Hackers have many types of attack vectors at their disposal when launching a cyberwar; there are over 170,000 known vulnerabilities that can be exploited in attacks against a wide range of devices and systems. That is so many that it raises the question of where threat actors start when choosing which vulnerabilities to exploit. When the hacker group Anonymous announced it was declaring a cyberwar against Russia in response to its invasion of Ukraine, it presented a real-life answer to the question of which cyber weapons you would choose to go to war with. And no surprise, the attacks involved exploiting vulnerable IP cameras. Starting in early March, Anonymous has hacked into hundreds of IP cameras in Russia, including inside the Kremlin, and has used that access to distribute messages to the Russian people, gain military reconnaissance, and move laterally to impact other systems. Those efforts are continuing and expanding as this blog is being written.
The lesson from Anonymous’s choice of cyber weaponry is clear: cyber hygiene of IoT devices should be a top priority for minimizing the number and impact of cyber attacks. If Anonymous is currently leveraging vulnerable IoT devices like IP cameras, more than likely cyber criminals trying to attack your organization will try to do the same.
In dissecting Anonymous’s targeting of IoT devices, let’s start with why IoT and not just IT systems. Historically, many cyber attacks were aimed at datacenters and IT devices, and therefore most cyber defenses were designed to secure IT systems. But starting about 4 years ago, the number of cyber vulnerabilities impacting IoT devices started to exceed the number aimed at IT systems, a trend that continues today. Hackers also know that agent-based IT security solutions do not work on IoT devices; these devices have non-standard operating systems and can’t support agents running on them, making them harder to defend. IoT devices exist at 5x to 20x the scale of IT devices in organizations. And many IoT systems are managed by the line of business, such as facilities, physical security, manufacturing, and so forth – teams that traditionally have not had to be responsible for cyber security. Because IP-based IoT devices are network connected, they also offer threat actors opportunities to move laterally into corporate networks. In short, lower defenses, a larger attack surface, and a direct path to data exfiltration and deployment of malware make IoT devices attractive to hackers of all kinds, including Anonymous.
IoT of course has a broad range of device types, from IP cameras to printers to smart building systems and hundreds more. But within the IoT landscape, IP cameras are the low-hanging fruit for cyber attacks. Palo Alto Networks’ Unit 42 reported in 2021 that the least secure devices in an organization were the IP cameras (33% of security issues), followed by printers (24% of security issues). In other words, if you are concerned about IoT cyber security, start with the IP cameras (like threat actors will).
While this example of IoT being exploited by threat actors comes from today’s events, there have been too many warning signs to call this a wake-up call. In the 2018 suspense novel “The President is Missing”, a major plot theme involves terrorists leveraging IoT cyber vulnerabilities. In 2018 a Las Vegas casino had its “high roller” database stolen by cyber criminals exploiting a vulnerable fish tank thermometer. And across this past year we’ve seen gas pipelines, water control systems, and healthcare devices compromised and exploited; IoT stories like these are on the rise. It’s also worth noting the ironic twist to Anonymous leveraging vulnerable IoT devices: this technique has been heavily used by the Russians themselves, who have been running botnets off of IoT devices for quite some time to deploy malware, distribute spam, and perform data exfiltration.
Ready to defend yourself against Anonymous or any other hacker looking to exploit your IoT devices? Check out the Viakoo Action Platform, the leading IoT cyber hygiene solution, with automated firmware updating for vulnerability remediation, certificate management to extend Zero Trust to IoT, and automated password policy enforcement. Sign up here for a demo and see how quickly and easily you can reduce your IoT attack surface.