R4IoT: When Ransomware Meets the Internet of Things
Originally published June 1, 2022
In mid-2022, Forescout Research – Vedere Labs developed R4IoT, a proof-of-concept that showed how IoT devices could become entry points for IT and further OT ransomware attacks. The original blog post, below, explains how we came to create R4IoT and why. Our 2023H1 Threat Review included ample evidence that cross-device attacks like R4IoT are now a reality. Some threat actors are routinely mixing traditional endpoints with unmanaged devices such as VPN appliances, routers, network attached storage (NAS) and building automation devices as part of their attack campaigns. Clearly, it’s not enough to detect emerging threats; you must also be able to respond to them.
Since unveiling R4IoT, Forescout launched our own threat detection and response solution, Forescout Threat Detection & Response, part of the Forescout Platform. The following video tells the full story of what an R4IoT attack looks like and how Forescout Threat Detection & Response can work with your other security tools, including almost any endpoint detection and response (EDR) solution, to detect a cross-device attack like R4IoT as it unfolds, alert the SOC of a true threat and initiate policy-based remediation. There’s also a companion eBook.
Enjoy the video. Then, read on to understand the anatomy of a ransomware attack involving IoT.
Over the past few years, ransomware has been evolving because of two ongoing trends:
- Digital transformation driving rapid growth in the number of IoT devices in organizations
- The convergence of IT and OT networks
Ransomware actors have been evolving quickly and have moved from purely encrypting data until circa 2019 to exfiltrating data before encryption in 2020 to large extortion campaigns with several phases in 2021. The trend continued in early 2022 with the emergence of new and very sophisticated ransomware families such as ALPHV and more attacks by ransomware-as-a-service (RaaS) gangs such as Conti. This evolution in attacker methods means that ransomware gangs could now cripple the operations of virtually any organization.
Today, Forescout Vedere Labs is releasing an information report that includes a detailed playbook describing how organizations can protect themselves against a new type of ransomware attack that leverages IoT devices, such as video cameras, to deploy ransomware. The report includes a comprehensive, proof-of- concept demonstration of this new attack vector that Forescout Vedere Labs predicts will be the next step in ransomware evolution – we call this new attack approach “Ransomware for IoT,” or R4IoT. The R4IoT report describes how IoT devices can be exploited for initial access and lateral movement to IT and OT devices, with the objective of causing physical disruption of business operations.
The proof-of-concept ransomware described in the R4IoT report exploits the first trend (growth in IoT devices) by using exposed vulnerable devices, such as an IP video camera or a network-attached storage (NAS) device, as the initial access point to the network. It exploits the second trend (convergence of IT and OT networks) to hold OT devices hostage, thus adding another layer of extortion to an attack campaign.
This research is the first of its kind because:
- We implemented and describe in detail detection and response actions for an R4IoT attack that serve as a playbook for organizations looking to defend against both current and future threats.
- This is the first work to combine the worlds of IT, OT and IoT ransomware and to have a full proof-of-concept from initial access via IoT to lateral movement in the IT network and then impact in the OT network. Beyond just encryption, the proof-of-concept on IT equipment includes deployment of crypto miner software and data exfiltration.
- The impact on OT is not limited to standard operating systems (e.g., Linux) or device types (e.g., building automation), does not require persistence or firmware modification on the targeted devices, and works at scale on a wide variety of devices impacted by TCP/IP stack vulnerabilities.
This proof-of-concept, shown in the video above and detailed in the technical report, is a clear demonstration of how IoT and OT exploits can be combined with a traditional attack campaign. It also shows that to mitigate this type of attack, organizations need solutions that allow for extensive visibility and enhanced control of all the assets in a network.
Ransomware mitigation
Beyond demonstrating how an R4IoT attack works, the report shows that there are ways to mitigate both the likelihood and the impact of this type of incident on organizations, thus decreasing the overall risk that they face. Three important observations from our study of the ransomware threat landscape make mitigation of this threat possible across the NIST Cybersecurity Framework functions:
- Identification and Protection are possible because hundreds of very similar attacks happen simultaneously. For instance, Conti had more than 400 successful attacks on U.S. and international organizations in 2021. That means it is possible to identify devices and vulnerabilities being actively exploited so their protection can be prioritized.
- Detection is possible because most tools and techniques these actors use are well-known. We present the top tactics, techniques and procedures (TTPs) used by malware in 2021.
- Response and Recovery are possible because attacks are not immediate and fully automated. The average dwell time of ransomware attackers was five days in 2021.
Implementing this mitigation requires extensive visibility and enhanced control of all assets in a network. In addition to continuous threat detection and response from Forescout Threat Detection & Response, the Forescout Platform helps to achieve that via:
- Unparalleled insight across your entire asset landscape without disrupting critical business processes. After discovering connected devices, Forescout auto-classifies and assesses those devices against company policies. The powerful combination of these three capabilities— discovery, classification and assessment—delivers the asset visibility to drive appropriate policies and action.
- In-depth visibility and cyber resilience with asset and communications inventory based on DPI. This allows for network monitoring and threat hunting capabilities, such as threat and vulnerability indicators.
- Accelerated design, planning and deployment of dynamic network segmentation across the extended enterprise to reduce your attack surface and regulatory risk. It simplifies the process of creating context-aware segmentation policies and allows visualization and simulation of policies prior to enforcement for proactive fine-tuning and validation.
- Sharing device context between the Forescout Platform and other IT and security products to automate policy enforcement across disparate solutions and accelerate system- wide response to mitigate risks.