Why xIoT Devices Are Cyberattackers' Gateway Drug for Lateral Movement

Published: 23/11/2024   Category: security




Detailing how extended IoT (xIoT) devices can be used at scale by attackers to establish persistence across networks and what enterprises should start doing about the risk.



Extended IoT devices (xIoT) stand as a perennial favorite for cyberattackers seeking to move laterally and establish persistence within enterprise networks. They've got everything the bad guys need for a foothold: They're grossly under-secured, they're present in large numbers (and in sensitive parts of the network), and, crucially, they're typically not well monitored.
In an upcoming session at RSA, security researcher and strategist Brian Contos will walk his audience through the ways that these devices can be used to create very broad attacks against enterprise resources, along with what security strategists should be doing to counter the risk.
"I'll be doing some xIoT hacking demonstrations, because everybody likes to see things broken into," says Contos, chief strategy officer for Sevco Security. "But in the xIoT world it's quite easy to compromise, so I won't focus on that but instead on how it can be used as a pivot point to attack on-prem devices, in-cloud devices, to steal sensitive data, maintain persistence, and evade detection."
His goal is to show the entire life cycle of the attack in order to demonstrate the weighty ripple effects that are in the offing from leaving xIoT devices unmanaged and unmonitored in enterprise environments.
As Contos explains, xIoT devices typically fall into three device categories that all proliferate significantly in business environments. The first are the enterprise IoT devices like cameras, printers, IP phones, and door locks. The second are operational technology devices like industrial robots, valve controllers, and other digital equipment that control physics in industrial settings. The third — and often least remembered — are general network devices like switches, network attached storage, and gateway routers.
"The thing all of these devices have in common is that they're all purpose-built devices, created for one specific purpose," he notes. "They're network connected, and you can't install any additional stuff on them. So, you can't put a firewall or an IPS, or antimalware on them. So, all of the traditional IT controls don't necessarily fit well in this world of xIoT."
He says his research over the last couple of years has shown that in the typical enterprise network, there are usually three to five xIoT devices per employee floating around. In some industries — such as oil and gas or manufacturing — that number can scale upward to more like five to six devices per employee. So a manufacturing company with 10,000 employees could easily be looking at 50,000 of these devices on their network.
"And what you're going to find is that about half of those are running a default password, which takes all of a half a second for me to look up on Google," he says. "If I Google, 'What's the default password on an APC UPS system,' it will tell me the default username is apc and the default password is apc. And I can tell you from experience, I have yet to have ever seen an APC UPS system in the wild that doesn't have apc-apc as the username and password."
On top of that, he explains that more than half of xIoT devices are also running critical-level CVEs that require little to no hacking expertise to leverage remotely and gain root privileges on the devices.
"Because of the volume, if you don't get into the first 1,000 to 2,000 devices, chances are you are going to get into the next 1,000 to 2,000," he says.
Contos' hacking demonstrations will dive into how a different device from each of the xIoT device categories can be used for a myriad of attack purposes, from turning off power to destroying an asset, and from exfiltrating sensitive data to expanding attack reach across a network. He will share information on xIoT hacking tools that nation-state actors have built and explain how the threat actors are putting serious money into investing in these kinds of attacks.
"I want the audience to understand how easy it is and to understand this is a risk that requires some focus within their organization," he says.
As part of the discussion, Contos will cover countermeasures that include solid asset management, identity management, and patch management around xIoT, as well as compensating controls like segmentation and MFA in order to harden the xIoT attack surface. He also says he hopes to explain that defenses shouldn't be planned in a bubble. This is not the kind of security measure that should be developed by a special task force that's removed from cloud security and other security groups, in other words.
"This should all be integrated because all of these devices touch each other," he says. "It should be part of one larger approach."
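As an added illustration (not code from the article or from Sevco Security) of how the asset-management and segmentation controls above turn into a prioritized work list, the script below scores a constructed xIoT inventory on the two findings the talk highlights, default credentials still in place and an unpatched critical CVE, and weights devices sitting on a flat corporate segment higher because they make the better pivot point. The device names, categories, segment labels and weights are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample inventory (not data from the article): one device per
# xIoT category the talk describes, with the two low-skill entry points it
# cites (vendor default credentials, unpatched critical CVE) and the segment
# each device sits in.
@dataclass
class XiotDevice:
    name: str
    category: str        # "enterprise_iot", "ot", or "network"
    default_creds: bool  # vendor default username/password still in use
    critical_cve: bool   # unpatched critical-severity CVE on the firmware
    segment: str         # network segment the device lives in

ISOLATED_SEGMENTS = {"ot-isolated", "dmz"}  # assumed segmentation labels

INVENTORY = [
    XiotDevice("lobby-camera-01", "enterprise_iot", True, True, "corp-lan"),
    XiotDevice("print-srv-floor3", "enterprise_iot", True, False, "corp-lan"),
    XiotDevice("valve-ctrl-line2", "ot", True, True, "ot-isolated"),
    XiotDevice("nas-finance", "network", False, True, "corp-lan"),
    XiotDevice("edge-gw-site4", "network", False, False, "dmz"),
]

def risk_score(d: XiotDevice) -> int:
    """Assumed weights: each entry point counts 3, both together add 2
    (trivially rooted, then used for persistence), and a device reachable
    from the general corporate network adds 2 because segmentation is the
    compensating control that would otherwise limit the pivot."""
    score = 3 * d.default_creds + 3 * d.critical_cve
    if d.default_creds and d.critical_cve:
        score += 2
    if d.segment not in ISOLATED_SEGMENTS:
        score += 2
    return score

def prioritized(inventory):
    """Remediation order: highest score first, ties broken by name."""
    return sorted(inventory, key=lambda d: (-risk_score(d), d.name))

def summary(inventory):
    """Share of devices with each weakness, the figures the talk tracks."""
    n = len(inventory)
    return {
        "devices": n,
        "default_creds_share": sum(d.default_creds for d in inventory) / n,
        "critical_cve_share": sum(d.critical_cve for d in inventory) / n,
    }
```

The camera on the flat corporate LAN with both weaknesses lands at the top of the list, while the isolated valve controller with the same two weaknesses ranks below it, which is the point of treating segmentation as a compensating control rather than a fix.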
