In part three of this three-part series, Microsoft dissects these twinned threats and what organizations can do to reduce or eliminate their risk.

Every year, Microsoft releases the "Microsoft Digital Defense Report" as a way to illuminate the evolving digital threat landscape and help the cyber community understand today's most pressing threats. Backed by intelligence from trillions of daily security signals, this year's report focuses on five key topics: cybercrime, nation-state threats, devices and infrastructure, cyber-influence operations, and cyber resiliency.

In this article, we break down part three of the report on nation-state threats and the rise of cyber mercenaries. Read on to learn how you can better protect your organization from this growing trend.

**3 Core Nation-State Trends**

Nation-state threats took center stage in 2022 with the launch of Russia's cyber war on Ukraine. This behavior has continued into 2023. We're also seeing nation-state actors elsewhere increase activity and leverage advancements in automation, cloud infrastructure, and remote access technologies to attack a wider set of targets. More specifically, here are three core nation-state threat trends that emerged in 2022.

**Increased Focus on IT Supply Chains**

In 2022, we saw nation-state cyber threat groups move from exploiting the software supply chain to exploiting the IT services supply chain. These actors often targeted cloud solutions and managed services providers to reach downstream customers in government, policy, and critical infrastructure sectors, such as what we saw in the Nobelium attacks. Over half (53%) of nation-state attacks targeted the IT sector, nongovernmental organizations (NGOs), think tanks, and the education sector.

**Emergence of Zero-Day Exploits**

As organizations work to collectively strengthen their cybersecurity posture, nation-state actors are pursuing new and unique tactics to deliver attacks and evade detection. One prime example is the identification and exploitation of zero-day vulnerabilities. Zero-day vulnerabilities are a security weakness that, for whatever reason, have gone undiscovered. While these attacks start by targeting a limited set of organizations, they are often quickly adopted into the larger threat actor ecosystem. It takes only 14 days, on average, for an exploit to be available in the wild after a vulnerability is publicly disclosed.

**Cyber Mercenaries On the Rise**

Private-sector offensive actors are growing increasingly common. Also known as cyber mercenaries, these entities develop and sell tools, techniques, and services to clients — often governments — to break into networks and Internet-connected devices. While often an asset for nation-state actors, cyber mercenaries endanger dissidents, human rights defenders, journalists, civil society advocates, and other private citizens by providing advanced surveillance-as-a-service capabilities. Rather than being developed for defense and intelligence agencies, these capabilities are offered as commercial products for companies and individuals.

**Responding To Nation-State Threats**

The sophistication and agility of nation-state attacks is only going to continue to grow and evolve. It's up to organizations to stay informed of these trends and evolve their defenses in parallel.

*   **Know your risks and react accordingly:** Nation-state groups' cyber targeting spanned the globe in 2022, with a particularly heavy focus on US and British enterprises. It's important to stay up to date on the latest attack vectors and target areas of key nation-state groups so that you can identify and protect potential high-value data targets, at-risk technologies, information, and business operations that might align with their strategic priorities.
    

*   **Protect your downstream clients:** The IT supply chain can act as a gateway to the digital ecosystem. That's why organizations must understand and harden the borders and entry points of their digital estates, and IT service providers must rigorously monitor their own cybersecurity health. Start by reviewing and auditing upstream and downstream service provider relationships and delegated privilege access to minimize unnecessary permissions. Remove access for any partner relationships that look unfamiliar or have not yet been audited. From there, you can implement multifactor authentication and conditional access policies that make it harder for malicious actors to capture privileged accounts or spread throughout a network.
    

*   **Prioritize patching of zero-day vulnerabilities:** Even organizations that are not a target of nation-state attacks have a limited window to patch zero-day vulnerabilities, so don't wait for the patch management cycle to deploy. Once discovered, organizations have, on average, 120 days before a vulnerability is available in automated vulnerability scanning and exploitation tools. We also recommend documenting and cataloging all enterprise hardware and software assets to determine risk and decide when to act on patches.
    

