A new proof-of-concept ransomware attack from Forescout Technologies raises troubling implications for IoT and operational technology security.
Forescout Technologies' Vedere Labs released research Wednesday presenting the proof-of-concept attack where a hypothetical attacker uses a vulnerable IP camera to compromise an organization's IT infrastructure and uses the access to shut down operational technology (OT) hardware. The attack uses pre-existing vulnerabilities and does not include new exploits.
However, Daniel dos Santos, head of security research at Vedere Labs, wrote that it was "the first and only work to date to combine the worlds of IT, OT and IoT ransomware" within a single, comprehensive proof of concept.
The attack works by compromising leading network-connected security cameras -- particularly those sold by Axis and Hikvision. According to Forescout, these two vendors are responsible for 77% of the IP cameras used in enterprise networks. In addition, Forescout claimed in its report that more than half a million devices are using default VLAN 1 configuration, meaning the cameras weren't properly configured for network segmentation.
Therefore, by using a vulnerability like 2017's Devil's Ivy, threat actors can use these IoT devices to gain access to an improperly protected enterprise network. In a video demonstration, Forescout showed that after exploiting a camera's vulnerabilities, threat actors can execute a command to gain access to a Windows machine. From there, they can execute further commands that locate additional machines reachable from the camera, find machines with weak credentials and open Remote Desktop Protocol (RDP) ports, and establish an SSH tunnel.
The attacker then uses this access to open a remote desktop session, install malware and disable network firewalls and antivirus protection. With this access, the attacker can escalate privileges, install ransomware and cryptocurrency miners, and launch malicious executables aimed at OT systems.
Forescout's video demonstration featured a simulated ransomware attack against a hospital. In this example, Forescout compromised an IP camera, used it to gain access to the fictional hospital's network, spotted a programmable logic controller used to control the hospital's HVAC system, and used escalated privileges to install ransomware and shut down the HVAC.
While the simulated attack is too specific to be directly applicable to any one organization, the new research shows how various types of network-connected hardware can be chained together with devastating consequences.
Dos Santos told SearchSecurity that one motivation for the proof-of-concept attack was to illustrate to organizations how vulnerabilities -- like the Nucleus:13 flaws discovered by Forescout last fall -- can be used in practice by threat actors to compromise OT networks. The second motivation was to highlight the dangers and evolving landscape of ransomware.
"Ransomware is evolving very, very fast," he said. "And we wanted to have a bit of a longer-term view on what attackers could be doing pretty soon so that organizations can prepare and proactively defend instead of just reacting to attacks. It's a long-term view about paying attention to OT and IoT."
Ransomware attacks on OT and industrial control system (ICS) networks have become a growing concern in the infosec community. Earlier this year, ICS security vendor Dragos' Year in Review 2021 report showed ransomware was the leading cause of compromises in the industrial sector and caused significant disruptions even when OT and ICS networks were not directly targeted or infected.
Alexander Culafi is a writer, journalist and podcaster based in Boston.