Security update: IoT, industrial systems under sophisticated attack
Internet of Things and Industrial Internet of Things devices are under sustained malware and ransomware attack, say a number of recent security reports.
According to the 2020 SonicWall Cyber Threat Report from threat intelligence firm SonicWall Capture Labs, overall malware attacks hit 9.9 billion in 2019 – a year-on-year decrease of six percent.
However, IoT malware attacks were up by five percent year on year, at 34.3 million. “With a deluge of new IoT devices connecting each day, increases in IoT malware attacks should not only be expected, but planned for,” says the company.
While attack volumes are falling slightly overall, SonicWall warns they being replaced by more surgical hits on softer targets – attacks that the company describes as “more evasive with higher degrees of success, particularly against the healthcare industry, and state, provincial, and local governments”.
Among these are malware variants not seen before by security teams, says the report.
Cryptojacking malware – enabling the hijacking of devices’ processors and energy to mine for cryptocurrencies – hit 64.1 million incidents in 2019, while the firm noted an increase in ransomware attacks on state and local governments, as well as large corporations: a total of just under 188 million incidents.
The researchers also observed a 52 percent year-on-year increase in Web app attacks in 2019, pushing total attack volume past 40 million for the first time.
Meanwhile, a separate report warns that the manufacturing, utilities, and other industrial sectors are in cybercriminals’ sights.
According to cybersecurity specialists Dragos, organised criminals are increasingly targeting ransomware attacks at industrial control systems (ICS) using file-encrypting malware, followed by demands for cryptocurrency payments.
For example, the new EKANS or ‘Snake’ malware includes ICS-specific elements, which lock critical files and terminate those functions. Infected files are renamed by appending a random five-character sequence to the original file extension.
It follows a trend observed in other ransomware families, such as Ryuk and MEGACORTEX, where self-propagation is avoided in favour of large-scale network compromise. EKANS was first observed in commercial malware repositories in late December 2019.
As the attacks are targeted and intended for financial gain, Dragos warns that cybercriminals take their time in compromising networks before launching the ransomware.
The firm advises organisations to separate ICS devices from the wider network where possible. They should also make regular backups of important files and systems and store them in a secure location that is not accessible from the regular network. For ICS operations, backups should include the last known-good configuration data and project files.
“EKANS and its presumed parent MEGACORTEX represent a unique and specific risk to industrial operations not previously observed in ransomware malware operations,” says Dragos.
“While some organisations have the emergency recourse of falling back into manual-mode operations, the costs and inefficiencies of doing so are still substantial.”
Meanwhile, enterprise IoT security company Armis has announced the discovery of five zero-day vulnerabilities in implementations of the Cisco Discovery Protocol (CDP) – a network protocol used to reveal information about locally attached Cisco equipment.
CDP is implemented in virtually all Cisco products, including switches, routers, IP phones, and IP cameras – many of which are unable to work properly without it and do not offer the ability to switch it off.
According to Armis, four of the vulnerabilities are related to Remote Code Execution (RCE), and the other is a Denial of Service (DoS) vulnerability that can also lead to: eavesdropping on voice or video calls, and on video feeds from IP phones and cameras.
The reports demonstrate that the security challenge is real, often financially motivated, and becoming increasingly targeted and sophisticated.