_**Read more:**_ _**Key Cybercrime Trends (Part 1)**_ _**and**_ _**Trends In Device and Infrastructure Attacks (Part 2)**_

Microsoft Digital Defense Report: Nation-State Threats and Cyber Mercenaries

Cyberattckers can easily exploit a command-injection bug in the popular device, but Belkin has no plans to address the security vulnerability.

The Wemo Mini Smart Plug V2, which allows users to remotely control anything plugged into it via a mobile app, has a security vulnerability that allows cyberattackers to throw the switch on a variety of bad outcomes. Those include remotely turning electronics on and off, and the potential for moving deeper into an internal network, or hop-scotching to additional devices.

Used by consumers and businesses alike, the Smart Plug plugs into an existing outlet, and connects to an internal Wi-Fi network and to the broader Internet using Universal Plug-n-Play (UPNP) ports. Users can then control the device via a mobile app, essentially offering a way to make old-school lamps, fans, and other utility items "smart." The app integrates with Alexa, Google Assistant, and Apple Home Kit, while offering additional features like scheduling for convenience. 

The flaw (CVE-2023-27217) is a buffer-overflow vulnerability that affects model F7C063 of the device and allows remote command injection, according to researchers at Sternum who discovered it. Unfortunately, when they tapped the device maker, Belkin, for a fix, they were told that no firmware update would be forthcoming since the device is end-of-life.

"Meanwhile, it's safe to assume that many of these devices are still deployed in the wild," they explained in an analysis on May 16, citing the 17,000 reviews and the four-star rating the Smart Plug has on Amazon. "The total sales on Amazon alone should be in the hundreds of thousands."

Igal Zeifman, vice president of marketing for Sternum, tells Dark Reading that's a low estimate for the attack surface. "That's us being very conservative," he notes. "We had three in our lab alone when the research started. Those are now unplugged."

    

The Wemo Smart Plug turns regular lamps and such into "smart" devices.

He adds, "If businesses are using this version of the Wemo Plugin inside their network, they should stop or (at the very least) make sure that the Universal Plug-n-Play (UPNP) ports are not exposed to remote access. If that device plays a critical role or is connected to a critical network or asset, you are not in great shape."  

**CVE-2023-27217: What's in a Name?**

The bug exists in the way the firmware handles the naming of the Smart Plug. While "Wemo mini 6E9" is the default name of the device out of the box, users can rename it as they wish using what's designated in the firmware as the "FriendlyName" variable — changing it to "kitchen outlet" for example or similar.

"This option for user input already had our Spidey senses tingling, especially when we saw that changing the name in the app came with some guardrails, \[specifically a 30-character limit\]," Sternum researchers noted. "For us, this immediately raised two questions: 'Says who?' and 'What happens if we manage to make it more than 30 characters?'"

When the mobile app didn't allow them to create a name longer than 30 characters, they decided to connect directly to the device via pyWeMo, an open-source Python module for the discovery and control of WeMo devices. They found that circumventing the app allowed them to get around the guardrail, in order to successfully input a longer name.

"The restriction was only enforced by the app itself and not by the firmware code," they noted. "Input validation like this should not be managed just on the 'surface' level."

Observing how the overstuffed 'FriendlyName' variable was handled by the memory structure, the researchers saw that the metadata of the heap was being corrupted by any name longer than 80 characters. Those corrupted values were then being used in subsequent heap operations, thus leading to short crashes. This resulted in a buffer overflow and the ability to control the resulting memory re-allocation, according to the analysis.

"It's a good wake-up call about the risk of using connected devices without any on-device security, which is 99.9% of devices today," Zeifman says.

**Watch Out for Easy Exploitation**

While Sternum isn't releasing a proof-of-concept exploit or enumerating what a real-world attack flow would look like in practice, Zeifman says the vulnerability isn't difficult to exploit. An attacker would need either network access, or remote Universal Plug-n-Play access if the device is open to the Internet.

"Outside of that, it's a trivial buffer overflow on a device with an executable heap," he explains. "Harder bastions have fallen."

He noted that it's likely that attacks could be carried out via Wemo's cloud infrastructure option as well.

"Wemo products also implement a cloud protocol (basically a STUN tunnel) that was meant to circumvent network address traversal (NAT) and allow the mobile app to operate the outlet through the Internet," Zeifman says. "While we didn't look too deeply into Wemo's cloud protocol, we wouldn't be surprised if this attack could be implemented that way as well."

