Chris Swagler | June 14th, 2022

Researchers have shown how ransomware can spread throughout companies using vulnerable Internet-of-Things (IoT) gear. A security company created a proof-of-concept (PoC) strain of next-generation malware called R4IoT. Once the malware gains access to IoT devices—physical objects embedded with technology that allows them to communicate with other devices on a system or across the internet—it spreads laterally through IT networks, deploying ransomware and cryptocurrency miners while exfiltrating data, before exploiting operational technology (OT) systems to physically disrupt critical business operations, including pipelines or manufacturing equipment.

This malware demonstrates threat actors’ evolving nature and changing tactics regarding ransomware in the last couple of years. Threat operators aren’t just encrypting data and demanding a ransom payment to decrypt companies’ systems. Cybercriminals are stealing important information, leaking part or all of it publicly, and threatening companies with DDoS attacks if they don’t pay up.

Some good news is that it’s only conceptual malware, created in a lab to demonstrate how criminals can use IT, OT, and IoT to spread ransomware. If threat actors can identify and exploit IoT vulnerabilities in a victim’s environment, it will bring major challenges to businesses in the real world. None of the exploits is difficult, and all were performed in a lab where every variable was controlled. Discovering the connection point between the IT and OT networks may require some persistence, which points to the commoditization of exploits.

Ransomware-as-a-Service groups produce intricate malware and distribute it to affiliates who deploy it at specified targets. The idea seems to be that someone creates complex malware and someone with lower skills deploys the malware. The lab has seen “bits and pieces” of code like the proof-of-concept exploited in the wild.

As an initial access point, one exploit sample in the PoC targets a network-attached storage device. The information comes from a real-world botnet known as BotenaGo, which has more than 30 exploits for various types of IoT devices and was active last year. In early 2020, Snake ransomware began to raise concerns among industrial control systems operators. One of the most important factors is that threat operators go for the easiest target, and it’s easier to carry out phishing or valid-credentials attacks. As the number of IoT devices grows, so does the attack surface for companies, and ransomware groups that target only IT equipment are missing out on numerous potential points of entry. IoT and OT currently account for 44% of all devices in companies’ networks. When IoT and OT devices surpass 50%, it becomes the tipping point for cybercriminals to start targeting those devices for ransomware attacks.

Cybercriminals can utilize, for example, a vulnerable Axis network-connected camera as an entry point. According to researchers, Axis and Hikvision account for 77 percent of the IP cameras utilized by 1,400 global customers, and Axis cameras alone account for 39% of the total. It’s an indication that using IP camera vulnerabilities as a reusable point of entry to numerous companies (what initial access brokers do) is possible. The threat operators exploit three critical vulnerabilities in the lab’s Axis camera to gain remote command execution and take control of the device.

The criminals change the root directory from read-only to read-and-write mode, allowing larger files to be uploaded and stored, create new users with root privileges to keep control of the camera, and scan the network for a connected Windows machine with remote desktop services (RDP). After locating the Windows machines, the cybercriminals use a dictionary attack against accounts with high privileges to obtain RDP credentials and establish an SSH tunnel between the threat operators’ computers and the RDP boxes. This establishes communication channels for the R4IoT executables and files to be sent. The programs, including a command-and-control agent for future malware and data exfiltration, a crypto miner, and an executable to launch DDoS attacks against critical IoT and OT assets, allow lateral movement in the network by attacking domain controllers.

The study provides a reality check for companies regarding the interconnectedness between their IT, OT, and IoT networks, and how malware can spread across all three environments. It essentially comes down to what companies can do to mitigate the risks. First, identify all the devices in the network and prioritize the vulnerabilities currently being exploited. That means not just the IT equipment on companies’ networks, but everything: IoT, OT, medical devices for hospitals, or whatever companies have connected to the network. Implement security controls, including network segmentation and multi-factor authentication, after identifying all connected devices. Additionally, patch device vulnerabilities, and avoid using default or obvious passwords. Pay attention to the entire environment and define what companies need to accomplish based on the type of device.
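The step in the PoC that turns a compromised camera into a foothold on Windows is the RDP dictionary attack. As an added detection example (not code from the researchers or from SpearTip), the script below runs over constructed, flattened Windows Security logon events and flags a source that hammers privileged accounts over RDP, noting whether a success followed and whether the source sits in an IoT segment that segmentation should keep away from RDP entirely; the IoT subnet, the line format and the event lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample (not real telemetry): flattened Windows Security logon events,
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOGS = """\
2022-06-14T02:10:01 4625 user=Administrator src=10.50.7.23 logontype=10
2022-06-14T02:10:03 4625 user=backupadmin src=10.50.7.23 logontype=10
2022-06-14T02:10:04 4625 user=Administrator src=10.50.7.23 logontype=10
2022-06-14T02:10:06 4625 user=svc_sql src=10.50.7.23 logontype=10
2022-06-14T02:10:07 4625 user=Administrator src=10.50.7.23 logontype=10
2022-06-14T02:10:12 4624 user=Administrator src=10.50.7.23 logontype=10
2022-06-14T02:11:00 4625 user=jdoe src=10.20.1.15 logontype=10
"""

# Assumed segmentation: cameras and other IoT live in 10.50.0.0/16 (hypothetical).
IOT_NETWORKS = [ip_network("10.50.0.0/16")]
LINE_RE = re.compile(r"^(\S+) (\d{4}) user=(\S+) src=(\S+) logontype=(\d+)$")

def parse_events(text):
    # Each line becomes (timestamp, event_id, user, src_ip, logon_type).
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, eid, user, src, ltype = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), user, src, int(ltype)))
    return events

def detect_rdp_dictionary_attacks(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window."""
    by_src = defaultdict(list)
    for ts, eid, user, src, ltype in events:
        if ltype == 10:  # only RDP logons matter for this detection
            by_src[src].append((ts, eid, user))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == 4625]
        for i, (start, _, _) in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                findings[src] = {
                    "failed_logons": len(burst),
                    "targeted_accounts": sorted({e[2] for e in burst}),
                    # a success after the burst is the strongest sign a guess worked
                    "followed_by_success": any(e[1] == 4624 and e[0] > start for e in evs),
                    # IoT-to-RDP traffic should not exist in a segmented network
                    "from_iot_segment": any(ip_address(src) in n for n in IOT_NETWORKS),
                }
                break
    return findings
```

A source flagged with both a following success and an IoT origin is the R4IoT pattern in miniature and is worth isolating before checking for the SSH tunnel described above.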

With the possibility of ransomware evolving to target vulnerable IoT for future attacks, it’s important for companies to always remain ahead of the current threat landscape and keep backups of their networks to avoid paying ransoms. At SpearTip, our certified engineers work continuously at our 24/7/365 Security Operations Center handling cyber incident responses and are ready to respond at a moment’s notice. Our IT remediation team immediately goes to work reclaiming companies’ networks by isolating the ransomware and recovering business-critical assets needed to operate. The ShadowSpear Platform is cutting-edge technology that delivers a cloud-based solution collecting endpoint logs and detecting sophisticated unknown and advanced ransomware threats through data normalization and visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.