditional approaches like phishing. Attackers can also gain access by targeting an Internet-facing IoT device such as a VoIP phone, smart printer, or camera system, or an OT system such as a building access control system. Since most of these devices use default passwords, this type of breach is often trivial to achieve.

Once on the network, the attacker will move laterally and stealthily to seek out other vulnerable, unmanaged IoT, OT, and network devices. Once those devices have been compromised, the attacker just needs to establish a communication tunnel between the compromised device and the attacker's environment at a remote location. In the case of UNC3524, attackers used a specialized version of Dropbear, which provides a client-server SSH tunnel and is compiled to operate on the Linux, Android, or BSD variants that are common on those devices.

At this point, the attacker can remotely control victim devices to go after IT, cloud, or other IoT, OT, and network device assets. The attacker will likely use ordinary, expected network communication such as API calls and device management protocols to avoid detection.
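A detection check a defender could run over flow telemetry for the tunnel pattern described above, added here as an example (it is not from the article or from the Mandiant report). The device VLANs, internal ranges and flow records are assumed and constructed; the logic flags long-lived outbound sessions from device subnets to non-internal addresses, which is the shape a remote SSH tunnel from a compromised device takes.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real telemetry):
# (src_ip, dst_ip, dst_port, bytes, duration_seconds)
FLOWS = [
    ("10.50.1.21", "10.50.1.2", 443, 1200, 2),             # camera -> local NVR
    ("10.50.1.21", "203.0.113.10", 22, 4_200_000, 86000),  # camera -> remote SSH, ~1 day
    ("10.50.1.21", "203.0.113.10", 22, 3_900_000, 86400),  # re-established next day
    ("10.60.3.8", "10.10.0.5", 161, 300, 1),               # PLC polled by local SNMP
    ("10.20.5.4", "198.51.100.7", 443, 8000, 5),           # workstation web traffic
]
# Assumed network layout: which VLANs hold IoT/OT gear, and what counts as internal.
DEVICE_SUBNETS = [ipaddress.ip_network(n) for n in ("10.50.1.0/24", "10.60.3.0/24")]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(ip, networks):
    return any(ip in n for n in networks)

def suspicious_tunnels(flows, min_duration=3600):
    """Long-lived sessions from device VLANs to addresses outside the internal ranges.
    A purpose-built device should not hold an hour-long outbound session to the
    Internet, so each such session is reported under its source device."""
    hits = defaultdict(list)
    for src, dst, port, _nbytes, duration in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if in_any(s, DEVICE_SUBNETS) and not in_any(d, INTERNAL) and duration >= min_duration:
            hits[src].append((dst, port, duration))
    return dict(hits)

if __name__ == "__main__":
    for device, sessions in suspicious_tunnels(FLOWS).items():
        print(device, sessions)
```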

Surviving Incident Response

The same problems that make network, IoT, and OT devices an ideal place for staging secondary attacks also make them well-suited for surviving incident response efforts.

One of the main value propositions of IoT, in particular, for sophisticated adversaries is that the model significantly complicates incident response and remediation. It's very difficult to completely kill off attackers if they have established persistence on just one of the hundreds or thousands of vulnerable, unmanaged devices that reside in most business networks — even if the attacker's malware and toolkits are completely removed from the company's IT network, command-and-control channels are disrupted, software versions are updated to eliminate previously exploitable vulnerabilities, and individual endpoints are physically replaced.

How to Reduce Corporate Risk

The only way for businesses to prevent these attacks is to have complete visibility into, and access and management over, their disparate IoT, OT, and network devices.

The good news is that security at the device level is simple to achieve. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, credential, and firmware management, as well as through basic device hardening. With that said, companies with large numbers of devices will be challenged to secure them manually, so companies should consider investing in automated solutions.

The first step companies should take is to create an inventory of all purpose-built devices and identify vulnerabilities. Next, companies should remediate risks at scale related to weak passwords, outdated firmware, extraneous services, expired certificates, and high- to critical-level vulnerabilities. Finally, organizations must continuously monitor these devices for environmental drift to ensure that what's fixed stays fixed.
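The three steps above (inventory and assess, remediate the listed risk categories, then watch for drift) worked as a small Python assessment and drift check over a constructed inventory. This is an added example, not the author's or Phosphorus's tooling; the inventory fields, the per-type service allowlist and the CVSS threshold of 8 are assumptions.

```python
import json
from datetime import date

# Constructed sample inventory (hypothetical devices, not real data), one record
# per purpose-built device as the inventory step would produce it.
INVENTORY = json.loads("""[
 {"id": "cam-01", "type": "camera", "default_password": true, "firmware_outdated": false,
  "max_cvss": 9.8, "services": ["rtsp", "telnet"], "cert_expiry": "2021-05-01"},
 {"id": "ups-07", "type": "ups", "default_password": false, "firmware_outdated": true,
  "max_cvss": 6.5, "services": ["snmp"], "cert_expiry": "2024-01-01"},
 {"id": "badge-03", "type": "access-control", "default_password": false,
  "firmware_outdated": false, "max_cvss": 4.0, "services": ["https"], "cert_expiry": "2024-01-01"}
]""")

# Assumed per-device-type service allowlist; anything else counts as extraneous.
EXPECTED_SERVICES = {"camera": {"rtsp", "https"}, "ups": {"snmp", "https"},
                     "access-control": {"https"}}

def assess(device, today):
    """Findings for one device, one per risk category the article lists."""
    findings = []
    if device["default_password"]:
        findings.append("default-password")
    if device["firmware_outdated"]:
        findings.append("outdated-firmware")
    if device["max_cvss"] >= 8.0:
        findings.append("high-critical-cvss")
    for svc in sorted(set(device["services"]) - EXPECTED_SERVICES[device["type"]]):
        findings.append(f"extraneous-service:{svc}")
    if date.fromisoformat(device["cert_expiry"]) < today:
        findings.append("expired-certificate")
    return findings

def assess_inventory(inventory, today):
    """Map device id -> findings for the whole inventory."""
    return {d["id"]: assess(d, today) for d in inventory}

def drift(baseline, current):
    """Findings in the current scan that the remediated baseline lacked, e.g. a
    service re-enabled or a password reset to default after a factory reset."""
    out = {}
    for dev, cur in current.items():
        new = sorted(set(cur) - set(baseline.get(dev, [])))
        if new:
            out[dev] = new
    return out

if __name__ == "__main__":
    today = date(2022, 6, 23)
    print(assess_inventory(INVENTORY, today))
```

After remediation the baseline findings should be empty per device; re-running `assess_inventory` on a fresh scan and passing both to `drift` yields only what has regressed.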

These are the same basic steps companies follow for traditional IT assets. It's time to show the same level of care to IoT, OT, and network devices.

About the Author(s)

Brian Contos

Chief Security Officer, Phosphorus Cybersecurity

Brian Contos, Chief Security Officer of Phosphorus Cybersecurity, is a 25-year veteran of the information security industry. He previously served as CISO at Verodin (acquired by Mandiant), Chief Security Strategist at Imperva, and CISO at ArcSight. He began his infosec career with the Defense Information Systems Agency (DISA) and later Bell Labs.