In the absence of a patch, device users do have some mitigations they can take; for instance, as long as the Smart Plug is not exposed to the Internet, the attacker would have to obtain access to the same network, which makes exploitation more complicated.

Sternum detailed the following common-sense recommendations:

*   Avoid exposing the Wemo Smart Plug V2 UPNP ports to the Internet, either directly or via port forwarding.
*   If you are using the Smart Plug V2 in a sensitive network, you should ensure that it is properly segmented, and that device cannot communicate with other sensitive devices on the same subnet.

**IoT Security Continues to Lag**

As far as broader takeaways from the research, the findings showcase the fact that Internet of Things (IoT) vendors are still struggling with security by design — which organizations should take into account when installing any smart device.

"I think this is the key point of this story: This is what happens when devices are shipped without any on-device protection," Zeifman notes. "If you only rely on responsive security patching, as most device manufacturers do today, two things are certain. One, you will always be one step behind the attacker; and two, one day those patches will stop coming."

IoT devices should be equipped with "the same level of endpoint security that we expect other assets to have, our desktops, laptops, servers, etc.," he says. "If your heart monitor is less secure than the gaming laptop, something has gone horribly wrong – and it has."

Unpatched Wemo Smart Plug Bug Opens Countless Networks to Cyberattacks

Threat actors seen using Go-language implementation of the red-teaming tool on Intel and Apple silicon-based macOS systems.

Heads up: threat actors are now deploying a Go-language implementation of Cobalt Strike called Geacon that first surfaced on GitHub four years ago and had remained largely under the radar.

They are using the red-teaming and attack-simulation tool to target macOS systems in much the same way they have used Cobalt Strike for post-exploit activity on Windows platforms the past few years.

Security researchers at SentinelOne reported the activity this week after spotting several Geacon payloads appearing on VirusTotal in recent months. SentinelOne's analysis of the samples showed some were likely related to legitimate enterprise red-team exercises, while others appeared to be artifacts of malicious activity.

One malicious sample submitted to VirusTotal on April 5 is an AppleScript applet titled "Xu Yiqing's Resume\_20230320.app" that downloads an unsigned Geacon payload from a malicious server with a China-based IP address.

SentinelOne found the application is compiled for macOS systems running on either Apple or Intel silicon. The applet contains logic that helps it determine the architecture of a particular macOS system so it can download the specific Geacon payload for that device. The compiled Geacon binary itself contains an embedded PDF that first displays a resume for an individual named Xu Yiqing before beaconing out to its command and control (C2) server.

"The compiled Geacon binary has a multitude of functions for tasks such as network communications, encryption, decryption, downloading further payloads, and exfiltrating data," SentinelOne said.

In another instance, SentinelOne discovered a Geacon payload embedded in a fake version of the SecureLink enterprise remote-support application. The payload appeared in VirusTotal on April 11 and targeted only Intel-based macOS systems. Unlike the previous Geacon sample, SentinelOne found the second one to be a bare-bones, unsigned application likely built with an automated tool. The app required the user to grant access to the device camera, microphone, administrator privileges, and other settings typically protected under macOS's Transparency, Consent, and Control framework. In this instance, the Geacon payload communicated with a known Cobalt Strike C2 server with an IP address based in Japan.

"This is not the first time we have seen a Trojan masquerading as SecureLink with an embedded open-source attack framework," SentinelOne said. The security vendor pointed to its discovery last September of an open-source attack framework for macOS called Sliver embedded with a fake SecureLink as another example. "\[Its\] a reminder to all that enterprise Macs are now being widely targeted by a variety of threat actors," SentinelOne said.

**Sudden Interest**

Attackers have long used Cobalt Strike for a variety of malicious post-exploit activities on Windows systems including for establishing command-and-control, lateral movement, payload generation, and exploit delivery. There have been instances where attackers have occasionally used Cobalt Strike to target macOS as well. One example is a typosquatting attack last year where a threat actor attempted to deploy Cobalt Strike on Windows, Linux, and macOS systems by uploading a malicious package dubbed "pymafka" to the PyPI register.

