Microsoft Warns of Russian Operatives Using IoT Printers to Hack Networks

Microsoft warned yesterday that hackers, backed by the Russian military, are attempting to break into the networks operated by U.S. companies and other enterprises via Internet of Things (Iot) devices such as Internet-connected printers and phones.

Microsoft stated that the Russian hacker groups, which go by names such as Strontium, Fancy Bear, and APT28, are linked to the Russian Federation’s military intelligence agency called GRU.

These groups are said to have broken into the U.S. Democratic National Committee in 2016.

A post on the Microsoft Threat Intelligence Center blog stated: “These devices became points of ingress from which the actor established a presence on the network and continued looking for further access. Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data.”

Microsoft stated it first spotted the activity, which it attributes to the Russian group Strontium, in April 2019.

In multiple cases, Microsoft said operatives gained access to networks because the IoT devices were using default manufacturer passwords. In another case, the latest security update was not applied. Using those devices as a starting point, the hackers established a beachhead and looked for further access.

Over the past 12 months, Microsoft said it has issued some 1,400 nation-state notifications to those who have been targeted or compromised by Strontium. One in five notifications of Strontium activity were tied to attacks against non-governmental organizations, think tanks, or politically affiliated organizations around the world. The remaining 80 percent of Strontium attacks, according to Microsoft, have largely targeted organizations in the following sectors: government, IT, military, defense, medicine, education, and engineering.

Microsoft also stated that it has observed and notified those concerned of Strontium attacks against Olympic organizing committees, anti-doping agencies, and the hospitality industry. The FBI has also attributed the “VPNFilter” malware to Strontium.

Microsoft Call to Action

Microsoft is calling for better enterprise integration of IoT devices, particularly the ability to monitor IoT devices within enterprise networks. Today, it says, the number of deployed IoT devices outnumbers the population of personal computers and mobile phones combined.

With each networked IoT device having its own separate network stack, Microsoft stated “it’s quite easy to see the need for better enterprise management, especially in today’s ‘bring your own device’ world.”

Visit the blog post here for Microsoft’s recommendations for securing enterprise IoT.

Insecurity of Things: The new campaign from GRU compromised popular internet of things devices including a VOIP (voice over internet protocol) phone, a connected office printer, and a video decoder in order to gain access to corporate networks. Microsoft has some of the best visibility into corporate networks on earth because so many organizations are using Windows machines. Microsoft’s Threat Intelligence Center spotted Fancy Bear’s new work starting in April 2019.

In multiple cases, Microsoft saw Fancy Bear get access to targeted networks because the IoT devices were deployed with default passwords. In another case, the latest security update was not applied. Using those devices as a starting point, the hackers established a beachhead and looked for further access.

“Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data,” Microsoft warned in a blog post published on Monday.

The hackers moved from one device to another, establishing persistence and mapping the network as they went, communicating with command and control servers all the while.
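The behaviour described above (an IoT foothold that scans the internal network and talks to command and control) is exactly what Microsoft's call for monitoring IoT devices is meant to catch. The following detection sketch is an added example, not code from Microsoft or from this article; it assumes a constructed IoT asset inventory, constructed internal address ranges, and a handful of constructed flow records from a single log window.

```python
"""Added detection example: flag inventoried IoT devices that behave like an
attacker's foothold, i.e. fan out to many internal hosts (a network scan)
or talk to an address outside the corporate ranges (possible C2 traffic).
All addresses, device names and flow records below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset inventory: IoT devices that legitimately talk to only a
# handful of known peers (print server, PBX, update server).
IOT_ASSETS = {
    "10.0.5.20": "office-printer",
    "10.0.5.31": "voip-phone",
    "10.0.5.40": "video-decoder",
}
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SCAN_THRESHOLD = 8  # distinct internal hosts contacted within one log window

# Constructed flow records (src, dst, dst_port) from a single time window.
SAMPLE_FLOWS = (
    # printer probing SMB on ten neighbouring hosts: looks like a scan
    [("10.0.5.20", f"10.0.5.{h}", 445) for h in range(50, 60)]
    # phone registering with its PBX, then contacting an external host
    + [("10.0.5.31", "10.0.1.1", 5060), ("10.0.5.31", "203.0.113.7", 443)]
    # decoder fetching from the internal update server: benign
    + [("10.0.5.40", "10.0.1.2", 80)]
)

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_RANGES)

def find_suspicious_iot(flows, threshold=SCAN_THRESHOLD):
    """Return (device, finding, count) tuples for IoT devices whose traffic
    matches the scan-then-beacon pattern described in the article."""
    internal_peers = defaultdict(set)
    external_peers = defaultdict(set)
    for src, dst, _port in flows:
        if src not in IOT_ASSETS:
            continue  # only inventoried IoT devices are judged here
        (internal_peers if is_internal(dst) else external_peers)[src].add(dst)
    findings = []
    for ip, name in IOT_ASSETS.items():
        if len(internal_peers[ip]) >= threshold:
            findings.append((name, "internal-scan", len(internal_peers[ip])))
        if external_peers[ip]:
            findings.append((name, "external-peer", len(external_peers[ip])))
    return findings

if __name__ == "__main__":
    for device, kind, count in find_suspicious_iot(SAMPLE_FLOWS):
        print(f"{device}: {kind} ({count} peers)")
```

In a real deployment the inventory would come from the asset database and the flows from NetFlow or firewall logs, with the threshold tuned to each device class's normal fan-out.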

Global targets: Microsoft has been closely watching this group over the last year.

Of the 1,400 notifications the company delivered to those targeted or compromised by Fancy Bear, 20% have been to global non-governmental organizations, think tanks, or politically affiliated organizations. The remaining 80% have been to various sectors including government, technology, military, medicine, education, and engineering.

“We have also observed and notified STRONTIUM attacks against Olympic organizing committees, anti-doping agencies, and the hospitality industry,” Microsoft’s blog warned.

Last year, the FBI took disruptive action against a Fancy Bear campaign known as “VPNFilter,” which targeted routers and network storage devices with malware capable of “bricking” a device by deleting its firmware and rendering it unusable. That campaign especially targeted Ukraine, a favorite target of Fancy Bear.
