IoT attacks are getting more frequent. In April 2019, security researchers at the Microsoft Threat Intelligence Center discovered attempts by a group called “STRONTIUM” to compromise Internet of Things (IoT) devices (a VoIP phone, an office printer, and a video decoder) across multiple customer locations.
Microsoft said on its official blog that it had found that “an actor” had used these devices to gain initial access to corporate networks. In two of the cases, the devices had been deployed without changing the manufacturer’s default passwords, and in the third the latest security update had not been applied to the device.
Microsoft wrote: “We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM.”
Over the preceding 12 months, Microsoft said, it had delivered about 1,400 nation-state notifications to organisations that had been targeted or compromised by STRONTIUM. These notifications cover STRONTIUM activity in general, not only the IoT intrusions described here.
One in five notifications of STRONTIUM activity was tied to attacks against non-governmental organisations, think tanks, or politically affiliated organisations around the world. The remaining 80 percent largely targeted organisations in government, IT, military, defence, medicine, education, and engineering.
Microsoft said these devices were the points of entry from which the group “established a presence on the network and continued looking for further access.” Once inside, a simple network scan for other insecure devices let the actor discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data.
After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on the local subnets. As it moved from one device to another, it dropped a simple shell script to establish persistence, giving it the extended access needed to keep hunting, Microsoft said. Analysis of network traffic showed the devices were also communicating with an external command-and-control (C2) server.
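The behaviours just described (a compromised phone or printer sweeping the LAN for further targets, and calling out to a C2 host it has no business talking to) are both visible in ordinary flow logs from a switch or firewall. The following is an added example of that detection logic, not Microsoft's own guidance or code: it assumes a whitespace-separated flow-log format, an IoT VLAN of 10.20.0.0/24, an allow-list containing one vendor host, and scan thresholds of ten distinct internal hosts in sixty seconds; the sample records are constructed, with documentation ranges standing in for Internet addresses.

```python
"""Flag IoT hosts that scan the LAN or talk to unexpected external hosts.

Added example for this article, not Microsoft's own detection guidance. The
flow-log format, the IoT subnet, the allow-list and the thresholds below are
all assumptions; the sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Assumed: the VLAN where phones, printers and decoders live.
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
# Explicit RFC 1918 ranges. IPv4Address.is_private is deliberately not used:
# it also returns True for the documentation ranges (198.51.100.0/24,
# 203.0.113.0/24) that stand in for Internet hosts in the sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: the only external endpoints these devices legitimately reach
# (vendor update server, hosted SIP, and so on).
ALLOWED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}
SCAN_DISTINCT_HOSTS = 10   # distinct internal destinations ...
SCAN_WINDOW_S = 60         # ... within this many seconds counts as a scan

# Constructed sample flow records: "<ISO timestamp> <src> <dst> <dport> <proto>"
SAMPLE_FLOWS = [
    "2019-04-10T09:00:01 10.20.0.15 10.20.0.1 53 udp",       # DNS, normal
    "2019-04-10T09:00:02 10.20.0.15 203.0.113.10 443 tcp",   # allow-listed vendor host
    "2019-04-10T09:01:00 10.20.0.15 198.51.100.77 443 tcp",  # unknown external host: possible C2
    "2019-04-10T09:05:00 10.20.0.22 203.0.113.10 443 tcp",   # healthy device
    "2019-04-10T09:05:10 10.50.0.9 198.51.100.77 443 tcp",   # not on the IoT VLAN: out of scope
] + [
    # the same printer probing twelve workstations on SMB within eleven seconds
    f"2019-04-10T09:01:{5 + i:02d} 10.20.0.15 10.30.0.{1 + i} 445 tcp"
    for i in range(12)
]


def parse_flow(line):
    """Parse one whitespace-separated flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto}


def is_internal(ip):
    """True if the address falls in one of the RFC 1918 ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious(flows):
    """Return (external_contacts, scanners).

    external_contacts: list of (src, dst, dport) for IoT hosts reaching
        Internet addresses that are not on the allow-list.
    scanners: {src: distinct_internal_hosts} for IoT hosts that touched at
        least SCAN_DISTINCT_HOSTS distinct internal hosts inside SCAN_WINDOW_S.
    """
    external = []
    internal_events = defaultdict(list)   # src -> [(ts, dst), ...]
    for f in flows:
        src, dst = f["src"], f["dst"]
        if src not in IOT_SUBNET:
            continue
        if is_internal(dst):
            internal_events[src].append((f["ts"], dst))
        elif dst not in ALLOWED_EXTERNAL:
            external.append((str(src), str(dst), f["dport"]))

    scanners = {}
    for src, events in internal_events.items():
        events.sort(key=lambda e: e[0])
        # Slide a window that starts at each event and count distinct targets.
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:]
                       if (ts - t0).total_seconds() <= SCAN_WINDOW_S}
            if len(targets) >= SCAN_DISTINCT_HOSTS:
                scanners[str(src)] = len(targets)
                break
    return external, scanners


def analyse(lines):
    """Run both checks over raw flow-log lines."""
    return find_suspicious(parse_flow(line) for line in lines)


if __name__ == "__main__":
    external, scanners = analyse(SAMPLE_FLOWS)
    for src, dst, port in external:
        print(f"[external] {src} -> {dst}:{port} is not allow-listed")
    for src, n in scanners.items():
        print(f"[scan] {src} contacted {n} internal hosts within {SCAN_WINDOW_S}s")
```

On the sample data the printer at 10.20.0.15 is reported twice: once for the non-allow-listed connection to 198.51.100.77, and once for touching twelve internal hosts within the window, while the phone at 10.20.0.22 and the non-IoT host are left alone. The allow-list is the part that needs real care in production: embedded devices should have a short, known set of external endpoints, which is exactly what makes any other outbound connection from that VLAN worth an alert.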
Microsoft added: “Since we identified these IoT attacks in the early stages, we have not been able to conclusively determine what STRONTIUM’s ultimate objectives were in these intrusions.”
Microsoft said it was sharing the information about these IoT attacks “to raise awareness of these risks across the industry.”
Microsoft has also published guidance on how to check whether a network has been affected by this particular campaign.