In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras) to gain access, IT for traversal, and OT, particularly PLCs for detonation.
Ransomware has become a significant threat in the industrial sector, causing widespread operational disruption. A new proof-of-concept ransomware attack devised by Forescout Technologies has concerned the infosec community even more because of the dire consequences for OT security.
Proof-of-Concept Research Reveals Next Generation of Ransomware
Operational Technology (OT) and Industrial Control System (ICS) networks have become the targets of interest among ransomware operators. Vedere Labs of Forescout Technologies claim that their new proof-of-concept attack can have challenging OT and IoT security implications.
In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras) to gain access, IT for traversal, and OT, particularly PLCs for detonation.
The attack involves exploiting a flawed IP camera to compromise the IT infrastructure to gain access and shut down the OT hardware of the organization. It is worth noting that no new exploits were used in the attack, and just pre-existing flaws were enough to compromise such critical systems.
According to Vedere Labs, the only attack scenario that combines the IT, IoT, and OT ransomware in a single PoC. Researchers also released a video demonstration of the attack.
Attack Details
In the demonstration video, the researchers can be seen compromising mainstream network-connected security cameras, mainly from Hikvision and Axis, as these vendors provide 77% of the IP cameras currently used in enterprise networks. In fact, Forescout revealed in its report that over half a million devices are under threat because of using the default VLAN1 configuration.
Therefore, any vulnerability can be used against these devices to access an inadequately protected enterprise network. The video shows that threat actors first exploit the camera’s flaws and then execute a command to access a Windows device and later execute more commands to locate other devices/machines attached to the same camera.
PoC Video
As it can be seen in the video above, a simulated ransomware attack is used against a fictional hospital, and the Forescout team accessed an IP camera to access the hospital’s network and camera and searched for a programmable logic controller that controlled the facility’s heating, ventilation, and air conditioning (HVAC) system, escalated privileges to install ransomware and shut the system down.
The attacker will look for devices having weak credentials to establish an SSH tunnel by opening remote desktop protocol ports. They can now open a remote desktop session, disable network firewalls/antivirus solutions, and install malware. They can also gain privilege escalation, install ransomware and cryptocurrency miners, or launch malicious executables at OT systems.
Nevertheless, the head of security research at Forescout Vedere Lab Daniel dos Santos stated that the primary objective behind the demonstration of this PoC was to indicate how vulnerable organizational security was regarding OT networks and to highlight the evolving dangers and scope of ransomware attacks.
More IoT Vulnerability News
- DNS rebinding attack puts half a billion IoT devices at risk
- BotenaGo botnet malware targeting millions of IoT devices
- New malware found targeting IoT devices, Android TV globally
- Millions of IoT devices, baby monitors open to audio, video snooping
- IoT botnet of heaters & ovens can cause massive widespread power outages
