Defending against IoT ransomware attacks in a zero-trust world

IoT sensors and the smart devices they’re connected to are among the fastest-growing attack vectors in 2024, with opportunistic attackers offering a growing number of tools and services on the dark web to compromise them. 

Adversaries are becoming more opportunistic. They are looking to cash in on the fast-growing market for IoT devices and technologies. IoT Analytics predicts that global appending on IoT technologies will grow from $280 billion in 2024 to $721 billion by 2030. 

“In 2024, the potential of IoT innovation is nothing short of transformative. But along with opportunity comes risk. Each individual connected device presents a potential access point for a malicious actor,” writes Ellen Boehm, senior vice president of IoT Strategy and Operations for Keyfactor. In their first-ever global IoT security report, Digital Trust in a Connected World: Navigating the State of IoT Security, Keyfactor found that 93% of organizations face challenges securing their IoT and connected products. 

IoT sensors are a cyberattack magnet 

There was a 400% increase in IoT and OT malware attacks last year. The manufacturing industry was the top targeted sector, accounting for 54.5% of all attacks and averaging 6,000 weekly attacks across all monitored devices. Mirai and Gafgyt botnets dominate all activity, accounting for 66% of attack payloads. Mirai and Gafgyt infect then use IoT devices to launch distributed denial-of-service (DDoS) attacks, causing billions in financial losses.

Attacks on IoT and ICS networks are becoming so pervasive that it’s common for the Cybersecurity and Infrastructure Security Agency (CISA) to issue cybersecurity advisories. The most recent involves four, three of them from Rockwell Automation.     

“We’re connecting all these IoT devices, and all those connections create vulnerabilities and risks. I think with OT cybersecurity, I’d argue the value at stake and the stakes overall could be even higher than they are when it comes to IT cybersecurity. When you think about what infrastructure and types of assets we’re protecting, the stakes are pretty high,” Kevin Dehoff, president and CEO of Honeywell Connected Enterprise, told VentureBeat during an interview last year. Dehoff emphasized the need to give customers better visibility into risks and vulnerabilities. 

Selling IoT ransomware tradecraft is a booming underground business 

DDoS attack services orchestrated through IoT botnets are best-sellers on the dark web. Analysts identified more than 700 ads for DDoS attack services on various dark web forums in the first half of last year alone. Costs depend on CAPTCHA, DDoS protection and JavaScript verification on the victim’s side, starting at $20 a day and going up to $10,000 a month. Average pricing is in the $63.50 per day range and $1,350 per month based on ads promoting DDoS services on the dark web.   

Attackers are prolific in their efforts to create, sell and use ransomware to attack IoT devices. Of the many in existence, the following eight are among the most well-known. DeadBolt exploits CVE-2022-27593 to encrypt user files and demand ransom for a decryption key and targets QNAP NAS devices is among the more recent. A WannaCry variant targets IoT devices, exploiting vulnerabilities in Microsoft’s SMB protocol. Additional ones include Mirai, Linux.Encoder.1, Gafgyt, Reaper, Hajime, BrickerBot and BASHLITE.  

The Wall Street Journal reports that ransomware attacks against manufacturers, utilities and other industrial companies were up 50% last year. Rob Lee, chief executive of Dragos, said that among industrial companies, manufacturers were targeted most. “It’s not so much that they’re OT experts; it’s just they know that they’re impacting the revenue-generating portions of those companies,” Lee said, “so the companies are willing to pay and pay faster.”

Protecting against IoT ransomware attacks with zero trust 

The challenges of protecting IoT sensors and their supporting ICS platforms bring out the many strengths zero trust has in hardening these systems from cyberattacks. The core attributes of zero trust that can protect IoT devices are briefly described below:  

Monitor and scan all network traffic. Every security and information event management (SIEM) and cloud security posture management (CSPM) vendor aims to detect breach attempts in real time. There has been a surge in innovations in the SIEM and CPSM arena that make it easier for companies to analyze their networks and detect insecure setups or breach risks. Popular SIEM providers include Cisco (Splunk), CrowdStrike Falcon, Fortinet, LogPoint, LogRhythm, ManageEngine, QRadar and Trellix.

Enforce least privilege access for every endpoint and IoT device, then audit and clean up (identity access management) and privileged access management (PAM) roles. The majority of breaches start because attackers use a variety of techniques to gain privileged access credentials so they can penetrate a network and install ransomware payloads. Auditing and tightening up least privilege access for endpoints and IP-addressable IoT devices is a first step. Cleaning up IAM and PAM privilege access credentials and removing any that have been active for years for contractors is also critically important. 

Get back to the basics of security hygiene by adopting Multifactor authentication (MFA) across IT infrastructure. CISOs have told VentureBeat that MFA is a quick win. MFA metrics are relatively easy to capture and CISOs tell VentureBeat they use them to show their boards they’re making progress on a zero-trust strategy. MFA is table stakes for protecting IoT infrastructure, as many IoT devices and sensors are preconfigured with no authentication and factory passwords preset. 

Applying microsegmentation to endpoints, especially IoT sensors, including those with Programmable Logic Controllers (PLCs). Sixty percent of enterprises are aware of less than 75% of the endpoint devices on their network. Only 58% can identify every attacked or vulnerable asset on their network within 24 hours of an attack or exploit. Eighty-six percent of manufacturers have little to no visibility into their OCS. Microsegmentation is designed to segregate and isolate specific network segments to reduce the number of attack surfaces and limit lateral movement. It’s one of the core elements of zero trust as defined by the NIST SP 800-27 zero-trust framework. Leading vendors include Akamai, Aqua Security, Cisco, CrowdStrike, ColorTokens, Illumio, Palo Alto Networks, TrueFort, vArmour, VMware and Zscaler. 

Deploy risk-based conditional access across all endpoints and assets. Risk-based access needs to be enabled in least-privileged access sessions for applications, endpoints, or systems based on the device type, device settings, location, and observed anomalous behaviors combined with other relevant attributes. Leading cybersecurity vendors have been using machine learning (ML) algorithms for years to calculate and recommend actions based on risk scoring. The leading vendors who have deep expertise in ML to accomplish this include Broadcom, CrowdStrike, CyberArk, Cybereason, Delinea, SentinelOne, Microsoft, McAfee, Sophos and VMWare Carbon Black.

Get patch management back on track and consider automating it with AI and ML. Patch management approaches that aren’t data-driven are breaches waiting to happen. Attackers are weaponizing years-old CVEs while security teams wait until a breach happens before they prioritize patch management. Patching has gotten the reputation of the one task every IT team procrastinates about. Seventy-one percent of IT and security teams say it is overly complex, cumbersome, and time-consuming. AI-driven patch management shows the potential to cut through these challenges.