In other instances, attackers have also used a macOS focused red-teaming tool called Mythic as part of their attack chains.

The activity involving Geacon itself started shortly after an anonymous Chinese researcher using the handle "z3ratu1" released two Geacon forks last October — one private and likely for sale called "geacon\_pro" and the other public, called geacon-plus. The pro version includes some additional features like anti-virus bypassing and anti-kill capabilities, says Tom Hegel, senior threat researcher at SentinelOne.

He ascribes the sudden attacker interest in Geacon to a blog that z3ratu1 posted describing the two forks and his attempts to market his work. The original Geacon project itself was largely for protocol analysis and reverse engineering purposes, he says.

**Mac Attacks**

The growing malicious use of Geacon fits in with a broader pattern of growing attacker interest in macOS systems.

Earlier this year, researchers at Uptycs reported on a novel new Mac malware sample dubbed "MacStealer" that, in keeping with its name, stole documents, iCloud keychain data, browser cookies, and other data from Apple users. In April, the operators of "Lockbit " became the first major ransomware actor to develop a Mac version of their malware, setting the stage for others to follow. And last year, North Korea's notorious Lazarus Group become among the first known state-backed groups to begin targeting Apple Macs.

SentinelOne has released a set of indicators to help organizations identify malicious Geacon payloads.

Attackers Target macOS With 'Geacon' Cobalt Strike Tool

Partnership will provide SAP customers with comprehensive exposure management capabilities and in-depth visibility of attack surfaces.

**HERZLIYA,** **Israel****,** **May 16, 2023** **/PRNewswire/ --** XM Cyber, the leader in hybrid cloud security, today announced its strategic partnership with SAP. Leveraging the capabilities of XM Cyber's Exposure Management Platform and its attack-path technology, this partnership will help organizations utilizing SAP solutions, such as RISE with SAP and SAP eCommerce Cloud, to transition their data and processes to the cloud with less risk and without compromise. SAP customers can now use the company's exposure management technology to gain visibility into their entire attack surface, both on-premise and in the cloud, to detect and migrate malicious activity before it can occur.

According to XM Cyber's recent research, 71 percent of organizations have exposures in their on-prem networks that put their critical assets in the cloud at risk, highlighting the need for stronger hybrid security controls. In addition to offering the XM Cyber platform to customers, SAP is also utilizing XM Cyber to secure its own hybrid cloud and IT infrastructure. The platform provides SAP with continuous attack identification, remediation, monitoring, and validation capabilities.

"Many organizations continue to struggle with the security complexities associated with managing diverse on-premise and cloud environments," said Tim McKnight, EVP and Chief Security Officer at SAP. "An important part of our ecosystem is ensuring that our customers can securely scale and adapt their infrastructure as required. Partners like XM Cyber, with its attack-path modeling technology, are uniquely positioned to help us and our customers reduce risks within hybrid environments, enhancing resilience against attacks and increasing overall security posture."

XM Cyber's platform is now available for purchase in the SAP® Store, the online marketplace for solutions from SAP and its trusted partners. SAP Store provides customers with real-time access to over 2,300 innovative solutions to become intelligent enterprises and help digitally transform their business. SAP Partners can also benefit from this offer and add their own managed service offering. The offer extends to XM Cyber's continuous control monitoring capabilities which ensures existing security controls are well configured and helps enterprises automate compliance against standards such as ISO, NIST, SWIFT and GDPR.

"Through this strategic partnership, we are harnessing the combined expertise of SAP with our proven technology to help streamline the reduction of risk and the remediation of exposures within organizations," said Noem Erez, CEO and co-founder of XM Cyber. "Our goal is to provide security teams with the data and intelligence needed to quickly remediate the risks which matter most by offering an attacker's perspective with holistic attack path modeling."

During SAP Sapphire, taking place between May 16-17, XM Cyber will be showcasing their exposure management technology and demonstrating how organizations can protect themselves from cyber attacks targeting critical applications.

To learn more, please visit: https://store.sap.com/dcp/en/product/display-0000061477\_live\_v1

**About XM Cyber** 

XM Cyber is a leading hybrid cloud security company that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP, and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might advance, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, and Israel.

