Forescout Proof-of-Concept ransomware attack affects IoT and OT

A new proof-of-concept ransomware attack from Forescout Technologies raises troubling implications for IoT and operational technology security.

Forescout Technologies’ Vedere Labs released research on Wednesday showcasing the proof-of-concept attack, in which a hypothetical attacker uses a vulnerable IP camera to compromise an organization’s IT infrastructure and then uses that access to shut down operational technology (OT) hardware. The attack chains together pre-existing vulnerabilities and does not include new exploits.

However, Daniel dos Santos, head of security research at Vedere Labs, wrote that it was “the first and only work to date to combine the worlds of IT, OT and IoT ransomware” into a single complete proof of concept.

The attack works by compromising widely deployed network-connected security cameras, particularly those sold by Axis and Hikvision. According to Forescout, these two vendors account for 77% of IP cameras used in corporate networks. Additionally, Forescout claimed in its report that more than half a million devices use the default VLAN 1 configuration, which means the cameras were never placed in a segmented network.

Using a vulnerability such as 2017’s Devil’s Ivy, attackers can therefore use these IoT devices as a foothold into a poorly protected corporate network. In a demo video, Forescout showed that after exploiting vulnerabilities in a camera, attackers can run a command to gain access to a Windows machine. From there, they can run further commands that locate additional machines reachable from the camera, find machines with weak credentials and open remote desktop protocol (RDP) ports, and establish an SSH tunnel.

The attacker then uses this access to open a remote desktop session, install malware, and disable network firewalls and virus protection. With this access, the attacker can elevate privileges, install ransomware and cryptocurrency miners, and launch malicious executables targeted at OT systems.
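The chain described above has a detectable shape on the network: a camera that should only ever talk to its recorder instead reaches an IT host on RDP or SSH, and that host later reaches the OT segment on a PLC protocol port. The following added example (not Forescout’s code; the subnets, ports and flow records are all constructed for illustration) correlates those two steps over a list of flow records the way a segmentation-monitoring rule would.

```python
import ipaddress

# Added example: flags the camera -> IT host -> PLC pivot described above.
# Every address, subnet and flow record here is constructed; adjust
# CAMERA_NET and OT_NET to the real segments before using this on flow data.
CAMERA_NET = ipaddress.ip_network("10.1.1.0/24")   # assumption: IP cameras
OT_NET = ipaddress.ip_network("10.3.0.0/24")       # assumption: PLCs / HVAC
LATERAL_PORTS = {22: "ssh", 3389: "rdp"}            # pivot services used in the PoC
OT_PORTS = {502: "modbus", 44818: "enip"}           # common PLC protocol ports

# Constructed flow records: (src_ip, dst_ip, dst_port), in arrival order.
FLOWS = [
    ("10.1.1.25", "10.1.1.2", 80),        # camera -> its NVR: expected traffic
    ("10.1.1.25", "10.2.5.10", 3389),     # camera -> Windows host over RDP
    ("10.1.1.25", "10.2.5.10", 22),       # camera -> same host, SSH tunnel
    ("10.2.5.11", "10.2.5.12", 445),      # ordinary IT-to-IT SMB: ignored
    ("10.2.5.10", "10.3.0.7", 502),       # pivot host -> PLC over Modbus
]


def find_pivot_chain(flows, camera_net=CAMERA_NET, ot_net=OT_NET):
    """Return alerts for two linked conditions, in flow order:
    1. 'camera_egress': a camera reaches a host outside its own segment on a
       lateral-movement port (a segmentation failure, as with default VLAN 1);
    2. 'pivot_to_ot': a host previously contacted that way reaches the OT
       segment on a PLC protocol port."""
    alerts = []
    pivot_hosts = set()  # IT hosts already contacted by a camera
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in camera_net and d not in camera_net and port in LATERAL_PORTS:
            alerts.append(("camera_egress", src, dst, LATERAL_PORTS[port]))
            pivot_hosts.add(dst)
        elif src in pivot_hosts and d in ot_net and port in OT_PORTS:
            alerts.append(("pivot_to_ot", src, dst, OT_PORTS[port]))
    return alerts


if __name__ == "__main__":
    for alert in find_pivot_chain(FLOWS):
        print(alert)
```

A PLC contacted by a host that has no camera-originated history produces no alert, so the rule keys on the sequence rather than on OT traffic alone.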

Forescout’s video demonstration featured a simulated ransomware attack on a hospital. In this example, Forescout compromised an IP camera, used it to reach the fictional hospital’s network, located a programmable logic controller (PLC) used to control the hospital’s HVAC system, and used elevated privileges to install ransomware and stop the HVAC system.

While the simulated attack is too specific to apply directly to any single organization, the new research shows how several types of network-connected hardware can be chained together with devastating consequences.

Dos Santos told SearchSecurity that one of the motivations for the proof-of-concept attack was to illustrate to organizations how vulnerabilities — like the Nucleus:13 flaws discovered by Forescout last fall — can be used in practice by threat actors to compromise OT networks. The second motivation was to highlight the dangers and the changing landscape of ransomware.

“Ransomware moves very, very quickly,” he said. “And we wanted to have a longer-term view of what attackers might do very soon so that organizations can proactively prepare and defend themselves instead of just reacting to attacks. It’s a long-term view of attention to OT and IoT.”

Dos Santos recommended implementing proper network segmentation and using both NIST’s cybersecurity framework and zero-trust architecture.

Ransomware attacks on OT networks and industrial control systems (ICS) have become a growing concern in the infosec community. Earlier this year, ICS security vendor Dragos’ 2021 Year in Review report showed that ransomware was the leading cause of breaches in the industrial sector and caused significant disruption even when OT and ICS networks were not directly targeted or infected.

Alexander Culafi is a Boston-based writer, journalist, and podcaster.