(Kevin Townsend – SecurityWeek) – Ransomware is a category of extortion. Its sole purpose is to extract money from the victim. As industry got better at avoiding ransom demands, the attackers added another level of extortion – data blackmail to create ‘double extortion’.
As defenders get better at fending off double extortion, the attackers will evolve again. The most obvious path will be to attack operational technology (OT) rather than just IT. Attacks against OT are harder to carry out, but their effects are correspondingly harder to mitigate. The way cyber extortion has evolved so far makes this more than just a possible development.
Forescout’s Vedere Labs has published a proof of concept (PoC) for a ‘ransomware’ attack that uses IoT for access, IT for traversal, and OT (especially PLCs) for detonation. It is called R4IoT and is described as the next generation of ransomware.
The worrying aspect of this PoC is that it requires nothing new. IoT access was chosen because of the growth in IoT devices that generally receive less defensive attention than other parts of the network. Such access is likely to increase.
Traversal through and across IT is known and understood, but not always detected because of the current tendency for attackers to ‘live off the land’, using the legitimate tools already present on the network. Crossing from IT to OT is increasingly possible because of the ongoing convergence of the two networks, necessitated by the digital transformation of modern business. Throughout the PoC, existing vulnerabilities and exploits have been used.
Future attacks against the OT of critical industries are inevitable, if only because critical industries (think Colonial Pipeline) are more likely to pay the extortion, and pay rapidly. The Forescout PoC is designed to demonstrate how easily criminal gangs can deliver this type of extortion – but it is worth also noting that nation states could use the same process to deliver wipers against critical infrastructure.
This would be technically more difficult and require a knowledge of the targeted network. Adversarial nations are thought to have been inside critical networks on surveillance missions for years – so, they may already have that knowledge.
The two most important aspects emerging from the Forescout work are the likelihood of increased incursions via IoT devices, and the potential to disrupt the OT network for extortion purposes without requiring specialist APT-level sophistication.
Criminals are already taking note of the potential of IoT, and exploits can be bought on the dark web. “Lemon Duck is a Monero cryptomining botnet that uses IoT devices as entry points to infect computers, the Conti ransomware group targets devices such as routers, cameras and NAS with exposed web interfaces to move internally in affected organizations, variants of the Trickbot malware use routers as a proxy to contact C&C servers, and the Cyclops Blink malware (linked to the state-sponsored Sandworm group) exploits routers for initial access,” notes the report.
The growing threat from IoT comes from the number of devices that are being installed with little perception that they are an integral part of the network. They are neither defended nor patched with the rigor applied to the rest of the network. But since they are usually exposed to both the internet and the internal infrastructure, they can provide easy access for criminals.
The IT side of the operation is not discussed in detail within the report because the issues are well known if not yet well solved. Instead, the report focuses on IoT and OT embedded devices. “One thing that ties together both the initial access and impact possibilities brought by embedded IoT and OT devices is the increasing number of supply chain vulnerabilities affecting millions of these devices at the same time,” says the report. The researchers call out Project Memoria affecting TCP/IP stacks, BadAlloc affecting RTOSes, Access:7 affecting a popular IoT management platform and vulnerabilities in the BusyBox application used by many Linux devices.
Nevertheless, the IT stage of R4IoT is briefly described. The malware maps the different machines on the network, and uses the NTLM hash of the administrator’s account (a pass-the-hash technique) together with the WMI functionality within impacket to connect to each of them. On each machine it disables Windows Firewall and Windows Defender, and drops other R4IoT executables: a crypto miner and an executable that exploits Project Memoria vulnerabilities to launch DoS attacks against critical IoT/OT assets. A modified version of the Racketeer toolkit provides the C&C server and agent functionality. On demand from the C&C server, the agent can encrypt or decrypt files on the infected machine, exfiltrate files, and launch arbitrary executables with admin privileges.
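The IT stage described above leaves a recognisable trail in Windows Security event logs: NTLM network logons from one source fanning out to many hosts (hash-based authentication never shows up as Kerberos), shells spawned by the WMI provider host (impacket’s wmiexec runs commands through WmiPrvSE.exe), and process creations that turn the firewall and Defender off. The following is an added detection example, written for this page and not code from the Forescout report or from R4IoT itself; the event records are constructed, the host names, addresses and thresholds are assumptions, and the rules are heuristics rather than signatures for any particular malware.

```python
import re
from collections import defaultdict

# Constructed Windows Security event records (not real telemetry). Field names
# follow the EventData names of events 4624 (logon) and 4688 (process creation);
# hosts and addresses are invented for this example.
SAMPLE_EVENTS = [
    # One source address performing NTLM network logons as Administrator on several hosts
    {"host": "FS01", "event_id": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "IpAddress": "10.10.5.23"},
    {"host": "HMI02", "event_id": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "IpAddress": "10.10.5.23"},
    {"host": "ENG01", "event_id": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "IpAddress": "10.10.5.23"},
    # A benign Kerberos logon that must not count towards the fan-out
    {"host": "FS01", "event_id": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.10.7.40"},
    # A shell spawned by the WMI provider host, with wmiexec-style output redirection,
    # followed by Defender being switched off from that shell
    {"host": "HMI02", "event_id": 4688,
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c netsh advfirewall set allprofiles state off 1> \\127.0.0.1\ADMIN$\__1 2>&1"},
    {"host": "HMI02", "event_id": 4688,
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Ordinary interactive process creation that must not match anything
    {"host": "ENG01", "event_id": 4688,
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": "notepad++.exe"},
]

# Command lines that disable the host firewall or Defender (assumed patterns, not exhaustive).
DEFENCE_TAMPER = re.compile(
    r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
    r"|Set-MpPreference\s+-Disable\w+\s+\$?true"
    r"|DisableAntiSpyware",
    re.IGNORECASE,
)

SHELLS = {"cmd.exe", "powershell.exe"}


def ntlm_fanout(events, min_hosts=3):
    """Source addresses whose NTLM network logons (4624, type 3) reach >= min_hosts distinct hosts.

    Pass-the-hash authenticates with NTLM, so hash-based lateral movement appears here and
    never as Kerberos; the fan-out across hosts is what separates it from routine NTLM use."""
    by_source = defaultdict(set)
    for e in events:
        if (e.get("event_id") == 4624 and e.get("LogonType") == 3
                and e.get("AuthenticationPackageName") == "NTLM"):
            by_source[e["IpAddress"]].add(e["host"])
    return {ip: sorted(hosts) for ip, hosts in by_source.items() if len(hosts) >= min_hosts}


def wmi_spawned_shells(events):
    """(host, command line) for cmd/powershell started by WmiPrvSE.exe, i.e. remote WMI execution."""
    hits = []
    for e in events:
        if e.get("event_id") != 4688:
            continue
        parent = e.get("ParentProcessName", "").lower()
        child = e.get("NewProcessName", "").lower().split("\\")[-1]
        if parent.endswith("wmiprvse.exe") and child in SHELLS:
            hits.append((e["host"], e["CommandLine"]))
    return hits


def defence_tampering(events):
    """(host, command line) for process creations that disable the firewall or Defender."""
    return [(e["host"], e["CommandLine"]) for e in events
            if e.get("event_id") == 4688 and DEFENCE_TAMPER.search(e.get("CommandLine", ""))]


def triage(events):
    """Correlate the three signals: a host reached by a fan-out source that also shows
    WMI-spawned shells or defence tampering is rated high; the rest medium."""
    fanout = ntlm_fanout(events)
    touched = {h for hosts in fanout.values() for h in hosts}
    suspicious = ({h for h, _ in wmi_spawned_shells(events)}
                  | {h for h, _ in defence_tampering(events)})
    return {"fanout_sources": fanout,
            "high": sorted(touched & suspicious),
            "medium": sorted(suspicious - touched)}


if __name__ == "__main__":
    for level, hosts in triage(SAMPLE_EVENTS).items():
        print(level, hosts)
```

On the constructed sample the fan-out rule flags 10.10.5.23 for reaching three hosts, and HMI02 is rated high because it was both reached by that source and ran a WmiPrvSE-spawned shell that turned the firewall off. In production the fan-out count needs a time window and an allow-list for scanners and management servers that legitimately touch every host.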
The impact section of the report focuses on the damage that can be done if an attacker succeeds in gaining access to IT via an IoT device, and then reaches the OT network through IT/OT convergence. Some harm could be done at Purdue Level 2 and above, because those levels are populated by regular Windows/Linux machines. But Forescout focuses on attacking the PLCs, since the effect is more dramatic, immediate and difficult to mitigate. It looks at internally delivered DoS attacks, since PLCs are rarely exposed to the outside world.
There are more than half a million devices running TCP/IP stacks vulnerable to Project Memoria in organizations in almost every industry vertical. Exploiting these devices with similar and simple denial of service attacks gives the attackers the ability to disrupt many types of organizations.
Once the PLCs are effectively taken down by the DoS, the damage is done. Critical parts of the company’s operations can be halted, whether that is a conveyor belt or an infusion pump.
“The protection window has passed,” Daniel dos Santos, head of security research at Forescout Vedere Labs told SecurityWeek. “To give an extreme example, if it is connected to a poor gas pipeline and measuring pressure conditions, things could explode. That’s the main issue with OT – if the attacker reaches that point and can cause the device to go offline or to change some settings in the device, the physical danger becomes much more present; and probably much more critical than any danger to the data.”
R4IoT is not some new development in malware. It uses exploits that already exist. More worryingly, the proof of concept shows that it could be used at scale by less sophisticated hackers using ransomware-as-a-service. The implication is that critical industries must prepare themselves now for a new wave of ransomware attacks specifically targeting OT.
Traditional rapid response to IT ransomware, such as taking the systems offline, won’t work with OT. It is what dos Santos describes as ‘death by suicide’: you may stop further progress of the attack, but you are self-inflicting the end purpose of the attack. Organizations need to prepare their response now – and this can only be built on zero trust segmentation and improved visibility into both IT and OT, with something like anomaly detection.
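The segmentation-plus-visibility response described above comes down to two checks over network flow records: does a zone-crossing flow match a permitted conduit at all, and if it does, is it a conduit that has been seen before? Because PLCs are rarely exposed outside the plant, a single non-OT source suddenly reaching several PLCs is also worth its own alert, as that is what an internally delivered DoS against Level 1 looks like before the devices go down. The following is an added example written for this page, not code from Forescout or from any product; the Purdue-style zones, the permitted conduits, the addresses and the flow records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical zoning of a converged network (assumed addressing, not from the report).
ZONES = {
    "corp_it": ipaddress.ip_network("10.10.0.0/16"),   # enterprise IT
    "iot":     ipaddress.ip_network("10.20.0.0/16"),   # cameras, badge readers, printers
    "ot_l3":   ipaddress.ip_network("172.16.3.0/24"),  # Purdue L3: site operations, historian
    "ot_l2":   ipaddress.ip_network("172.16.2.0/24"),  # Purdue L2: HMIs, engineering workstations
    "ot_l1":   ipaddress.ip_network("172.16.1.0/24"),  # Purdue L1: PLCs
}
PLC_ZONE = "ot_l1"

# Conduits the (assumed) segmentation policy permits as (src zone, dst zone, dst port).
# Any other zone-crossing flow is a policy violation.
ALLOWED_CONDUITS = {
    ("ot_l2", "ot_l1", 502),     # HMI / engineering workstation to PLC, Modbus/TCP
    ("ot_l2", "ot_l1", 44818),   # HMI / engineering workstation to PLC, EtherNet/IP
    ("ot_l3", "ot_l2", 443),     # historian to HMI web API
    ("corp_it", "ot_l3", 443),   # corporate reporting to the historian only
}

# Constructed flow records as (src, dst, dst_port). BASELINE is what a known-good
# learning window produced; WINDOW is the period being analysed.
BASELINE = {
    ("172.16.2.10", "172.16.1.5", 502),
    ("172.16.2.10", "172.16.1.6", 502),
    ("172.16.3.20", "172.16.2.10", 443),
    ("10.10.7.40", "172.16.3.20", 443),
}
WINDOW = [
    ("172.16.2.10", "172.16.1.5", 502),     # seen in baseline
    ("172.16.2.10", "172.16.1.5", 44818),   # permitted conduit, but new for this pair
    ("10.10.5.23", "172.16.1.5", 502),      # corporate host straight to PLCs: not permitted
    ("10.10.5.23", "172.16.1.6", 502),
    ("10.10.5.23", "172.16.1.7", 80),
    ("10.20.4.7", "10.10.5.23", 445),       # IoT device opening SMB to an IT host: not permitted
    ("10.10.5.23", "10.10.5.30", 445),      # stays inside corporate IT
]


def zone_of(ip):
    """Name of the zone containing ip, or 'unknown' if no zone claims it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def classify(flow, baseline):
    """intra_zone | policy_violation | baseline | new_conduit for one flow."""
    src, dst, dport = flow
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "intra_zone"
    if (sz, dz, dport) not in ALLOWED_CONDUITS:
        return "policy_violation"
    return "baseline" if flow in baseline else "new_conduit"


def plc_fanout(flows, min_targets=3):
    """Sources from zones with no permitted conduit to the PLC zone that still reach
    >= min_targets distinct PLCs: the shape of an internal scan or DoS against Level 1."""
    permitted_src_zones = {sz for sz, dz, _ in ALLOWED_CONDUITS if dz == PLC_ZONE}
    targets = defaultdict(set)
    for src, dst, _ in flows:
        if zone_of(dst) == PLC_ZONE and zone_of(src) not in permitted_src_zones | {PLC_ZONE}:
            targets[src].add(dst)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}


def analyze(baseline, window):
    """Bucket every flow in the window and attach the PLC fan-out alerts."""
    report = {k: [] for k in ("intra_zone", "baseline", "new_conduit", "policy_violation")}
    for flow in window:
        report[classify(flow, baseline)].append(flow)
    report["plc_fanout"] = plc_fanout(window)
    return report


if __name__ == "__main__":
    for bucket, items in analyze(BASELINE, WINDOW).items():
        print(bucket, items)
```

On the constructed window the corporate host 10.10.5.23 produces four policy violations and a PLC fan-out alert, the IoT camera’s SMB connection into IT is a violation on its own, and the engineering workstation’s first EtherNet/IP session to a PLC is reported as a new conduit rather than blocked, which is the distinction that lets an operator tighten policy without taking the plant down. A real deployment would feed this from a span port or NetFlow collector and size the baseline window to cover at least one maintenance cycle.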
“R4IoT,” continues dos Santos, “is the first work to analyze how ransomware can impact IoT, and delivers a full proof-of-concept from initial access via IoT to lateral movement in the IT network, and subsequent impact on the OT network. Threat actors are exploiting a broader threat surface than before, and we see hacking groups discuss IoT access on forums today. It has become imperative to arm organizations with knowledge to extend their proactive defenses and ensure IoT devices have adequate segmentation from their critical IT and OT infrastructure.”