Annual IoT Security Report 2019-3

Annual IoT Security Report 2019-3

November 11, 2020 | Adeline Zhang
IoT botnets

LockerGoga Ransomware Alleged to Repeatedly Attack Plants

On January 24, 2019, France-based Altran Technologies was allegedly hit by LockerGoga ransomware. On March 19, Norsk Hydro, one of the largest aluminum companies worldwide, was hit by an extensive cyberattack, having machines around the globe infected with malware and some unable to operate. As a result, some plants had to switch from automatic to manual procedures, significantly compromising the productivity. This attack on the Norwegian aluminum company employed a tactic similar to that of LockerGoga. On March 12, 2019, two US chemical manufacturers Hexion and Momentive respectively suffered a LockerGoga ransomware attack9. In as short as two months, four plants in Europe and the USA became targets of ransomware attacks. Such devastating ransomware caused great damages to enterprises. According to a report on July 23, 201910, the attack could cost Norsk Hydro a whopping amount of $63.50 million to $75 million. But no exact figure was given because the computing system used for calculating profits was also compromised by the ransomware.

LockerGoga is not the only ransomware that harasses people. Other ransomware families have also caused great damages to industrial systems. For example, Demant, the world’s second largest hearing healthcare group, suffered losses of up to $95 million following what appeared to be a ransomware infection that hit the company11. ASCO, one of the world’s largest suppliers of airplane parts, had to cease production in factories in Germany, Canada, and the USA due to a ransomware infection reported
at its plant in Zaventem, Belgium12. In 2018, a ransomware attack cost TSMC over RMB 1.7 billion13.

After breaking into a computer system, ransomware usually encrypts the user’s important files without crippling system functions so as not to obstruct the user from using the computer to pay ransom as required. However, LockerGoga tends to paralyze the computer system. As a result, even if a victim pays the demanded ransom, he or she still needs to spend a lot of money having the system restored.

The 2018 Annual IoT Security Report also lists the TMSC ransomware attack as one of the major IoT incidents in 2018. Obviously, ransomware attacks are often directed at plants, with a devastating impact. This somewhat reflects the trend of traditional ICSs moving into the Internet. As a result of the convergence of operational technology (OT) systems and information technology (IT) systems, ICSs are no longer physically isolated. Moreover, with the rise of the industrial Internet, industrial equipment’s getting online will become an irreversible trend. Whether for defeating an adversary country, as mentioned previously, or for exerting an extensive impact, as demonstrated in these incidents, attacks on IT systems have severely affected the security of ICSs, which may escalate into serious production
security accidents.

To tackle threats from ransomware, industrial manufacturers must create backups for their mission critical files and make offline backups for mission critical computer systems on a daily basis so as to be able to rapidly restore production and operations following a ransomware attack. Antivirus software should be deployed to protect engineering stations and other terminals and the virus database should be updated in time. It is also important to provide security training to employees, who should be cautious enough not to download applications from untrusted websites.

WS-Discovery First Found to Be Abused for DDoS Reflection Attacks

In February 2019, security researchers from Baidu published an article concerning a WS-Discovery reflection attack1, which involved 1665 reflectors14. This is the first report we have read about such attacks. In a post, ZDNet mentioned that WS-Discovery reflection attacks were first reported in May, and in August, many hacker groups began to use this protocol to launch DDoS attacks15. According to Akamai, one of its customers in the gaming industry suffered a WS-Discovery reflection attack weighing in at 35 Gbps at peak bandwidth16.

Web Services Dynamic Discovery (WS-Discovery) is a multicast discovery protocol to locate services on a local area network (LAN). However, due to device vendors’ design flaw in the implementation, when a normal IP address sends a service discovery packet, devices will also respond to the request. If exposed on the Internet, these devices will be possibly exploited for DDoS reflection attacks.

WS-Discovery operates over TCP and UDP port 3702. Currently, the ONVIF specification17 for video surveillance devices specifies WS-Discovery as the service discovery protocol, and some printers also use port 3702 for service discovery on newer devices.

Reflection attacks are nothing new and protections against them are constantly improved. The same happens on the other side of the fence. Attackers keep upgrading their methods and begin to turn their eyes to some new protocols. The WS-Discovery reflection attack, as a new type of reflection attack, is aimed at IoT devices. It had never been mentioned in articles concerning reflection attacks before 2019. However, the protocol is ripe for abuse and there is a danger that it may be weaponized to its full potential one day, which we should guard against. In chapter 4, we will provide a further analysis of the related attacks.