**About SAP**

SAP's strategy is to help every business run as an intelligent, sustainable enterprise. As a market leader in enterprise application software, we help companies of all sizes and in all industries run at their best: SAP customers generate 87% of total global commerce. Our machine learning, Internet of Things (IoT), and advanced analytics technologies help turn customers' businesses into intelligent enterprises. SAP helps give people and organizations deep business insight and fosters collaboration that helps them stay ahead of their competition. We simplify technology for companies so they can consume our software the way they want – without disruption. Our end-to-end suite of applications and services enables business and public customers across 25 industries globally to operate profitably, adapt continuously, and make a difference. With a global network of customers, partners, employees, and thought leaders, SAP helps the world run better and improve people's lives. For more information, visit www.sap.com.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see https://www.sap.com/copyright for additional trademark information and notices.

XM Cyber Announces Partnership With SAP to Deliver Robust Security for Hybrid Environments

LockBit, Babuk, and Hive ransomware used by Russian to target critical US organizations, DOJ says.

Russian national Mikahail Pavlovich Matveev has been charged by the US Department of Justice (DoJ) for launching ransomware attacks on critical organizations including law enforcement agencies, healthcare operations, and more.

Matveev is estimated by the DoJ to have demanded as much as $400 million in ransom payments from his victims over his years as a ransomware operator, and to have actually collected as much as $200 million in extortion money.

The DoJ alleges that Matveev used three ransomware variants in his cybercrimes. In June 2020, he was accused by the DoJ of conspiring to deploy LockBit against New Jersey law enforcement. In addition, Matveev used Hive against a nonprofit healthcare organization in New Jersey in May 2022, and used Babuk ransomware to shake down the Washington DC Metropolitan Police Department, the DoJ added.

"From his home base in Russia, Matveev allegedly used multiple ransomware variants to attack critical infrastructure around the world, including hospitals, government agencies, and victims in other sectors," said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department's Criminal Division in a statement about the newly unsealed charges against the alleged ransomware operator. "These international crimes demand a coordinated response. We will not relent in imposing consequences on the most egregious actors in the cybercrime ecosystem."

If convicted, Matveev faces up to 20 years in prison; however, he resides in Russia, making the carrying out of any sentence highly unlikely.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Russian Ransomware Perp Charged After High-Profile Hive, Babuk & LockBit Hits

Researchers infiltrate a ransomware operation and discover slick services behind Qilin's Rust-based malware variant.

Ransomware-as-a-service (RaaS) operation Qilin has been arming its affiliates with malware and supporting services to target education, healthcare, and other critical sectors of the worldwide economy, paying out an industry-leading 80% to 85% of takings to the partners.

Researchers from Group-IB were able to infiltrate the Qilin operation in March, and what they found was a one-stop shop for aspiring cybercriminals to get their hands on advanced, customizable ransomware, a defined payment structure, and encryption services to support double-extortion operations (i.e., demanding money to decrypt the data, as well as an additional fee not to release the data on a Wark Web leak site).

Ransomware attacks backed by Qilin operators typically begin with a phishing email, the Group-IB team observed. The Qilin ransomware variant itself has evolved from its July 2022 roots, initially written in Go programming language (Golang) while its current iteration is written in Rust. That makes it difficult to detect and simple to customize for each campaign, Group-IB said in its report on the RaaS operation.

"Having infiltrated Qilin, Group-IB Threat Intelligence researchers were able to analyze the inner workings of the affiliate program and all sections of Qilin's admin panel," the Group-IB report said.

The Qilin RaaS team provides information on everything from intelligence on targets, customizable buildable malware, and even ransomware note templates, the Group-IB team found.

The researchers warn that RaaS operator Qilin is actively recruiting new affiliates and improving its tools and operations, making it an important emerging ransomware threat to keep an eye on.

"Although Qilin ransomware gained notoriety for targeting critical sector companies, they are a threat to organizations across all verticals," the Group-IB report warned. "Moreover, the ransomware operator’s affiliate program is not only adding new members to its network, but it is weaponizing them with upgraded tools, techniques, and even service delivery."

