Nozomi Networks - Cyber threats in the first half of 2020
The OT/IoT threat landscape for the first half of 2020 saw an increase in threats to OT and IoT networks, particularly IoT botnets, ransomware and COVID-19-themed attacks. These attack types are in line with global computing and socio-economic trends: the rapid rise of IoT devices, the global COVID-19 pandemic and the growing number and sophistication of cybercriminals are the key drivers. This blog post provides an overview of the most active threats observed over the last few months by the experts at Nozomi Networks, as well as insight into tactics and techniques and recommendations for protecting critical networks.
Which threats increased massively in the first half of the year?
IoT malware threats are on the rise and will be a major part of the threat landscape for the foreseeable future. Several factors are contributing to this unprecedented growth:
- Exponential growth in the number of IoT devices.
- The insecure use of IoT devices that are directly accessible via the internet.
- A lack of security updates for IoT devices, leaving the devices vulnerable to frequent attacks from many threat actors.
- The lack of insight into the security posture of IoT devices.
One of the most notable botnets is Dark Nexus, discovered in April 2020. Its operators release new updates frequently, much like commercial software, and openly sell their DDoS mitigation services on the internet. From a technical perspective, Dark Nexus stands out from competing botnets through a sophisticated mechanism that profiles the processes running on the infected device in order to identify processes that could interfere with the malware's execution. Although Dark Nexus initially infected only a few thousand devices, that number can grow quickly, so Dark Nexus deserves close attention.
Does ransomware still matter?
Ransomware attacks targeting a variety of industry verticals are still commonplace. What has changed are the targets. Ransomware gangs have shifted their focus to larger, more critical targets with deeper pockets, including manufacturers, energy companies and local municipalities, among others. Ransomware operators typically encrypt files and demand ransom payments from victims. Now they are also exfiltrating corporate data and threatening to publish it on the internet to exert even more pressure.
How is the COVID-19 pandemic being exploited for cybercrime?
The global COVID-19 pandemic provides cybercriminals with even more vectors and opportunities for exploitation. The attack surface for most companies has greatly increased with the rapid shift to a "home office" policy. Some companies have infrastructure in place to enable remote working, such as VPNs and work laptops. However, many other companies are not prepared for this and have to find solutions quickly, which has opened the door to security risks. In addition, the climate of fear and uncertainty caused by COVID-19 makes employees more vulnerable to social engineering attacks. Cybercriminals mainly used phishing emails in the first attack phase to trick users into revealing personal information or running malicious software.
One example is the Chinoxy Backdoor malware family. It uses a COVID-19 support themed lure document embedded in an .rtf file that exploits CVE-2017-11882. The exploit is used to drop malicious binaries on the machine, which then use HTTP over port 443 for C&C communication. When cybercriminals gain access to systems and steal network data, they always leave a trail. This is good news, because that trail can be identified, provided companies have clear insight into what is happening in their OT/IoT networks.
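As an added example (not Nozomi's code or part of the original post), a small Python detector for the protocol/port mismatch described above: cleartext HTTP sent to TCP/443 instead of TLS, which is one trace this kind of C&C leaves in network traffic. The flow records, addresses and payloads are constructed for illustration; the check is a generic mismatch heuristic, not a signature for Chinoxy.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# HTTP/1.x request line at the very start of the client's first payload
HTTP_REQ = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE) \S+ HTTP/1\.[01]\r\n")
HOST_HDR = re.compile(rb"\r\nHost: ([^\r\n]+)")

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection

def looks_like_tls(payload: bytes) -> bool:
    # A TLS ClientHello starts with record type 0x16 (handshake), major version
    # byte 0x03 and a minor version 0x00..0x03 (SSL 3.0 through TLS 1.2/1.3 records).
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03

def looks_like_http(payload: bytes) -> bool:
    return HTTP_REQ.match(payload) is not None

def classify(flow: Flow) -> str:
    """Label traffic to TCP/443: 'tls' is expected, anything else is suspicious."""
    if flow.dport != 443:
        return "ignored"
    if looks_like_tls(flow.payload):
        return "tls"
    if looks_like_http(flow.payload):
        return "cleartext-http-on-443"
    return "unknown-on-443"

def find_suspicious(flows: List[Flow]) -> List[Tuple[str, str, str, str]]:
    """Return (src, dst, label, host) for every 443 flow that is not TLS."""
    hits = []
    for f in flows:
        label = classify(f)
        if label in ("tls", "ignored"):
            continue
        m = HOST_HDR.search(f.payload)  # Host header, if any, helps triage
        host = m.group(1).decode(errors="replace") if m else ""
        hits.append((f.src, f.dst, label, host))
    return hits

# Constructed sample flows (not real captures); 203.0.113.0/24 is documentation space.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow("10.0.0.7", "203.0.113.20", 443, b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.20\r\nContent-Length: 12\r\n\r\nid=placeholder"),
    Flow("10.0.0.8", "203.0.113.30", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.0.0.9", "203.0.113.40", 443, b"\x00\x00\x00\x2a\xde\xad\xbe\xef"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_FLOWS):
        print("ALERT", *hit)
```

In practice the first client payload would come from a passive sensor or PCAP parser; the heuristic also surfaces non-TLS binary protocols on 443, which deserve a look in an OT network even when they are not HTTP.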
What are other challenges in IT security?
Vulnerabilities discovered in ICS systems provide attackers with the ability to manipulate data, which can impact physical processes and be extremely dangerous to industrial production. It is therefore important to consider vulnerability threat trends when assessing security risks. The number of vulnerabilities found by ICS-CERT in the first half of 2020 has increased significantly compared to 2019. A sensible approach for industry is to reduce exposure by addressing vulnerabilities that are easy to mitigate first. Over time, more and more vulnerabilities can be mitigated. Improper input validation and buffer overflow vulnerabilities top the list of 2020 vulnerabilities in terms of numbers. While the former falls into the category of easily mitigated vulnerabilities, the latter is more difficult to fix. Buffer overflows require firmware updates from manufacturers, replacement of old devices and other remediation. Unfortunately, this group will likely continue to account for a significant percentage of discovered vulnerabilities in the coming years.
What cyber threats are expected in the second half of the year?
We expect attacks from IoT botnets, ransomware and COVID-19-themed malware to continue to increase, although their tactics will evolve in the second half of the year. In the face of increasing and ever-changing threats, it is important to ensure high cyber resilience and rapid response capabilities. Security breaches related to people, processes and technology can have a major impact, especially on IT and OT in organisations with increasingly interconnected IT, OT and IoT systems. However, with the right technology and a focus on best practices, visibility and operational resilience can be increased.
Translated from English with DeepL
Original by Alessandro Di Pinto, Head of Security Research at Nozomi Networks.
Correction and editing by Victor Rossner