Microsoft detected Russian hackers targeting VoIP phones, printers, and video decoders to breach secure networks
Russian state-sponsored hackers are using vulnerable office internet of things (IoT) devices to breach enterprise or corporate networks, Microsoft announced on Monday.
The OS maker stated that the Russian hacking group known as Strontium (also commonly known as APT28 or Fancy Bear) was responsible for the new attack, which took place in April. The same group has also been blamed for hacking the Democratic National Committee (DNC) in 2016, for the NotPetya attacks against Ukraine in 2017, and for targeting political groups in Europe and North America throughout 2018.
In April this year, security researchers in the Microsoft Threat Intelligence Center, one of the OS maker’s cyber-security divisions, discovered that hackers were compromising popular IoT devices such as a VoIP (voice over internet protocol) phone, a connected office printer and a video decoder across multiple customer locations in order to breach computer networks.
“The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device,” Microsoft said in a blog post.
Using those devices as a starting point, the hackers established a base and looked for further access. The “devices became points of ingress from which the actor established a presence on the network and continued looking for further access,” the post added.
“Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data.”
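The behaviour Microsoft describes above (a phone, printer or decoder that suddenly starts sweeping the network for other hosts) is something a defender can look for in flow logs. The script below is an added example, not code from the article or from Microsoft's post: it assumes a hypothetical asset inventory that tags devices by class, a NetFlow-style record format of `timestamp src dst dport`, and constructed thresholds and sample records. It raises an alert when an IoT-class source contacts more distinct internal hosts or ports within a short window than such a device ever should.

```python
"""Flag IoT-class devices (printers, VoIP phones, video decoders) that start
behaving like network scanners.

Added example, not from the article or Microsoft's post. The inventory, the
flow record format, the thresholds and the sample records are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical asset inventory: IP address -> device class.
INVENTORY = {
    "10.20.1.15": "voip_phone",
    "10.20.1.40": "printer",
    "10.20.1.77": "video_decoder",
    "10.20.5.10": "workstation",
}
IOT_CLASSES = {"voip_phone", "printer", "video_decoder"}

# Constructed thresholds: a phone or printer has no business probing many
# distinct hosts or ports inside a five-minute window.
MAX_DISTINCT_HOSTS = 5
MAX_DISTINCT_PORTS = 5
WINDOW = timedelta(minutes=5)


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ISO timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


def detect_iot_scanning(lines):
    """Return {src_ip: (max_distinct_hosts, max_distinct_ports)} for every
    IoT-class source that exceeded a threshold within any WINDOW-sized span.
    Non-IoT sources are ignored here; they belong to a different rule."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f.ts)
    by_src = defaultdict(list)
    for f in flows:
        if INVENTORY.get(f.src) in IOT_CLASSES:
            by_src[f.src].append(f)

    alerts = {}
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):
            # Slide the window start forward until the span fits in WINDOW.
            while fl[end].ts - fl[start].ts > WINDOW:
                start += 1
            window = fl[start:end + 1]
            hosts = {f.dst for f in window}
            ports = {f.dport for f in window}
            if len(hosts) > MAX_DISTINCT_HOSTS or len(ports) > MAX_DISTINCT_PORTS:
                prev = alerts.get(src, (0, 0))
                alerts[src] = (max(prev[0], len(hosts)), max(prev[1], len(ports)))
    return alerts


# Constructed sample: the VoIP phone talks only to its call manager; the
# printer sweeps eight hosts on one port; the decoder probes six ports on one
# host; the workstation's traffic is out of scope for this rule.
SAMPLE_FLOWS = """
2019-04-10T09:00:00 10.20.1.15 10.20.2.5 5060
2019-04-10T09:00:30 10.20.1.15 10.20.2.5 5060
2019-04-10T09:01:00 10.20.1.40 10.20.5.1 445
2019-04-10T09:01:05 10.20.1.40 10.20.5.2 445
2019-04-10T09:01:10 10.20.1.40 10.20.5.3 445
2019-04-10T09:01:15 10.20.1.40 10.20.5.4 445
2019-04-10T09:01:20 10.20.1.40 10.20.5.5 445
2019-04-10T09:01:25 10.20.1.40 10.20.5.6 445
2019-04-10T09:01:30 10.20.1.40 10.20.5.7 445
2019-04-10T09:01:35 10.20.1.40 10.20.5.8 445
2019-04-10T09:02:00 10.20.1.77 10.20.2.5 22
2019-04-10T09:02:01 10.20.1.77 10.20.2.5 23
2019-04-10T09:02:02 10.20.1.77 10.20.2.5 80
2019-04-10T09:02:03 10.20.1.77 10.20.2.5 443
2019-04-10T09:02:04 10.20.1.77 10.20.2.5 445
2019-04-10T09:02:05 10.20.1.77 10.20.2.5 3389
2019-04-10T09:03:00 10.20.5.10 10.20.5.20 445
""".strip().splitlines()


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_iot_scanning(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, (hosts, ports) in run_sample().items():
        print(f"ALERT {src} ({INVENTORY[src]}): {hosts} distinct hosts, {ports} distinct ports")
```

The rule keys entirely on the inventory: it is the mismatch between what a device is (a printer) and what it is doing (a host sweep) that makes the signal strong, so an accurate device inventory is the prerequisite. On the sample above it flags the printer for eight distinct hosts and the video decoder for six distinct ports, and stays quiet on the phone.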
While this particular attack was stopped by Microsoft in its early stages, the motive behind the attacks remains unclear, as IoT devices did not appear to be the ultimate target.
Microsoft, which has been closely watching this group over the last year, has sent around “1400 nation-state notifications to those who have been targeted or compromised by Strontium.” Of these, 20% of the attacks were against non-governmental organizations, think tanks, or politically affiliated organizations around the world. The remaining 80% of Strontium attacks largely targeted the sectors most often hit by state-sponsored attacks, such as government, IT, military, defense, medicine, education, and engineering.
“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives. These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments,” Microsoft’s blog warned.
Although Microsoft did not name the affected products, it did share the information with the manufacturers of the specific devices involved in the attacks, which are now looking to build new protections into their products.
By releasing research that highlights the extensive security issues IoT devices bring with them, in government as well as in the private sector, Microsoft is hoping the tech industry will take additional measures to protect its infrastructure and networks, and to better secure and manage the risk associated with IoT devices.
Source: MSRC Blog