Why Cyber Attackers Prefer Targeting IoT Devices


Due to a lack of cybersecurity design and long-term use of default passwords, IoT devices are rapidly becoming the preferred targets of cyber attackers. Moreover, the rapid increase in the number of roles and identities assigned to each advanced IoT sensor in operational technology (OT) networks, as well as their proximity to critical business systems, makes it unsurprising that cyber attackers favor targeting IoT devices.

The research firm Forrester recently published a report titled “2023 IoT Security Status Report” explaining some factors that lead cyber attackers to prefer targeting IoT devices.

The growth rate of IoT attacks is significantly faster than mainstream attacks. Kaspersky’s Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) found that in the second half of 2022, 34.3% of servers in the global industrial sector were subjected to cyber attacks. In the first half of 2021, there were 1.5 billion cyber attacks on IoT devices, with over 40% of OT systems being attacked. SonicWall Capture Labs’ cybersecurity researchers recorded 112.3 million instances of IoT malware attacks in 2022, an increase of 87% compared to 2021.

Ritesh Agrawal, CEO of Airgap Networks, a global provider of security isolation and information exchange systems, pointed out that although IoT endpoints may not be critical business points, they are easily compromised and used to spread malware directly to the most valuable systems and data of enterprises. He recommends that businesses adhere to basic cybersecurity measures for each IoT endpoint—discovery, segmentation, and identity management.

In a recent interview with industry media, Agrawal advised businesses to look for solutions that do not require mandatory upgrades and will not disrupt the IoT network during deployment. These are two of the network security design goals he and his co-founders identified when creating Airgap Networks.

IoT Devices Adopted by Manufacturing Become High-Value Targets

IoT devices are targeted by cyber attacks because they are easy targets, and in industries where uptime is critical for survival, they can quickly lead to a large number of ransomware attacks. The manufacturing sector is particularly hard hit because cyber attackers know that no factory can afford the consequences of prolonged downtime, so the ransom they demand is two to four times that of other targets. 61% of intrusion attempts and 23% of ransomware attacks primarily target OT systems.

The research firm Forrester studied why IoT devices have become such high-value targets and how they are used to launch broader and more destructive cyber attacks within enterprises. They identified the following four key factors:

1. IoT Devices Have Security Blind Spots in Design

Most traditional IoT devices currently installed did not prioritize security during their design. Many lack options for firmware refresh or loading new software agents. Despite these limitations, there are still effective ways to protect IoT endpoints.

First, security measures must cover blind spots in IoT sensors and networks. Shivan Mandalam, Director of IoT Security Product Management at CrowdStrike, stated in a recent interview, “Businesses must eliminate blind spots associated with unmanaged or unsupported legacy systems. As the visibility and analytical capabilities of IT and OT systems improve, security teams can quickly identify and address issues before adversaries can exploit them.”

Leading cybersecurity vendors currently using IoT security systems and platforms include AirGap Networks, Absolute Software, Armis, Broadcom, Cisco, CradlePoint, CrowdStrike, Entrust, Forescout, Fortinet, Ivanti, JFrog, and Rapid7. At the 2022 Fal.Con conference, CrowdStrike launched the enhanced Falcon Insight, including Falcon Insight XDR and Falcon Discover for IoT, aimed at bridging security gaps within and between industrial control systems (ICS).

2. Long-Term Use of Default Administrative Passwords (Including Credentials) is Common

Manufacturers with relatively weak cybersecurity often use default administrative passwords on IoT sensors. They typically use default settings because IT teams do not have time to set every detail or are unaware of the option to do so. Forrester points out that many IoT devices do not require users to set a new password upon initialization, nor do they require enterprises to enforce the setting of new passwords. Forrester also notes that management credentials in older devices are often unchangeable.

As a result, Chief Information Security Officers, security teams, risk management professionals, and IT teams end up with both new and old devices on their networks that carry known credentials.

Leading vendors providing cybersecurity solutions to enhance password and identity-level security for IoT endpoints include Armis, Broadcom, Cisco, CradlePoint, CrowdStrike, Entrust, Forescout, Fortinet, Ivanti, and JFrog. Ivanti is a leader in this field, having developed and launched four IoT security solutions: Ivanti Neurons for RBVM, Ivanti Neurons for UEM, Ivanti Neurons for Healthcare, which supports IoMT, and Ivanti Neurons for securing industrial IoT, based on the company’s acquisition of Wavelink.