Weak Passwords Enabling a Hacker to Take Over 29 IoT Botnets

According to ZDNet’s report19, a threat actor with the screen name of “Subby” took over 29 IoT DDoS botnets. Subby used a dictionary of user names and a list of common passwords to brute-force his way into the C&C servers of these 29 botnets, some of which used very weak credentials, such as “root:root”, “admin:admin”, and “oof:oof”. According to Subby, none of the 29 hijacked botnets were particularly large in size. The actual number of bots in these botnets added up to a meager 25,000.

Today, one does not need to know much about programming when creating an IoT botnet program. A script kiddie can produce one by finding some program or code from a technical website and then making some minor configuration changes. This is why the hacker in question could take over 29 IoT botnets so easily. Many IoT botnets are created in similar ways, further aggravating the IoT security situation.

However, every cloud has a silver lining. As attackers may not be skillful professionals, they tend to use default passwords or even directly use addresses of C&C servers revealed in examples given in various analysis articles. This provides a chance for us to “hack back”. In other words, we can use attackers’ weaknesses to our advantage so as to take down malicious botnets.

Japan Approving a Law Amendment to Allow Government Workers to Hack into IoT Devices

On January 25, 2019, the Japanese government approved a law amendment that would allow government workers to hack into people’s IoT devices20. According to the amendment, the National Institute of Information and Communications Technology (NICT) workers can scan IoT devices to find vulnerable ones by trying weak passwords, and NICT can share such information to telecom carriers as threat intelligence. For this purpose, Japan initiated the National Operation Towards IoT Clean Environment (NOTICE) project21 on February 20, 2019, starting to survey IoT devices on the Internet for vulnerable ones and provide related information to telecom carriers. Then, telecom carriers will identify the users of the devices and alert them to the problem. These moves taken by Japan were also part of its security efforts for the Summer Olympics and Paralympics to be held in this country in 2020 to avoid incidents like the Olympic Destroyer attack22 aimed at the Pyeongchang Winter Olympics in 2018.

Although this practice of Japan may compromise the integrity of devices or cause some people’s grievance, reducing or removing vulnerable IoT devices from the Internet is an effective method to eradicate IoT security issues.

As indicated above, there are a large number of vulnerable IoT devices on the Internet, which will exist for a long time, thus making themselves ideal targets for attackers. Although we mentioned in section 1.7 a “hack-back” method, this is not recommended because it is an illegal practice. The fundamental approach to IoT security governance is to identify vulnerable devices and users on the Internet and then harden security or replace devices. Of course, to do so, we must first evaluate devices, checking whether they are vulnerable. Technically, some intrusive methods have to be employed, which will somewhat compromise the integrity of devices. Therefore, this approach is also illegal. As for the NOTICE project, the Japanese government removes the legal risk government workers (security researchers) may bear for surveying vulnerable IoT devices in the country. Besides, the government also expressly indicates on its website21 that the survey is aimed at checking whether the password setting in each IoT device is easily guessed and the survey will not intrude into devices or obtain other information than required for the survey.

As for the information obtained in the survey, strict safety control measures will be taken in accordance with NICT’s implementation plan approved by the Minister for Internal Affairs and Communications. The measures taken by Japan, which encourage sufficient interactions between governments, telecom carriers, and users, can inform the handling of vulnerable IoT devices on the Internet in other countries.

SummaryThis chapter looks back at eight IoT incidents in 2019. Power outages in Venezuela, massive attacks launched via Mirai-based botnets and ransomware, and critical vulnerabilities found in Boeing systems open our eyes to a still gloomy landscape of IoT security in 2019. The incident of EOL D-Link routers for which no official patch or update will be provided is just a tip of the iceberg. There must be a lot of other devices with the same issue, which, if not addressed promptly, will pose a longstanding threat.

A hacker’s takeover of dozens of botnets enlightens us that those on the defensive can take the offensive to take down botnets by attacking them. In numerous incidents, sources and targets are both linked with vulnerable IoT devices. Therefore, for the purpose of cybersecurity, the USA and Japan both enacted acts and policies in 2019 directed at IoT devices.

In a word, the security situation of IoT devices was still depressing, making IoT security assurance a long-term task that calls for joint efforts from governments, enterprises, and users. Specifically, government agencies and legislatures should gradually put in place all necessary statutes and policies concerning IoT security, thus driving the security of the IoT ecology.

Enterprises should make more efforts to standardize the management of IoT security around their personnel and devices and even need to invest in security controls to reduce losses incurred by DDoS attacks and ransomware attacks.

Users should raise the security awareness. When making purchase decisions, they should understand what loss they may suffer because of using insufficiently protected devices. Besides, they should change their login credentials from time to time and update their software and systems regularly.

To be continued.