Qilin Ransomware Operation Outfits Affiliates With Sleek, Turnkey Cyberattacks

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Your marching orders are simple: Come up with a clever cybersecurity-related caption for the cartoon above. Now comes the harder part: coming up with the winning caption!

Our favorite submission will win a $25 Amazon gift card. Here are four convenient ways to submit your ideas before the June 7, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading May Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

We burrowed through many great caption ideas (thank you, readers) to pick our fave for last month's contest, "Lucky Charm." And that person is ... Chris Roe, security analyst at Voxtur Analytics, whose caption appears below. Congratulations! A $25 Amazon gift card is on the way.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: One by One

Joint integration delivers effective DSPM enforcement for self-managed customers starting with credential-free access, risk-based continuous authentication, and protection from data exposure.

**SAN FRANCISCO****,** **May 16, 2023** **/PRNewswire/ --** Circle Security, a transformative cybersecurity platform purpose-built for threat prevention powered by a decentralized cryptographic architecture, is pleased to announce a joint integration with the ForgeRock Identity Platform. The pre-built on-premises integrated node will help businesses stay ahead of evolving threats and achieve their security goals by integrating identity authentication and privacy protection capabilities into customer applications as a single unified API.

The Circle Security integrated node provides a credential-free authentication API that enables developers and enterprise IT to enhance the security of identities for Circle and ForgeRock customers by minimizing their dependence on usernames and passwords, binding devices to identities, and securing data flows throughout identity journeys. Specifically, the combination of Circle and ForgeRock strengthens customer's security posture on two critical fronts:

*   Secure and frictionless data access across applications, browsers, and devices without the need for usernames/passwords with cryptographic credential free authentication.
*   Continuous risk-based delegated MFA as a step-up re-authentication or identity verification in existing user workflows for high-risk use cases, contexts, and user profiles.

"Circle Security and ForgeRock share a commitment to excellence, innovation, and customer satisfaction. By joining forces, we are bringing the best of both worlds to our clients and enhancing their digital security posture. Our foundational technology built on a patented decentralized architecture helps developers and enterprises elevate their security posture to _Prevention-first_ from _Detect & Respond_," said Phani Nagarjuna, Founder & CEO of Circle Security. "With the availability of the integrated node available on the ForgeRock Marketplace, self-managed ForgeRock and Circle Security customers can enjoy the benefits of no credential phishing or other credential-driven vulnerabilities and reduced data exposure."

"Our Trust Network technology partnership with Circle Security will provide our joint customers with faster time-to-value and reduced cybersecurity risk and costs," said Alecia Bridgwater, Director of Technology Partners at ForgeRock.

"Together, we will bring cutting-edge security technology to businesses of all types and sizes around the world," added Mr. Nagarjuna of Circle Security.

**About Circle Security** 

Circle is a cybersecurity platform powered by a patented decentralized cryptographic architecture purpose-built to deliver true prevention. Using Circle, enterprises can seamlessly enforce effective data security posture management starting with user data access, data flow tracking, and protection against data exposure.

Unlike other cybersecurity players, Circle decentralizes security orchestration from the cloud to the endpoint while eliminating the need for user credentials thus delivering the dual impact of prevention from credential-driven data breaches and protection from cloud attacks.

Enterprises can deploy Circle in minutes as a device-native service, a mobile app, or a zero-footprint browser-based solution while developers can integrate Circle's API-first technology into their apps, websites, products, and services with low/no code.

_All product and company names are trademarks™ or registered®_ _trademarks of their respective holders._

SOURCE Circle Security

Circle Security Technology Partnership With ForgeRock to Accelerate the Prevention-First Era in Digital Security

Researchers found 11 vulnerabilities in products from three industrial cellular router vendors that attackers can exploit through various vectors, bypassing all security layers.

Eleven vulnerabilities in the cloud-management platforms of three industrial cellular router vendors put operational technology (OT) networks at risk for remote code execution, even if the platform is not actively configured for cloud management, researchers have found.

The vulnerabilities are so severe that even though they affect devices from only three vendors — Sierra Wireless AirLink, Teltonika Networks RUT, and InHand Networks InRouter — they could impact thousands of industrial Internet of things (IIoT) devices and networks in a variety of sectors, warn Eran Jacob, security research team leader, and Roni Gavrilov, security researcher, from Otorio.

