The cybercriminal group Fancy Bear, whose activities are associated with the Russian government, breaks into popular IoT devices to gain a foothold in the corporate networks it targets.
Corresponding cyber operations were reported by security researchers at Microsoft.
“Over the past year, Microsoft notified 1,400 businesses that were affected by the actions of Fancy Bear cybercriminals,” the Microsoft team writes.
The Microsoft Threat Intelligence Center team first recorded Fancy Bear attacks in April.
Experts then analysed the malicious campaign and concluded that the attackers had compromised popular IoT devices: VoIP softphones, office printers and video decoders.
Hacked devices were used by cybercriminals to infiltrate a corporate network.
The attacks succeeded because the devices still used the manufacturer's default credentials, which enterprise staff had never changed. In one case, the device owners simply had not yet installed the latest security update.
“These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments,” Microsoft warns.
The main objective of Fancy Bear is to gain access to important corporate data. To do this, the attackers moved laterally through the network, looking for other vulnerable devices and trying to compromise more privileged accounts.
Recommendations for Securing Enterprise IoT
There are additional steps an organization can take to protect their infrastructure and network from similar activity. Microsoft recommends the following actions to better secure and manage risk associated with IoT devices:
- Require approval and cataloging of any IoT devices running in your corporate environment.
- Develop a custom security policy for each IoT device.
- Avoid exposing IoT devices directly to the internet or create custom access controls to limit exposure.
- Use a separate network for IoT devices if feasible.
- Conduct routine configuration/patch audits against deployed IoT devices.
- Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic, and capture of device images for forensic investigation.
- Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.
- Monitor IoT device activity for abnormal behavior (e.g. a printer browsing SharePoint sites…).
- Audit any identities and credentials that have authorized access to IoT devices, users and processes.
- Centralize asset/configuration/patch management if feasible.
- If your devices are deployed/managed by a 3rd party, include explicit Terms in your contracts detailing security practices to be followed and Audits that report security status and health of all managed devices.
- Where possible, define SLA Terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their product.
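As an added illustration of the cataloguing, per-device policy and monitoring recommendations above (example code, not from Microsoft's report): a small detection pass over constructed firewall log lines, using a constructed IoT asset catalogue that records the destinations each device role is expected to reach. The device IPs, hostnames, ports and log format are assumptions.

```python
import ipaddress
import re

# Constructed asset catalogue (the "approval and cataloging" step):
# device IP -> (role, regex patterns for the destinations that role is expected to reach).
IOT_CATALOG = {
    "10.20.0.15": ("office-printer", [r"^print-server\.corp\.example$", r"^ntp\.corp\.example$"]),
    "10.20.0.22": ("voip-phone", [r"^pbx\.corp\.example$", r"^10\.20\.0\.1$"]),
    "10.20.0.31": ("video-decoder", [r"^stream\.corp\.example$"]),
}

# Constructed log format: "<ts> src=<ip> dst=<host-or-ip> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_anomalies(lines):
    """Return (role, src, dst, reason) for every flow that violates its device's policy."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in IOT_CATALOG:
            continue  # unparseable line, or a host that is not a catalogued IoT device
        role, allowed = IOT_CATALOG[rec["src"]]
        if any(re.search(p, rec["dst"]) for p in allowed):
            continue  # expected traffic for this device role
        reason = "unexpected destination"
        try:
            # An IoT device reaching other internal hosts is a lateral-movement indicator.
            if ipaddress.ip_address(rec["dst"]).is_private:
                reason = "internal host probe"
        except ValueError:
            pass  # destination is a hostname, not an IP address
        findings.append((role, rec["src"], rec["dst"], reason))
    return findings

# Constructed sample log lines: one benign printer flow, a printer browsing SharePoint,
# a VoIP phone hitting SMB on another internal host, and a non-IoT workstation.
SAMPLE_LOG = [
    "2019-08-05T10:01:02Z src=10.20.0.15 dst=print-server.corp.example dport=443 action=allow",
    "2019-08-05T10:03:10Z src=10.20.0.15 dst=sharepoint.corp.example dport=443 action=allow",
    "2019-08-05T10:04:44Z src=10.20.0.22 dst=10.20.1.7 dport=445 action=deny",
    "2019-08-05T10:06:00Z src=10.30.0.9 dst=sharepoint.corp.example dport=443 action=allow",
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print("ALERT: %s %s -> %s (%s)" % finding)
```

Only the two catalogued devices stepping outside their expected destinations are reported; the workstation's SharePoint access is normal and is not in the catalogue, so it is ignored.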