Microsoft: Russia Probes Office Printers, VOIP PhonesPoints to the Need to Make IoT Devices More Secure
Microsoft warned on Monday that Russia-linked attackers are gaining access to networks through poorly configured devices, such as office printers and VOIP phones.
In two instances, organizations failed to change the default passwords set by the manufacturers on devices. In a third, the latest security updates had not been applied, the company writes in a blog post on Monday.
“Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to high-value data,” Microsoft writes.
Microsoft has shared its findings with the makers of the devices “and they have used this event to explore new protections in their products.”
Microsoft says the group is likely Strontium, also known as Fancy Bear, Sofacy and APT28. The group, widely believed to be linked to Russia’s GRU intelligence agency, has been blamed for the intrusion into the Democratic National Committee’s network in the lead-up to the 2016 presidential election.
In August 2018, Microsoft applied to a court and succeeded in gaining control of six domains it believed were tied to Strontium. Although the domains were not used in attacks, two mimicked the domains of U.S.-based think tanks. Microsoft had gone to a court 11 other times to take control of Strontium domains (see: Microsoft Uncovers Fresh Russian Attack Infrastructure).
The U.S. is anticipating an uptick of activity by Russia ahead of the 2020 presidential election. Robert Mueller, who led a special counsel investigating Russian interference in the previous election, warned during a congressional hearing on July 25: “They’re doing it as we sit here. And they expect to do it during the next campaign.”
Shell Scripts for Persistence
Organizations need to ensure they have no IoT devices exposed to the internet with default credentials.
Microsoft and Google issue specific warnings when they suspect a state-sponsored actor is targeting an organization or individual. Microsoft writes that over the last year, it has issued close to 1,400 warnings to organizations it believes were targeted or compromised by Strontium.
The targeting of IoT devices was discovered in April by Microsoft’s Threat Intelligence Center. Eric Doerr, who is general manager of the Microsoft Security Response Center, is due to present more examples of supply chain attacks Thursday at the Black Hat Security Conference in Las Vegas.
After achieving access on a network, Strontium ran tcpdump to analyze network traffic on local subnets as well as enumerating administrative groups. As they moved, the attacks dropped a shell script to maintain access to their footholds, Microsoft reports.
Microsoft says it’s unsure of Strontium's objectives. One in five of the warnings issued were to nongovernmental organizations, think tanks or politics-related organizations. The majority of warnings went to organizations in government, IT, military, defense, medicine, education and engineering, Microsoft writes.
“We have also observed and notified Strontium attacks against Olympic organizing committees, anti-doping agencies and the hospitality industry,” it writes.
There’s been increasing worry about Russia’s offensive cyber activity. In April 2018, the U.S. and U.K. issued a joint advisory saying Russia was seeking to gain footholds in critical internet infrastructure, such as routers, switches, firewalls and network intrusion detection systems. The efforts take advantage of outdated protocols, the absence of encryption, incorrect configurations and unpatched devices (see: US, UK: Russian Hackers Deeply Embedded in Routers, Switches).
Those problems have contributed to global attacks as well. Microsoft cites two prominent campaigns that have targeted IoT devices: Mirai and VPN Filter. Mirai was a botnet that in 2016 compromised devices such as IP cameras and was used to conduct large-scale distributed denial-of-service attacks. Three U.S. men pleaded guilty to co-authoring Mirai (see: Mirai Co-Author Gets House Arrest, $8.6 Million Fine).
VPN Filter was a malware campaign that infected at least 500,000 older routers made by companies including Linksys, Microtik, Netgear, QNAP and TP-Link. The FBI attributed VPN Filter to Fancy Bear and gained a court order to seized a domain linked to its command-and-control infrastructure (see: FBI Seizes Domain Controlling 500,000 Compromised Routers).
Mission: Tidy Up Your IoT
Tidying up IoT devices to reduce the attack surface is not the most exciting mission in IT security, but one that needs to be done.
Microsoft writes that many organizations focus on thwarting hardware implants – sneaky code or capabilities baked into hardware – but “adversaries are happy to exploit simpler configuration and security issues to achieve their objectives.”
Organizations should catalog their IoT devices and ensure newer ones are vetted before deployment and have a security policy. If possible, IoT devices should not be directly exposed to the internet and should be on a separate network, Microsoft writes. Security updates and patches should be applied, and there should be a program for investigating intrusions, including analyzing logs and capturing forensic images for investigation, it adds.