Avast_Blog_ViewPoints: RobbinHood ransomware’s implications are not limited to lockin
Quote:

An unprecedented collaborative effort is vital to stop the plundering of IoT systems

The Internet of Things (IoT) has come a long, long way since precocious students at Carnegie Mellon University installed micro-switches inside of a Coca-Cola vending machine so they could remotely check on the temperature and availability of their favorite beverages.

That was back in 1982. Since then, IoT devices have become widely and deeply integrated into our homes, businesses, utilities and transportation systems. This has brought us many benefits. And yet our pervasive deployment of IoT systems has also vastly expanded the cyber attack surface of business networks, especially in just the past few years.

And now Covid-19 is having a multiplier effect on these rising IoT exposures. Nine months into the global pandemic an ominous dynamic is playing out. Remote work and remote schooling have spiked our reliance on IoT systems to a scale no one could have predicted; and much of this sudden, dramatic increase is probably going to be permanent. In response, threat actors are hustling to take full advantage.

This shift is just getting started. IoT-enabled scams and hacks quickly ramped up to a high level – and can be expected to accelerate through 2021 and beyond.

This surge can, and must, be blunted. The good news is that we already possess the technology, as well as the best practices frameworks, to mitigate fast-rising IoT exposures.

However, this will require a concerted, proactive effort by the business community — enterprises and small- and mid-sized businesses alike. Individual citizens, consumers and workers have a big role to play as well. Each one of us will have to cooperate and make sacrifices. A lot is at stake. Here’s what all companies and individuals should fully grasp about our IoT systems under attack, post Covid-19.

The mainstreaming of IoT

IoT very clearly has gone mainstream. We’ve surrounded ourselves with embedded sensors continually transmitting data across the internet. IoT devices help remotely control our household appliances, power plants, smart buildings, factories, airports, shipyards, trucks, trains and military.

And we’re just getting started. On the immediate horizon, IoT systems will bring us autonomous vehicles and something called “digital twins” – virtual representations of physical objects infused with artificial intelligence. I recently heard Dr. Joe Alexander, a distinguished scientist at NTT Research, describe the astounding work he’s doing on a digital twin of a human heart that someday will crunch data to help diagnose and treat cardiac disease.

The challenge of the moment is that many companies already have their hands full trying to improve their security posture as they migrate their legacy, on-premises IT systems to the cloud. IoT risks have been a low-priority, subset concern. But now Covid-19 has shoved IoT exposures to the front burner.

“Too often we see companies with strong security policies and tools to protect employee corporate-owned endpoints lacking any security oversight for IoT and mobile devices,” Chris Sherman, senior industry analyst at Forrester, told me.

Sherman opines that there is a huge IoT visibility gap that must be narrowed. I agree. Most companies have only a vague sense of all of the IoT sensors tied into their networks, and each device represents an access path beckoning intruders. The shutdown of businesses and schools due to Covid-19 added a sudden influx of tens of millions more consumer IoT devices connecting to corporate networks, intensifying this exposure.

A candy store for hackers

A recent Forrester workforce survey showed that by mid-2020, 58 percent of corporations worldwide had at least half of their employees working from home, where an average of 11 devices lurk -- connected to the internet. You can add to this all of the schools, colleges and universities forced by the pandemic to conduct classes remotely.

“We have an expansion of the number of devices in the IoT ecosystem, and we also have an increase in the time that consumer IoT devices are spending on the same network as work devices,” Sherman says.

To malicious hackers, it’s like getting dropped off at a candy store that’s giving away free treats. The operating systems of home IoT devices today typically get shipped with minimal logon security. Hacking collectives are very proficient at “exploiting weak authentication schemes to gain persistence inside of a targeted network,” Sherman says. “Once they gain a foothold, they can move laterally and gain access to other enterprise assets.”

IoT-enabled attacks on home and business IT networks are not just theoretical; they have been steadily escalating for at least the past three years.

The infamous Mirai botnet self-replicated by seeking out hundreds of thousands of home routers with weak or non-existent passwords. From there Mirai spread voraciously between other types of consumer IoT devices, as well as corporate computers. Mirai ultimately was used to carry out massive Distributed Denial of Service (DDoS) attacks.

IoT botnets today continue to carry out DDoS attacks and also routinely get deployed to distribute Banking Trojan malware as well as to carry out Man In The Middle (MITM) attacks. The VPNFilter botnet, for instance, compromised weakly protected home routers, which were then directed to steal logons from employees as part of go-deep breaches of targeted companies.

The breach of a CFO’s home smart speaker

Through the course of 2020, IoT-enabled attacks have manifested new wrinkles. In one very recent caper, the attackers targeted the CFO of a financial services firm, as he worked from home, Sherman says. The attackers successfully got a foothold on the exec’s MacBook. But try as they might, they were unable to achieve their main goal, which was to gain control of the MacBook’s microphone.

So they did the next best thing instead; they located and took control of a smart speaker tied into the exec’s home network via a Bluetooth connection. With control of the exec’s smart speaker secured, the attackers were able to achieve their objective to eavesdrop on the CFO’s private conversations.

This is a sign of IoT attacks to come. We’ve embedded helpful IoT devices in household appliances, environmental controls, health trackers, media and gaming devices, surveillance cams, building access systems, medical devices, even connected cars. Clearly, motivated hackers are going to continue plundering these fresh attack vectors.

“Sometimes we don't even realize how many of our devices today have audio and video recording capabilities,” Sherman says. “Concern for IoT-assisted types of attack is especially high in the healthcare sector, where you have a lot of HIPAA-protected conversations being picked up by home devices.”

Mike Nelson, vice president of IoT security at DigiCert, pays very close attention to the systemic vulnerabilities of IoT systems deployed by the healthcare sector.

DigiCert is a leading supplier of digital certificates and related security services. It’s Nelson’s job to help companies address IoT risks – but he also has a very personal stake. As a Type 1 diabetic, Nelson continually gets readings on his smartphone transmitted from an IoT device he wears on his leg that continually monitors his blood sugar level.

A hacker mucking around, for whatever reasons, could purposefully or inadvertently alter or disrupt data flowing to such systems, with potentially devastating impact on diabetics like Nelson. The same holds true for any patient getting critical care, for any type of illness, that relies on data routed through IoT-enabled systems.

“Hospitals are onboarding data from wireless infusion pumps that provide critical treatments to patients,” Nelson observes. “These pumps connect to many different systems, including the network. If left unsecured, a malicious actor could come into the hospital, discover the device on the network, and take control of the device – potentially infusing lethal medication into a patient.”
...