"Breaching of these devices can bypass all of the security layers in common deployments, as IIoT devices are commonly connected both to the Internet and the internal OT network," the researchers tell Dark Reading. "It also raises additional risk for propagation to additional sites through the built-in VPN."

If attackers achieve direct connectivity to the internal OT environment, it also may lead to impact on production and safety risks for users across the physical environment, the researchers added.

Moreover, attackers have a number of vectors from which they can exploit the vulnerabilities, including by gaining root access through a reverse-shell; compromising devices in the production network to facilitate unauthorized access and control with root privileges; and compromising devices to exfiltrate sensitive information and perform operations such as shutdown, the researchers said.

Gavrilov shared key findings and remediation tips about the flaws at Black Hat Asia 2023 last week, and the company also published a report that it shared with Dark Reading. All of the vulnerabilities were responsibly disclosed in coordination with the vendors and CISA and have been mitigated by the vendors, according to Otorio.

**Where the Issues Lie**

An industrial cellular router allows multiple devices to connect to the Internet from a cellular network. These routers are commonly used in industrial settings, such as manufacturing plants or oil rigs, where traditional wired Internet connections may not be available or reliable, the researchers said.

"Industrial cellular routers and gateways have become one of the most prevalent components in the IIoT landscape," Gavrilov wrote in the report. "They offer extensive connectivity features and can be seamlessly integrated into existing environments and solutions with minimal modifications."

Vendors of these devices employ cloud platforms to provide customers with remote management, scalability, analytics, and security across their OT networks. Specifically, researchers found various vulnerabilities that "pertain to the connection between IIoT devices and cloud-based management platforms," which, in some devices, is enabled by default, the researchers explain to Dark Reading.

"These vulnerabilities can be exploited in various scenarios, affecting devices that are both registered and unregistered with remote management platforms," they say. "Essentially, it means that there are security weaknesses in the default settings of certain devices' connectivity to cloud-based management platforms, and these weaknesses can be targeted by attackers."

The typical connectivity to these platforms relies on machine-to-machine (M2M) protocols like MQTT for device-cloud communication together with Web interfaces for user management, according to the report. MQTT operates on a publish-subscribe model, where the broker manages topics and devices can subscribe to receive published information. A specialized device API is also commonly used for initialization communication with the cloud platform, along with user API and Web interface for management of the devices.

**Attack Vectors**

Researchers identified critical issues that can be exploited by various attack vectors in three key areas of this connectivity: the asset-registration process, security configurations, and external APIs and Web interfaces, they said.

"Attackers could target specific facilities by leveraging sources like WiGLE and information-leak vulnerabilities (such as \[those\] found in InHand devices), or perform a wide attack on thousands of devices, aiming for wider impact or access," the researchers tell Dark Reading.

Moreover, exploitation of the vulnerabilities could allow attackers to interfere with operational processes, putting the safety of those working in the environment at risk, they say.

One attack vector that can be highly valuable in particular to ransomware groups — which are ramping up industrial network attacks — is to reach sites beyond the initial access point that are at risk due to built-in VPN connectivity of devices, the researchers say. This can allow attack propagation across the broader network, to control centers and SCADA (Supervisory Control and Data Acquisition) servers, they say.

**Mitigation Strategies**

Researchers outlined a number of mitigation strategies for both OT network administrators and vendors of these devices. OT network administrators should disable any unused cloud feature if they're not actively using the router for cloud management to prevent device takeovers and reduce the attack surface, the researchers advised.

They also should register devices under their own accounts in the cloud platform before connecting them to the Internet. This establishes ownership and control and prevents unauthorized access, the researchers said.

Further, administrators can limit direct access from IIoT devices to the routers, since built-in security features like VPN tunnels and firewalls are ineffective once compromised, the researchers said.

"Adding separate firewall and VPN layers can assist with delimitering and reduce risks from exposed IIoT devices used for remote connectivity," Gavrilov wrote in the report.

