As we look back over the first half of 2021, we’ll likely remember it as the time when immunization programs, where available, started to make a difference by suppressing the COVID-19 pandemic. For those of us involved in security research, however, we’ll remember it as a time of unprecedented cybercrime.
Following milestone attacks on SolarWinds in December 2020 and Microsoft Exchange in January 2021, recent months have seen further landmark attacks. Ransomware operators have executed high impact incidents – on Colonial Pipeline and JBS Foods, on Quanta, Acer and Kaseya – and demanded higher ransoms. For industrial organizations, ransomware attacks rose 500% between 2018 and 2021, with another 116% increase just between January and May of 2021.
At the same time, vulnerability disclosures for ICS grew 44% in the first half of this year compared to the second half of last year. The critical manufacturing sector was the most affected, with a whopping 148% increase in vulnerability disclosures solely affecting that industry.
IoT security threats, such as those for IoT security cameras, were also a heightened area of risk. Our Labs team disclosed vulnerabilities for Realtek and ThroughTek, while the Verkada breach showed us that attackers could use security cameras as an entry point for lateral movement across victims’ networks.
To help defenders of OT/IoT environments and the security community at large, we just released a new report that focuses on the areas mentioned above. It provides insights that will aid in re-evaluating your risk models and security programs, along with actionable recommendations for securing your operational systems.
Ransomware Attacks Result in OT Disruption
Ransomware dominated news headlines in the first half of 2021, particularly with the attack on Colonial Pipeline. While this notable incident did not include a direct breach of the OT network, pipeline systems were taken offline by the company as a precaution, resulting in gas shortages along the U.S. East Coast. This highlights the link between IT and OT risks. Even if the attack didn’t cross from IT to OT, operational systems were disrupted to ensure their safety and integrity.
Darkside, the group that attacked Colonial Pipeline, is an example of a Ransomware as a Service (RaaS) operator. It coordinates an effort that carefully prepares and deploys malware that uses a combination of attack techniques. The success of the entire attack shows the effectiveness of the RaaS model, with a division of labor that plays to the strengths of each party.
Unfortunately, another RaaS operator, REvil, also flourished in the first half of the year with high profile attacks on JBS Foods, Acer, and Quanta. REvil continues to make waves with its recent attack on Kaseya, a provider of a Software as a Service network management tool. This cunning supply chain/ransomware attack is estimated to have impacted up to 1,500 organizations in dozens of countries around the world – and came with a $70 million ransom demand.
Ransomware threats are now a board-level topic of conversation. All organizations with OT systems need to understand how these attacks are conducted and how to defend against them.
Critical Manufacturing Vulnerabilities Are on the Rise
To help defenders, Nozomi Networks Labs analyzed the new vulnerabilities published by ICS-CERT, a program run by CISA, a U.S. government body. While there are other sources of vulnerability information beyond ICS-CERT, if a vulnerability is important, it’s covered by ICS-CERT.
Vulnerabilities increased 44% in the first half of 2021 as compared to the second half of 2020. While the number of vendors affected rose by just 5%, the number of products impacted rose 19%.
The top three affected industries include Critical Manufacturing, a grouping identified as Multiple Industries by CISA, and Energy. The most important aspect of the industry breakdown is that vulnerabilities solely affecting the manufacturing sector rose by 148%. This poses an additional challenge to an industry where many segments are struggling to regain momentum after pandemic-driven shutdowns.
IoT Security Camera Vulnerabilities
IoT security cameras are used extensively by industry and the critical infrastructure sector. According to research firm Markets and Markets, the global video surveillance market size is expected to grow from US $45.5 billion in 2020 to US $74.6 billion by 2025.
The infrastructure sector – including transportation, city surveillance, public places, and utilities, is expected to grow at the highest rate during that period. Given the prevalence of and exponential use of IoT cameras, it’s important to understand their security risks.
Over the last six months Nozomi Networks has discovered and disclosed three surveillance camera vulnerabilities for companies that use Peer-to-Peer (P2P) functionality to provide access to audio/video streams. Additionally, we’ve reported on an IoT security camera cyberattack that resulted in unauthorized access to the live video feeds of 150,000 surveillance cameras and their full video archive.
Our findings indicate:
- P2P security camera vendors can view video streams and access user credentials – a striking violation of confidentiality expectations.
- P2P security camera and IoT vulnerabilities are widespread. For example, ThroughTek’s P2P SDK is used by many vendors, and in millions of devices.
- Video camera attacks, such as the one on Verkada, allow attackers to execute shell commands on breached cameras. This provides an entry point for lateral movement on victims’ networks.
Security Recommendations for OT/IoT Environments
A successful ransomware attack can be extremely debilitating, leaving victims with no other option than to meet the hackers’ demands. Taking proactive steps to prevent ransomware infection is key to significantly reducing risk.
The first area to focus on for ransomware prevention is reducing opportunities for initial access to your networks. This includes having spear-phishing protection in place, implementing security awareness training and requiring multi-factor user authentication wherever possible.
It’s also important to adopt a post-breach mindset. For example, each organization should have a detailed plan in place to address a failure in IT that could impact OT, complete with operational continuity and disaster recovery components.
With regards to vulnerabilities, simply looking at numbers for a given timeframe is not the best way to assess risk. Instead, assess your security fundamentals against major threats, like REvil or emerging new ransomware, and harden your attack surface against them.
When selecting an IoT device, bear in mind that they are often insecure-by-design. If you need a capability like remote viewing of surveillance video, conduct extensive due diligence on the technology and vendors under consideration.
As the pandemic becomes more manageable and economies strengthen, cybercrime will continue to rise. We encourage you to subscribe to Nozomi Networks Labs and utilize our cybersecurity community resources to stay up-to-date.
References for the information above are available in the OT/IoT Security Report.