IoT (Internet of Things) devices, including poorly secured VoIP phones, in corporate offices in the United States were targeted by hackers believed to be sponsored by the Russian state, Microsoft revealed in a blog post today.
In research presented at Black Hat, Microsoft said that in April Russian hackers compromised VoIP phones, office printers, and video decoders at multiple corporations. “In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords, and in the third instance the latest security update had not been applied to the device,” Microsoft said in the blog post.
Once a device was compromised, Microsoft said, the attackers used it as a foothold to hunt across the network for other vulnerable devices and for administrative accounts, which would give them access to potentially valuable data.
“Several sources estimate that by the year 2020, some 50 billion IoT devices will be deployed worldwide. IoT devices are purposefully designed to connect to a network, and many are simply connected to the internet with little management or oversight,” said Microsoft.
“Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates. In most cases, however, the customers’ IT operations center doesn’t know they exist on the network.”
Links to Russian state-sponsored hacking group
Microsoft says it found evidence of multiple intrusions, including a malicious shell script dropped on VoIP phones and other IoT devices that gave the Russian attackers persistent access to continue their operation.
The group behind this series of coordinated attacks on American corporations is believed to be Strontium, also known as Fancy Bear. The group is widely reported to work for the Russian government and was blamed for the 2016 breach of the Democratic National Committee.
The attackers’ ultimate objectives in these intrusions remain unclear, but Microsoft notes that the activity resembles the group’s earlier operations. In 2018 the FBI attributed to Fancy Bear the so-called VPNFilter malware, which had infected more than 500,000 unpatched home and small-business routers and network storage devices worldwide in a large espionage campaign.
Hacking weak systems like IoT devices and VoIP phones
Microsoft Threat Intelligence Center discovered the April incident when it spotted “infrastructure of a known adversary communicating to several external devices.” Investigating further, the team uncovered attempts to compromise popular IoT devices, among them a VoIP phone, an office printer, and a video decoder, across multiple customer locations.
The compromised devices became the attackers’ point of entry and a foothold from which to look for further ways into the victim’s network and data. After gaining access to each device, the actor ran tcpdump to sniff network traffic on the local subnets.
They also enumerated administrative groups to attempt further exploitation. As they moved from one device to the next, they dropped a simple shell script to establish persistence on the network and extend their access. According to Microsoft, the compromised devices communicated with an external command-and-control server, which Microsoft was also able to track.
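The chain just described (a phone or printer that starts sniffing, probes hosts on other subnets, logs into neighbouring devices and beacons to an outside host) is visible in ordinary flow or firewall logs, provided the IoT devices are inventoried and watched. The following Python script is an added illustration, not code from Microsoft’s report: it applies three such checks to constructed log lines. The device inventory, the “allowed vendor host” list, every IP address, the log format and the fan-out threshold are all hypothetical.

```python
"""Flag IoT devices whose network behaviour matches the intrusion chain
described in the article. Added example; not Microsoft's code. Inventory,
vendor endpoints, log format and addresses are constructed for the demo."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed IoT inventory: devices IT operations knows about, with the
# only external host each is expected to reach (vendor update/telemetry).
IOT_INVENTORY = {
    "10.10.20.11": {"type": "voip-phone", "allowed_external": {"203.0.113.10"}},
    "10.10.20.12": {"type": "voip-phone", "allowed_external": {"203.0.113.10"}},
    "10.10.30.5": {"type": "printer", "allowed_external": {"203.0.113.50"}},
    "10.10.40.7": {"type": "video-decoder", "allowed_external": set()},
}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
REMOTE_LOGIN_PORTS = {22, 23}   # SSH / telnet: how one device hops to the next
FANOUT_THRESHOLD = 5            # assumed; distinct internal hosts before we call it a scan

# Assumed firewall/flow log format: "src=A dst=B dport=N proto=P"
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed log lines: phone 10.10.20.11 reaches its vendor (fine), then an
# unknown external host, SSHes into a neighbouring phone and touches five
# hosts on the server VLAN. The printer only talks to its vendor.
SAMPLE_LOG = """\
src=10.10.20.11 dst=203.0.113.10 dport=443 proto=tcp
src=10.10.20.11 dst=198.51.100.77 dport=443 proto=tcp
src=10.10.20.11 dst=10.10.20.12 dport=22 proto=tcp
src=10.10.20.11 dst=10.10.10.1 dport=445 proto=tcp
src=10.10.20.11 dst=10.10.10.2 dport=445 proto=tcp
src=10.10.20.11 dst=10.10.10.3 dport=445 proto=tcp
src=10.10.20.11 dst=10.10.10.4 dport=445 proto=tcp
src=10.10.20.11 dst=10.10.10.5 dport=445 proto=tcp
src=10.10.30.5 dst=203.0.113.50 dport=443 proto=tcp
src=192.168.1.20 dst=198.51.100.77 dport=443 proto=tcp
""".splitlines()


def parse_flow(line):
    """Return (src, dst, dport) for a log line, or None if it does not parse."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def home_subnet(ip):
    """The /24 the device lives on (assumed: one IoT VLAN per /24)."""
    return ip_network(ip + "/24", strict=False)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return {iot_src_ip: sorted list of alert strings} for suspicious flows."""
    alerts = defaultdict(set)
    cross_subnet_peers = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport = flow
        if src not in IOT_INVENTORY:
            continue                      # non-IoT sources are out of scope here
        kind = IOT_INVENTORY[src]["type"]
        if not is_internal(dst):
            # Check 1: outbound to anything but the vendor endpoint looks like C2.
            if dst not in IOT_INVENTORY[src]["allowed_external"]:
                alerts[src].add(f"{kind} contacted unexpected external host "
                                f"{dst}:{dport} (possible C2 beacon)")
            continue
        # Check 2: IoT device opening a remote login to another IoT device.
        if dst in IOT_INVENTORY and dport in REMOTE_LOGIN_PORTS:
            alerts[src].add(f"{kind} opened remote login to another IoT device {dst}:{dport}")
        # Check 3: collect hosts it touched outside its own subnet.
        if ip_address(dst) not in home_subnet(src):
            cross_subnet_peers[src].add(dst)
    for src, peers in cross_subnet_peers.items():
        kind = IOT_INVENTORY[src]["type"]
        alerts[src].add(f"{kind} reached {len(peers)} host(s) outside its own subnet")
        if len(peers) >= FANOUT_THRESHOLD:
            alerts[src].add(f"{kind} fanned out to {len(peers)} internal hosts "
                            f"(scan / lateral movement)")
    return {src: sorted(found) for src, found in alerts.items()}


if __name__ == "__main__":
    for src, found in analyze(SAMPLE_LOG).items():
        for alert in found:
            print(f"{src}: {alert}")
```

Run as a script, it prints four alerts for the phone and none for the printer. None of the checks needs an agent on the device; what they do need is exactly the inventory of IoT devices that, as the article notes, most IT operations centres do not have.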
The discovery is a reminder for corporate America to secure and monitor IoT devices such as VoIP phones and networked printers. Microsoft is calling for better integration of security mechanisms in IoT devices, which now outnumber personal computers and mobile phones combined.
“Today we are sharing this information to raise awareness of these risks across the industry and calling for better enterprise integration of IoT devices, particularly the ability to monitor IoT device telemetry within enterprise networks,” Microsoft wrote.
“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives,” Microsoft said.