For their part, vendors can avoid building vulnerabilities into their devices by avoiding the use of weak identifiers and using an additional "secret" identifier during device registration and connection establishment, the researchers advised. They should also enforce initial credential setup so network operators avoid using default credentials and thus introducing security risks immediately into the network. Moreover, the security requirements of the IIoT are unique and should be considered separately to the IoT footprint because the two are not equivalent, the researchers warned.

"This may involve reducing 'high-risk' features upon demand and adding extra layers of authentication, encryption, access control, and monitor," Gavrilov wrote.

Severe RCE Bugs Open Thousands of Industrial IoT Devices to Cyberattack

What works in IT may not in an operational technology/industrial control systems environment where availability and safety of operations must be maintained.

When it comes to incident response, many organizations assume that the training and preparation they have done for the IT side of their networks extends to their operational technology/industrial control systems environments. While they may appear to share many similarities, OT security requires different protocols, objectives, analysis, forensics, and other security methods. What works successfully in an IT network may be problematic for conducting incident response (IR) in an OT/ICS environment, where availability and safety of operations must be maintained. 

Organizations must understand the key differences to navigate around gaps and pitfalls that could prevent a successful OT/ICS IR scenario. 

These are the most common areas we see organizations need some help with during our incident response simulation assessments.

**Shutting Down First, Asking Questions Later**

In an IT environment, isolating or shutting down the system to prevent further infection is a normal and relatively common practice. In an OT environment, isolation or shutting down a system has much more substantial ramifications. 

For example, in the Colonial Pipeline attack, they responded to an attack in the IT systems. To ensure it did not spread to OT systems, they shut those down as well, even though the ransomware did not reach the OT level. The move was in line with their culture of safety. But a shutdown of OT systems has a higher cost per minute of downtime and requires longer to get running again. An IT server can be taken offline and a new one created and stood up in about a day if the entire IT department works on it. In Colonial's case, it took five days _after the ransom was paid_ to stand the pipeline's OT network backup to regular operations. 

**Stopping the Attack and Starting Remediation Too Early**

IT security personnel in a security operations center (SOC) traditionally do not have intimate knowledge of the OT systems, and OT equipment is much more sensitive to data transfer. The SOC team members may get an alert of something happening in the OT system, and if they jump to conduct a scan for vulnerabilities, they can easily overwhelm the system, denial-of-service style. That means it will cease to function and cause a massive loss in productivity. It also requires the OT engineer to go in and fix the mess, which can be an unnecessary source of additional frustration during an already stressful time.

**Lack of Alignment on Ultimate Responsibility**

Because IT and OT teams are so separate, sometimes no one has responsibility for OT from a day-to-day perspective. If a SOC is responsible for the security of all IT systems in the company, does that include OT systems? OT systems aren't IT systems, so one could say no. OT systems have IT assets, though, so are those included? Are those OT assets or IT assets? There is a problem from the moment of responsibility. You have IT professionals without knowledge or experience with the OT assets, and you have OT professionals without a security mindset or understanding of cyber-risk. And neither likes being dictated to by the other. 

**Misunderstanding What the Other Side Is Trying to Accomplish**

One story told by a customer perfectly sums up this point. They talked about how their SOC used to send security reports to the OT engineers to have them patch, fix, or change something in the OT systems. Whenever the OT professionals received this report, they would promptly throw it in the trash. Whether this was from a lack of understanding on either the OT or IT side is unclear, but what is clear is that the communication between the teams was not just insufficient — it was actively opposed.

So how can organizations overcome these challenges? 

Communication and compromise are crucial to building trust. Instead of the security professionals dictating what needs to occur in an OT system, they should work with the OT professionals to find compromises that do not hinder OT goals too much while still allowing the network to maintain security. It's vital to proactively bring both groups together to work towards common security objectives. 

CISOs and security managers can implement structured training programs that simulate how cybersecurity and incident response teams from both IT and OT disciplines would work together during a real-life incident response event. By putting the right people from both sides in the right seats and creating a shared learning path, you invite communication and collaboration between the groups. The more they can practice detecting, responding, and remediating attacks on critical infrastructure together, the better they can understand how to work together better in real life. 

At the end of the day, they are both after the same thing: keeping the organization and its people safe from industrial cyberattacks.

Source

DARKReading