Dr. Srinivas Mukkamala, Chief Product Officer at Ivanti, explained in a recent interview with industry media, “IoT devices are becoming a hot target for cyber attackers. According to a report released by IBM, IoT attacks accounted for over 12% of global malware attacks in 2021, up from 1% in 2019. To address this issue, businesses must implement a unified endpoint management (UEM) solution that can discover all assets on the corporate network, even Wi-Fi-connected toasters in the break room.”

Mukkamala said, “The combination of unified endpoint management (UEM) and risk-based vulnerability management solutions is essential for achieving seamless, proactive risk response to remediate vulnerabilities across all devices and operating systems in the enterprise environment.”

3. Almost All Healthcare, Service, and Manufacturing Enterprises Rely on Traditional IoT Sensors

From hospital departments and wards to workshops, traditional IoT sensors are the cornerstone for these enterprises to obtain real-time data necessary for operations. Both the healthcare and service industries are high-value targets for cyber attackers, who aim to infiltrate IoT to launch lateral movements across the network. 73% of IoT-based intravenous infusion pumps are vulnerable, and 50% of IP voice systems are as well. Overall, in a traditional hospital, 50% of connected devices currently pose serious risks.

Forrester points out that one of the main reasons for these vulnerabilities is that these devices run unsupported operating systems that cannot be protected or updated. If an attacker compromises such a device and it cannot be patched, the risk of the device being “bricked” increases.

4. The Problem with IoT Lies in the Internet, Not the Technology

Forrester has observed that once IoT devices are connected to the internet, they immediately become a security risk. An anonymous cybersecurity vendor stated in an interview that one of their largest clients had been scanning its network to trace an IP address that was being contacted from outside the company. The address turned out to belong to a surveillance camera in the lobby of a manufacturing plant. Cyber attackers had been monitoring personnel coming and going, attempting to blend in with employees to gain access to the plant’s internal network and implant their own sensors. Little wonder, then, that Forrester has observed IoT devices becoming channels for command-and-control attacks or being absorbed into botnets, similar to the well-known Mirai botnet attack.

What It Feels Like to Suffer an IoT Attack

Some manufacturers are uncertain how to protect traditional IoT devices and their programmable logic controllers (PLCs), which provide the real-time data streams necessary for operating the business. IoT devices and PLCs are designed for ease of integration, which runs counter to cybersecurity and makes it difficult for any manufacturer without dedicated IT and security personnel to secure its network.

A Midwest-based automotive parts manufacturer suffered a massive ransomware attack that primarily targeted the company’s unprotected, online IoT sensors and cameras. Cyber attackers used a variant of R4IoT ransomware, initially penetrating the company’s IoT devices, video surveillance, and the PLCs used for HVAC, power, and mechanical preventive maintenance.

After infiltrating the corporate network, cyber attackers moved laterally, searching for Windows-based systems and infecting them with ransomware. Cyber attackers also gained administrative privileges and disabled Windows firewalls and third-party firewalls, then installed the R4IoT executable file across the network.

This attack left the manufacturer unable to monitor parameters such as machine heat, pressure, status, and cycle time, and froze and encrypted all data files, rendering them unusable. Worse, the cyber attackers threatened the company that if they did not pay the ransom, all of the company’s pricing, customer, and production data would be published on the dark web within 24 hours.

The manufacturer had no choice but to pay the ransom, as its cybersecurity personnel were at a loss on how to respond to the attack. Cyber attackers know that many manufacturers have no dedicated cybersecurity and IT teams and do not know how to respond to such threats. This is why manufacturing remains one of the hardest-hit industries. In short, IoT devices have become the preferred threat vector because they are unprotected.

Agrawal stated, “IoT presents significant pressure on enterprise security maturity. Extending zero trust to IoT is challenging because endpoints vary, and the environment is dynamic, filled with traditional devices.” When asked how manufacturers and other high-risk industry targets can begin to implement security measures, Agrawal suggested, “Accurate asset discovery, segmentation, and identity management remain the right answers, but how to deploy them alongside traditional solutions when most IoT devices cannot accept agents? This is why many enterprises adopt agentless network security like Airgap as the only viable architecture for IoT.”

Copyright Notice: This article is compiled by D1Net. Reprinting requires indicating the source at the beginning of the article as: D1Net. If not indicated, D1Net reserves the right to pursue legal responsibility. Cover image source from Shetu Network

(Source: D1Net)
