The role of compromised cyber-physical devices in modern cyberattacks
Cyber-physical devices are increasingly getting compromised and leveraged by criminal groups and state-sponsored threat actors.
Fyodor Yarochkin, Senior Threat Solution Architect with Trend Micro, believes that getting a better understanding of attackers’ infrastructure leads to a better understanding of the attackers themselves.
(The answers have been lightly edited for clarity.)
In your talk at Deep Conference next week, you will be talking about cyber-physical devices being compromised and used by cyber criminals and state-sponsored threat actors. How would you define a cyber-physical device? Which cyber-physical devices are being leveraged by attackers, and in what way(s)?
We mainly examined attacks against cameras and physical security systems as well as associated infrastructure, i.e., routers and some other IoT devices.
A cyber-physical device is a device that connects the physical world and computer networks. Many people may associate the term “cyber-physical device” with Supervisory Control and Data Acquisition (SCADA) systems and OT network segments, but there’s more to it.
Devices that interconnect the physical world give attackers a unique perspective: they allow them to perform on-ground observation of events, to monitor and observe the impact of their attacks, and can even sometimes make an impact on the physical world (although this would normally require them to be connected to some sort of SCADA/ICS equipment).
How are malicious overlay networks built on compromised cyber-physical devices?
Many devices are compromised for the simple purpose of creating points of presence at new locations, so attackers can bypass geofencing restrictions. These devices are often joined and used as a part of overlay networks.
Many of these devices are not traditional routers but could be anything from temperature sensors to cameras. We have even seen compromised museum Android display boards in some countries.
And we suspect that additional capabilities of these devices might be exploited – although we don’t (yet) have clear evidence of such activities.
How do attackers maintain persistence on cyber-physical devices, such as surveillance cameras, after initial compromise?
They don’t. It’s all about being as low-profile as possible. In many cases, we observe devices getting compromised, payloads getting installed and then removed from the file system. When the device is rebooted, the payloads disappear.
The only option we saw for maintaining persistence involves downgrading devices to the latest vulnerable firmware versions.
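The two behaviours described in this answer (a payload that keeps running after its file is unlinked, and persistence by rolling the firmware back to a vulnerable build) are both checkable from the device side. The following is an added triage example written for this page, not Trend Micro's or the interviewee's tooling; the `/proc` snapshot, the volatile path list and the firmware version strings are constructed for illustration.

```python
"""Triage checks for a Linux-based IoT/camera host.

Added example, not tooling from the interview. The sample /proc snapshot,
path prefixes and version strings below are constructed assumptions.
"""
import os
import re
from typing import Dict, List, Tuple

# Writable locations a runtime-dropped implant typically executes from on an
# embedded Linux device; the vendor rootfs is usually a read-only squashfs.
# (Assumed list; adjust per device.)
VOLATILE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/var/run/", "/mnt/")


def snapshot_proc(proc_root: str = "/proc") -> Dict[int, str]:
    """Return {pid: readlink(/proc/<pid>/exe)} for every readable process.

    readlink keeps resolving after the binary is unlinked; the kernel appends
    " (deleted)" to the target, which is the signal we look for. Entries we
    cannot read (permission denied, kernel threads) are skipped.
    """
    snap: Dict[int, str] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            snap[int(name)] = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue
    return snap


def find_unlinked_executables(snap: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Flag processes whose backing file is gone or lives on volatile storage.

    Returns (pid, exe_target, reason), ordered by pid. A hit of either kind
    disappears on reboot, matching the "no persistence" pattern above.
    """
    hits = []
    for pid, target in sorted(snap.items()):
        if target.endswith(" (deleted)"):
            hits.append((pid, target, "backing file unlinked"))
        elif target.startswith(VOLATILE_PREFIXES):
            hits.append((pid, target, "executing from volatile storage"))
    return hits


def parse_version(s: str) -> Tuple[int, ...]:
    """'V5.5.82 build 200403' -> (5, 5, 82, 200403).

    Digit-only parsing tolerates vendor prefixes; tuples compare element-wise.
    """
    return tuple(int(x) for x in re.findall(r"\d+", s))


def firmware_downgraded(running: str, baseline: str) -> bool:
    """True when the running build is older than the last patched build you
    recorded for this device, i.e. someone rolled it back."""
    return parse_version(running) < parse_version(baseline)


# Constructed snapshot: one legitimate service, one implant dropped to tmpfs,
# one implant that unlinked itself after exec and now exists only in memory.
SAMPLE_PROC = {
    1: "/sbin/init",
    412: "/usr/bin/rtsp_server",
    901: "/tmp/.x86/ntpd",
    933: "/dev/shm/.k (deleted)",
}


if __name__ == "__main__":
    snap = snapshot_proc() if os.path.isdir("/proc") else SAMPLE_PROC
    for pid, exe, why in find_unlinked_executables(snap):
        print(f"pid {pid}: {exe} [{why}]")
    # Assumed version strings; the baseline would come from your asset inventory.
    if firmware_downgraded("V5.4.5 build 190221", "V5.5.82 build 200403"):
        print("firmware is older than the recorded patched build: possible rollback")
```

Run it on the device itself (or against a copied `/proc` listing) rather than only on the sample; the point of the `(deleted)` check is that it works while the payload is still resident, before a reboot erases the only evidence.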
Are state-sponsored actors using compromised cyber-physical devices differently from criminal groups? Are attackers monetizing access to compromised cyber-physical infrastructure in criminal markets? Are attackers using compromised cyber-physical devices to perform reconnaissance on physical environments for further attacks?
We believe that state-sponsored actors dedicate a significant amount of time to building and rebuilding their operational relay infrastructure. They are not just opportunistically compromising systems: they are building pivoting platforms in the countries of their interest.
Cyber-criminal operators are mainly interested in building infrastructure that they can sell or rent, and I guess this is how they monetize it.
Recent botnet disruptions by law enforcement have revealed that botnet operators are currently favoring a three-tier architecture: compromised (IoT, server, endpoint) devices make up Tier 1; Tier 2 consists of servers forwarding communications between those devices and the servers issuing orders (Tier 3). The advantages of such a choice are obvious. Are there any disadvantages (this is all from the attackers’ perspective, of course)?
The complexity of infrastructure management is probably the main disadvantage. The attackers solve it by automating deployment with a script.
But this brings another disadvantage: an obvious network footprint that can be searched for and picked up by threat intelligence researchers.
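The footprint mentioned in this answer is visible in plain connection data: a Tier 2 relay has wide fan-in (many Tier 1 devices checking in) but narrow fan-out (a handful of Tier 3 controllers), and relays deployed from one script tend to listen on the same port. The following is an added example written for this page, not code from the interview or from any law-enforcement operation; the flow records, IP addresses, ports and thresholds are constructed assumptions.

```python
"""Spot three-tier relay candidates in connection records by fan-in/fan-out.

Added example, not from the interview. Flow records, addresses, ports and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def build_graph(flows: List[Flow]):
    """Distinct peers per host: fan_in[h] = sources that connect to h,
    fan_out[h] = destinations h connects to."""
    fan_in: Dict[str, Set[str]] = defaultdict(set)
    fan_out: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        fan_in[f.dst].add(f.src)
        fan_out[f.src].add(f.dst)
    return fan_in, fan_out


def find_relays(flows: List[Flow], min_fan_in: int = 5, max_fan_out: int = 3) -> List[str]:
    """Tier 2 candidates: many distinct inbound peers, few outbound peers.

    The out-degree lower bound of 1 is what separates a relay from an
    ordinary popular server, which also has wide fan-in but forwards nothing.
    """
    fan_in, fan_out = build_graph(flows)
    return sorted(
        h for h in fan_in
        if len(fan_in[h]) >= min_fan_in and 1 <= len(fan_out[h]) <= max_fan_out
    )


def upstream_candidates(flows: List[Flow], relays: List[str]) -> Dict[str, int]:
    """Tier 3 candidates: destinations the relays forward to, counted by how
    many relays share them. A destination shared by several relays is a
    stronger controller candidate than one seen from a single relay."""
    shared: Dict[str, int] = defaultdict(int)
    for relay in relays:
        for dst in {f.dst for f in flows if f.src == relay}:
            shared[dst] += 1
    return dict(shared)


def shared_listening_ports(flows: List[Flow], relays: List[str]) -> Set[int]:
    """Ports on which every relay accepts check-ins: the scripted-deployment
    fingerprint that makes the rest of the fleet searchable."""
    per_relay = [{f.dport for f in flows if f.dst == r} for r in relays]
    return set.intersection(*per_relay) if per_relay else set()


def constructed_flows() -> List[Flow]:
    """Constructed sample: 12 bots split across two relays on port 8443, both
    relays forwarding to one controller on 443, plus benign noise."""
    bots = [f"10.0.0.{i}" for i in range(1, 13)]
    relays = ["198.51.100.10", "198.51.100.11"]
    flows = [Flow(bot, relays[i % 2], 8443) for i, bot in enumerate(bots)]
    flows += [Flow(r, "203.0.113.5", 443) for r in relays]
    # Noise: a public web server with wide fan-in but no upstream, and a CDN hit.
    flows += [Flow(bot, "192.0.2.80", 80) for bot in bots]
    flows.append(Flow(bots[0], "192.0.2.200", 443))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    relays = find_relays(flows)
    print("Tier 2 candidates:", relays)
    print("Tier 3 candidates:", upstream_candidates(flows, relays))
    print("shared check-in ports:", shared_listening_ports(flows, relays))
```

On real data the thresholds need tuning per network, and the same shape (wide fan-in, narrow fan-out) also describes legitimate forwarders such as mail relays and VPN concentrators, so treat the output as a candidate list to enrich, not a verdict.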
With billions of internet-connected devices around the world, many of which have inadequate security capabilities and options, what are – in your opinion – some realistic actions that can make that number decrease substantially in the next 3 to 5 years?
Realistically, I don’t believe there is a way to decrease the number of compromised devices. We are moving towards networks where IoT devices will be one of the predominant types of connected devices, with things like a dishwasher or fridge having an IP address. Naturally, I think many of these devices could be easily targeted and exploited by attackers and turned into pivoting points.
Residential and mobile proxy networks are springing up left and right. Some users knowingly install proxyware on their devices, others are effectively tricked into it. While these networks can be used for legitimate purposes, they can also be – and are – abused by attacker groups for DDoS attacks, password spraying, social engineering campaigns, or as the jumping off point for targeted intrusions. In your experience, how often does that happen?
We don’t see so much DDoS, but we see a lot of other unwanted actions, such as web scraping, credential spraying, cryptocurrency pump-and-dump campaigns, scraping of online shops, sneaker bot activity, online ticket speculation, carding (to match geolocation to the card owner location), and so on.
Mandiant researchers have recently documented the rise of operational relay box (ORB) networks and how they are being increasingly used by attackers that prefer to avoid standing up their own attack or communications infrastructure. How has the current geo-political situation allowed this development, and what do you expect the next logical development of the situation to be?
ORB building is one of the operational procedures of some threat actors.
Many countries perform geofencing by filtering traffic from unwanted locations, and ORBs are the perfect answer to that. They allow attackers to pop up from the same locations as the expected benign traffic.
Some ORBs are based on compromised devices, others on rented infrastructure. With different groups we often observe a combination of both.
The growth and merging between ORB infrastructure, residential proxies and overlay networks that are used to bypass geofencing is a massive tendency and we often see widespread adoption of such techniques by threat actors from different regions.
How big of an issue is supply chain compromise when it comes to the proliferation of compromised smartphones and IoT devices?
Supply chain compromise is a popular attack vector for smartphones and smaller devices running on Android (such as TV boxes). It is quite widespread, and we also believe that in some cases it’s a combination of software (software package or SDK) and hardware (firmware) compromise.
It is so common that sometimes we find two or more implants on the same firmware (in different components of the firmware).