The latest Nozomi Networks Labs OT & IoT Security Report, published earlier this month, found that threat actors are not only increasing their attack frequency but are also refining tactics and finding new access points. Ransomware attacks remain high, but it’s also becoming common to see attacks motivated by control and destruction. According to Microsoft, last year 120 countries faced cyberattacks fueled by nation-state actors – more than 40% against critical infrastructure. And, earlier this month as we prepared to publish this report, FBI Director Christopher Wray warned Congress that Chinese hackers are “preparing to cause real-world harm to American critical infrastructure.” It’s a global risk that requires a new level of attention and a greater understanding of the threat activity we’re seeing in critical infrastructure environments.
To help security professional strengthen their defenses, the analysis in our latest report tracks threat actors targeting real customer environments and globally distributed IoT honeypots. We found over the past six months that network anomalies and attacks were the most prevalent threat to OT and IoT environments. Another cause for concern was that vulnerabilities within critical manufacturing surged 230% – threat actors are gaining far more opportunities to access networks and cause these anomalies.
Let’s dive into some of the report’s key findings.
Alert Analysis from Real Customer Environments
Part of our report takes a look at what we’re seeing in alert data from Nozomi Networks customers who have opted into information sharing. Digging into the last six months of alerts, we found network anomalies and attacks represented the most significant portion (38%) of threats.
“Network scans” topped the list of Network Anomalies and Attack alerts, followed closely by “TCP flood” attacks which involve sending large amounts of traffic to systems aiming to cause damage by bringing those systems down or making them inaccessible. “TCP flood” and “Anomalous packets” alert types exhibited significant increases in both total alerts and averages per customer in the last six months, increasing more than 2x and 6x respectively.
While “TCP flood” attacks are common in ICS systems, the alert trends we saw in the last six months indicate evolving network threats, possibly reflecting adaptive attacker strategies or heightened detection capabilities.
Alerts on Access control and authorization threats jumped 123% over the previous reporting period. In this category “Multiple unsuccessful logins” and “Brute force attack” alerts increased 71% and 14% respectively. This trend highlights the continued challenges in unauthorized access attempts, showing that identity and access management in OT and other challenges associated with user-passwords persist.
DDOS attacks were far and away the number one malware attack concern for IoT. Because of this Nozomi Networks Threat Intelligence Product Owner Phil Trainor advise operators who have large deployments of IoT devices that are either part of their OT network or working contiguous with them to make sure they have a strategy to prevent their organization from becoming part of a botnet attack on other organizations.
When it comes to common malware attacks, he also advises operators to mind the miners.
“I would never want to have a report hitting my boss's desk or anyone else in finance who would be looking at this and finding out how much money we spent as an organization wasted by miners operating without our knowledge," Trainor said in our latest webinar covering the report findings.
Newly Discovered CVEs and Top CWEs
Between July 1 and December 21, 2023, CISA released 196 new ICS advisories mentioning 885 old and new vulnerabilities affecting products from 74 vendors. Common Vulnerabilities and Exposures (CVEs) were up 38% compared to the first half of 2023, while mentioned vendors went up 19%. Critical Manufacturing topped the list with CVEs in that sector rising to 621, an alarming 230% increase over the previous reporting period.
Based on this information, critical manufacturers should revisit their security strategy.
“If you have a 230% increase in targeted CVEs in that short of an amount of time (six months) specifically going after your group you have to speculate as to how much money from potential nation states is targeted research attempting to go after you specifically," says Phil Trainor, Nozomi Networks Threat Intelligence Product Owner.
Critical Manufacturing, Energy and Water/Wastewater remained the most vulnerable industries for a third consecutive reporting period – though the total number of vulnerabilities reported in the Energy sector dropped 46% and Water/Wastewater vulnerabilities dropped 16%.
Expect IoT Botnet Attacks to Continue
Malicious IoT botnets remained active and continue to use default credentials in attempts to access IoT devices. In the last six month of 2023, Nozomi Networks honeypots found an average of 712 unique attacks daily, which is a 12% decline in the daily average we saw in the previous reporting period. Top attacker IP addresses were associated with China, the United States, South Korea, India and Brazil.
In a panel discussion of these latest report findings, Nozomi Networks Labs Threat Intelligence Manager Alexey Kleymenoy said defenders should prepare for more botnet activity.
“The situation now is quite different compared to a few years ago when Mirai was just released. The whole client base is now open source so threat actors can jump in and create their own botnet in a matter of minutes. Everything is well coded. This makes it very easy to plug in new exploits and together with the fact that the exploits are also publicly available on the internet, it's just a matter of connecting them like a puzzle to extend a botnet in a very, very fast motion.”
He expects this trend using open-source intelligence to continue. Instead of spending money trying to buy zero days exploits which may or may not pay off, he says threat actors are more likely to spend their energy getting the same results finding vulnerabilities which not everybody is able to patch in time.
Recommendations
CISA and the U.S. National Vulnerability Database catalog thousands of known vulnerabilities in OT/ICS machines and devices. Threat actors continue to aggressively probe Enterprise/IT, OT, and IoT networks across the globe and are growing in capacity and sophistication of capabilities and enhanced TTPs. Nozomi Networks’ OT & IoT Security report gives security professionals and critical infrastructure operators a clear understanding of the vulnerabilities and attack patterns they need know about in order to tune their security postures for the best possible defense.
Critical infrastructure organizations should prioritize proactive defense strategies that include network segmentation, asset discovery, vulnerability management, patching, logging, endpoint detection, and threat intelligence. There is also a growing need for actionable asset and threat intelligence that can be used by different stakeholders within an organization such as IT teams, compliance officers and risk managers who may have different perspectives on security issues.
Nozomi Networks is Here to Help
From day one, Nozomi Networks’ solutions have been deeply rooted in addressing the complex requirements of industrial and critical infrastructure environments. As OT converges with the vastly different worlds of IT and IoT, that experience has given us a unique understanding of the tools and processes associated with the largest networks in the world. We’ve earned a global reputation for unmatched service, superior cyber and physical system visibility, advanced OT and IoT threat detection, and scalability across distributed environments. We provide real-time asset visibility, threat detection and actionable intelligence that keeps you in control of your critical infrastructure.