Internet of Threats
Not a day goes by without threats and attacks
Reports of cyber attacks exploiting newly disclosed, and not so newly disclosed, vulnerabilities in information systems no longer surprise anyone.
28.09.2018. Security researchers discovered the new Torii IoT botnet, more capable than Mirai and its many variants. Its features include data theft and remote command execution. According to researchers at Avast, the malware had been active since at least December 2017.1
(A botnet is a network of computers infected with malware that lets attackers control them remotely and, in particular, use them to carry out DDoS attacks. Note: the malware was discovered almost a year after it became active.)
04.10.2018. Usernames and passwords for Facebook accounts were offered for sale on underground marketplaces. Prices ranged from $3 to $12, payable in cryptocurrency (mainly Bitcoin and Bitcoin Cash). According to a report by the British company Money Guru, credentials were sold on underground sites not only for Facebook but also for other services: sellers asked about $2 for Reddit accounts, $3 for Twitter, $6 for Instagram and $8 for Pinterest.2
18.10.2018. Two billion devices remained vulnerable to BlueBorne, a set of Bluetooth vulnerabilities disclosed a year earlier. Specialists pointed out that BlueBorne was especially dangerous for industrial enterprises, and that Internet of Things devices could form the basis of a new landscape of such attacks.3
25.10.2018. A new botnet appeared on the Web, attacking vulnerable IoT devices, SSH servers and Linux-based systems to recruit them for DDoS attacks.4
13.11.2018. The creator of an IoT botnet distributed a backdoor for ZTE routers in which a second backdoor was hidden, aimed at compromising whoever used it. According to experts at NewSky Security, the hacker using the pseudonym Scarface was among the 20 most significant figures on the IoT cybercrime scene. Backdooring competitors' botnets has a clear rationale: by infecting the systems of script kiddies (inexperienced hackers), a major player such as Scarface could take control of the small botnets they had built, or destroy them to eliminate the competition.5
(A backdoor is a hidden mechanism deliberately built into software by its developer that grants unauthorized access to data or remote control of a computer. Note: individual attackers compete with each other. The question is, for what? Only for the leading roles on the cybercrime scene?)
These are just five reports of vulnerabilities and attacks. Such reports appear almost daily.
Cyber attack and vulnerability statistics
In October 2018, Cisco announced the results of a cybersecurity study of small and medium-sized businesses that surveyed 1,816 respondents in 26 countries. The study found that:
- more than 53% of small enterprises were hit by cyber attacks in 2018, and 20% of them reported damages of $1 million to $2.5 million
- 53% of respondents stated that their companies had suffered intrusions that entailed significant financial costs
- 40% of respondents (enterprises with 250-499 employees) experienced eight hours of downtime as a result of serious attacks in 2017
- 39% of respondents stated that half of their systems were affected by a serious attack.6
Not only small companies suffer from cyber attacks, but also large ones, and even whole countries. For example, the BlackEnergy APT group has been attacking Ukraine for several years. In the world's first power outage caused by a cyber attack (December 2015), 230,000 people were left without electricity.
ESET has announced the discovery of a successor to the BlackEnergy APT group. The group, named GreyEnergy, focuses on espionage and reconnaissance and is quite possibly preparing for future attacks aimed at cyber sabotage. "Over the past three years, GreyEnergy has been participating in attacks on energy companies and other targets of particular importance in Ukraine and Poland," ESET specialists say.7
The abbreviation APT (advanced persistent threat) denotes, on the one hand, a targeted cyber attack and, on the other, a group of people with specialized knowledge and considerable resources; the term itself indicates how serious the threats and the consequences of an attack can be. The goal may be theft of information, interference with the victim's activities, or even bringing the victim's operations to a halt. Another option is to lay the groundwork for a future attack, timed so that the damage is maximized.
Ordinary users can also suffer from cyber attacks.
19.10.2018. Ten thousand people fell victim to an online fraudster. The criminal business of an attacker known as Investimer, who specialized in cryptocurrency fraud, was notable for the wide range of malware it used and its many methods of illegal earnings.8
22.10.2018. In its Global Threat Index report for September, Check Point noted that the number of cryptomining attacks on Apple iPhone devices had increased by almost 400%. The attacks used the Coinhive miner, which had topped the Global Threat Index since December 2017.
Check Point researchers also analyzed the most exploited vulnerabilities. CVE-2017-7269 (a buffer overflow in the WebDAV service of Microsoft IIS 6.0) retained first place, affecting 48% of organizations worldwide. Second place went to CVE-2017-5638 (remote code execution in Apache Struts 2), with global coverage of 43%, and third, slightly behind, to code injection through a misconfigured phpMyAdmin on the web server, found in 42% of companies.9
So the most exploited vulnerabilities were present in almost half of the organizations worldwide. If a company does not have one of them, it may well have another, or several. A cyber attack is then only a matter of time.
That is why some cybersecurity experts read the abbreviation IoT not as "Internet of Things" but as "Internet of Threats".
Individuals and companies that use the Internet of Things (IoT), and all the more the Industrial Internet of Things (IIoT), are exposed to far more vulnerabilities than other companies, or than people who do not live in smart homes and keep their Internet-connected devices to a minimum. This is largely because every additional device is a potential entry point for an attack: sensors, edge (fog) computing devices, actuators and so on.
Given the importance of these issues, the European Union Agency for Network and Information Security (ENISA) published in November 2017 the report on its extensive study "Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures".10
In the course of the study, experts were asked, among other things, to rate 10 attack scenarios by criticality. From the data collected in the expert interviews, the average criticality of each scenario was assessed. The scenarios received the following ratings:
- Attack on IoT control system – 88.89%
- Attack on sensors, altering the values they read or their thresholds and settings – 84.72%
- Attack on devices, injection of control commands – 81.94%
- Attack on the network link between controllers and actuators – 73.61%
- Attack on information transmitted via the network – 73.61%
- Attack on actuators, changing or resetting their normal values – 69.44%
- The use of protocol vulnerabilities – 62.50%
- Stepping-stone attack (an attack launched from intermediate hosts compromised beforehand) – 58.33%
- Power supply manipulation – 58.33%
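The two highest-rated scenarios after the control system itself are attacks on sensor values and on the network link carrying them. The following gateway-side validator is an added example, not code from the article or from the ENISA report: it authenticates each reading with a per-device HMAC, rejects replays, and then applies a physical plausibility check (range and maximum rate of change), because an authentic signature does not help when the sensor itself has been compromised and signs nonsense. Device IDs, keys, limits and the message format are all hypothetical and constructed for the example.

```python
"""Added example (not from the article or the ENISA report): a gateway-side
check that authenticates sensor readings and rejects values that are
replayed or physically implausible. Device IDs, keys, limits and message
format are hypothetical."""
import hashlib
import hmac
import json

# Constructed per-device keys; in a real deployment these would be provisioned
# into a hardware key store on the sensor and into the gateway's key database.
DEVICE_KEYS = {"temp-01": b"constructed-key-for-temp-01"}

# Constructed physical limits: sensor range and maximum plausible change per
# second (degrees C per second for a temperature probe).
LIMITS = {"temp-01": {"min": -40.0, "max": 125.0, "max_rate": 2.0}}


def canonical(device_id, ts, seq, value):
    """Canonical JSON body so sensor and gateway MAC exactly the same bytes."""
    return json.dumps({"id": device_id, "ts": ts, "seq": seq, "value": value},
                      sort_keys=True, separators=(",", ":"))


def sign_reading(device_id, ts, seq, value, key):
    """What the sensor sends: the canonical body plus an HMAC-SHA256 tag over it."""
    body = canonical(device_id, ts, seq, value)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class GatewayValidator:
    """Accepts a reading only if it is authentic, fresh and physically plausible."""

    def __init__(self, keys, limits):
        self.keys = keys
        self.limits = limits
        self.last = {}  # device_id -> (ts, seq, value) of the last accepted reading

    def validate(self, msg):
        """Return (accepted, reason); the cheapest and most decisive checks run first."""
        body = msg.get("body", "")
        try:
            r = json.loads(body)
        except ValueError:
            return False, "malformed"
        dev = r.get("id")
        key = self.keys.get(dev)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad tag"  # value changed on the link, or sender has no key
        ts, seq, value = r.get("ts"), r.get("seq"), r.get("value")
        if not all(isinstance(x, (int, float)) for x in (ts, seq, value)):
            return False, "bad fields"
        lim = self.limits.get(dev)
        if lim is None:
            return False, "no limits configured"
        if not lim["min"] <= value <= lim["max"]:
            return False, "out of physical range"  # authentic, but impossible
        prev = self.last.get(dev)
        if prev is not None:
            pts, pseq, pval = prev
            if seq <= pseq or ts <= pts:
                return False, "replay or stale"
            if abs(value - pval) / (ts - pts) > lim["max_rate"]:
                return False, "implausible rate of change"
        self.last[dev] = (ts, seq, value)
        return True, "ok"


def run_demo():
    """Feed six constructed messages through the validator; return the reasons."""
    key = DEVICE_KEYS["temp-01"]
    gw = GatewayValidator(DEVICE_KEYS, LIMITS)
    genuine = sign_reading("temp-01", 1000, 1, 21.5, key)
    tampered = dict(genuine, body=genuine["body"].replace("21.5", "99.0"))
    msgs = [
        genuine,                                        # normal reading
        tampered,                                       # value rewritten on the link
        genuine,                                        # the same message replayed later
        sign_reading("temp-01", 1001, 2, 400.0, key),   # compromised sensor signs nonsense
        sign_reading("temp-01", 1002, 2, 60.0, key),    # in range, but jumps 38.5 C in 2 s
        sign_reading("temp-01", 1003, 2, 22.0, key),    # normal next reading
    ]
    return [gw.validate(m)[1] for m in msgs]


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

The order of checks matters: the tag is verified before anything in the body is trusted, and the plausibility checks run only on authenticated data, so an attacker on the link cannot influence the gateway's state with unsigned messages. The symmetric HMAC means the gateway holds every sensor's key, so a gateway compromise exposes them all; where the hardware allows it, per-device asymmetric keys kept in a secure element limit that blast radius.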
In addition, experts rated the following three attack scenarios as the most dangerous:
- Scenario 1: IoT control system compromise
- Scenario 2: IoT device value manipulation
- Scenario 3: botnet / command injection.
Scenario 3, for example, involves exploiting a weakness in a device to inject commands and obtain administrator rights, then using that device and other vulnerable IoT devices to build a botnet. The Mirai botnet mentioned at the beginning of this article implements exactly this scenario (in Mirai's case the "weakness" was not a software bug but factory-default telnet credentials that were never changed). Mirai has carried out some of the most powerful DDoS attacks in recent history against a wide range of targets, from the KrebsOnSecurity security blog to the telecommunications infrastructure of an entire country. An attack on the scale of Mirai against infrastructure with hazardous energy resources could therefore have extremely critical consequences.
IIoT: many more security problems
The study cited above deals with the Internet of Things (IoT), whereas we are more interested in the Industrial Internet of Things (IIoT). How applicable are the estimates and scenarios above to it?
Some experts believe the only difference between the two concepts is their area of use: IoT is mostly used for consumer purposes, whereas IIoT is used in industry, in manufacturing, supply chain management and control systems.11
However, the reality is more complicated. An IoT device may have the same functionality as an IIoT device and yet not be considered an industrial product. IIoT devices, networks and control systems are subject to far more stringent and extensive requirements than comparable IoT components, above all in security. Disrupting a large-scale production process can cost millions of dollars a day in unreleased products; disrupting the electrical grid affects the economic activity of millions of people and jeopardizes national security. IIoT solutions therefore use substantially stronger security measures: secure and robust system architectures, specialized chipsets, encryption and authentication, threat detection systems and so on.
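The telnet credential scanning that Mirai-class botnets use leaves a recognisable trace in login logs. The detector below is an added example, not code from the article, from ENISA or from the Mirai source: it runs over constructed, honeypot-style telnet login lines (a hypothetical format; production devices should never log passwords, but honeypots and some monitoring gateways do) and flags a source address that, within a time window, tries many user/password pairs across several devices, or tries several pairs from the well-known Mirai default-credential dictionary. The credential subset is taken from the leaked Mirai scanner; device names, addresses and log lines are constructed.

```python
"""Added example (not from the article or the Mirai source): detect
Mirai-style telnet credential scanning in honeypot-style login logs.
Log format, device names and addresses are hypothetical/constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Subset of the default credentials hard-coded in the Mirai scanner (leaked
# source, 2016). A real detector would load the full list plus local defaults.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"), ("root", "888888"),
    ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"),
}

# Hypothetical honeypot-style line:
#   <ISO-8601 UTC time> <target device> telnetd: login <failed|ok> user=<u> pass=<p> from=<source ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<target>\S+) telnetd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) from=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: one scanner hitting four devices, one admin typo, one stray guess.
SAMPLE_LOG = """\
2018-10-25T03:14:01Z cam-01 telnetd: login failed user=root pass=xc3511 from=203.0.113.5
2018-10-25T03:14:02Z cam-01 telnetd: login failed user=root pass=vizxv from=203.0.113.5
2018-10-25T03:14:03Z cam-02 telnetd: login failed user=admin pass=admin from=203.0.113.5
2018-10-25T03:14:04Z cam-02 telnetd: login failed user=root pass=888888 from=203.0.113.5
2018-10-25T03:14:05Z router-04 telnetd: login failed user=root pass=xmhdipc from=203.0.113.5
2018-10-25T03:14:06Z router-04 telnetd: login failed user=root pass=default from=203.0.113.5
2018-10-25T03:14:07Z dvr-03 telnetd: login failed user=root pass=juantech from=203.0.113.5
2018-10-25T03:14:08Z dvr-03 telnetd: login failed user=root pass=123456 from=203.0.113.5
2018-10-25T03:14:09Z dvr-03 telnetd: login ok user=root pass=xc3511 from=203.0.113.5
2018-10-25T03:20:11Z router-04 telnetd: login failed user=admin pass=Wrong-Pa55 from=198.51.100.7
2018-10-25T03:20:19Z router-04 telnetd: login ok user=admin pass=K3ep-0ut! from=198.51.100.7
2018-10-25T03:21:00Z cam-01 telnetd: login failed user=pi pass=raspberry from=192.0.2.44
"""


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_credential_scanning(lines, window=timedelta(minutes=5),
                               min_pairs=6, min_targets=3, min_defaults=3):
    """Flag source IPs that behave like a Mirai-style telnet scanner.

    A source is flagged when, within `window`, it tries at least `min_pairs`
    distinct user/password pairs across at least `min_targets` devices, or at
    least `min_defaults` pairs from the known default dictionary. Returns
    {src_ip: {"pairs", "targets", "defaults", "compromised"}}.
    """
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            pairs = {(e["user"], e["pw"]) for e in win}
            targets = {e["target"] for e in win}
            defaults = pairs & MIRAI_DEFAULTS
            if (len(pairs) >= min_pairs and len(targets) >= min_targets) or len(defaults) >= min_defaults:
                # keep updating so the alert reflects the latest triggering window
                alerts[src] = {
                    "pairs": len(pairs),
                    "targets": sorted(targets),
                    "defaults": len(defaults),
                    # a device that accepted a default credential is now a bot candidate
                    "compromised": sorted({e["target"] for e in win
                                           if e["result"] == "ok" and (e["user"], e["pw"]) in MIRAI_DEFAULTS}),
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_scanning(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The "compromised" list is the actionable part: a device that accepted a default credential has most likely already been enlisted and should be isolated and re-provisioned, not just firewalled from the scanner. Thresholds are deliberately conservative so that an administrator's mistyped password on a single device (the 198.51.100.7 lines) does not trigger an alert.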
In addition, IIoT has requirements such as:
- compatibility with the numerous production and management systems already in place at the enterprise
- suitability for scaling as production grows
- high accuracy of all measurements and of reactions to events
- frequent reprogramming capability, flexibility and adaptability
- high speed: minimal delays in detecting deviations, assessing them, making decisions and responding
- high reliability in harsh environments
- resistance to failure of individual devices and subsystems
- support for raising the level of automation up to the complete elimination of human intervention in the workflow
- ease of maintenance and repair, during which sensors may be replaced, firmware updated, and gateways and servers reconfigured.12
Obviously, meeting some of the requirements listed above creates additional threats that are not typical of IoT. For example, during maintenance and repair, sensors may be replaced, firmware updated, and gateways and servers reconfigured. Sensors rank second in the criticality list above. New software may contain new vulnerabilities not yet identified by security researchers. Mistakes made while configuring gateways and servers open further vulnerabilities. So does frequent reprogramming, performed, for example, with each change or modification of a product line that becomes more and more diverse and is sometimes made to individual orders. Compatibility with the production and management systems already in place means, among other things, interacting with outdated software that was developed under far less stringent security requirements. And this is only a small part of the additional threats characteristic of IIoT.
Measures to prevent attacks
The ENISA study "Baseline Security Recommendations..." cited above presents a detailed list of security measures and best practices for mitigating the threats, vulnerabilities and risks characteristic of IoT devices and environments.
Basic IoT security measures can be divided into three main categories.
Policies. The first group of measures concerns policies that establish information security and make it concrete and reliable. They must fit the organization's activities and be well documented. Security controls should be designed in during the development of IoT devices and applications, implemented during their production and deployment, and maintained throughout the life cycle of the whole IoT system at every level.
Organizational measures, processes and people. Every enterprise must define organizational information security criteria. Its personnel policies should support the secure management of processes and information. Organizations must ensure that their contractors and suppliers are also accountable for information security in their areas of competence. The organization should be prepared for security-related incidents (areas of responsibility, assessment and response).
Technical measures. To reduce the vulnerability of IoT, security measures and the practices for applying them must cover all technical devices and take into account the peculiarities of the IoT ecosystem, in particular its scale. Given the huge number of devices in an IoT deployment, some security measures may require adding specialized components, such as gateways, to the architecture.
All these measures and best practices for their application are discussed in detail in the study cited above.
Instead of a conclusion
It should be noted that cybersecurity issues cannot be resolved once and for all. To keep a security system effective, it must be not only continuously monitored but also regularly updated. For example, attackers, keeping pace with technical progress, have begun to actively use machine-learning techniques, so a modern cybersecurity platform can no longer do without artificial intelligence.13