A sharp increase in cyberattacks on IoT devices: Check Point
Cybersecurity company Check Point Research has flagged a sharp increase in cyberattacks targeting IoT devices this calendar year. The first two months of 2023 have seen a 41% increase from 2022 in the number of weekly IoT device attacks per organisation, with the education and research sector experiencing the largest increase in attack frequency.
“The Internet of Things (IoT) has become an integral part of our daily lives. However, with the growing use of IoT devices, there has been an increase in cyberattacks against these devices in recent years, using various exploitable vulnerabilities. One contributing factor to this increase is the rapid digital transformation that occurred in various sectors, such as education and healthcare, during the pandemic. This transformation, driven by the need for business continuity, often took place without proper consideration of security measures, leaving vulnerabilities in place,” say Check Point researchers.
Cybercriminals know that IoT devices are notoriously one of the most vulnerable parts of the networks, with most not adequately secured or managed. With IoT devices like cameras and printers, their vulnerabilities and unmanaged devices can allow direct access and significant privacy violation, allowing attackers an initial foothold into corporate networks before propagating inside the breached network.
“In the first two months of 2023, almost every week, on average 54% of organisations were targeted by these attack attempts, with an average of almost 60 attacks per organisation per week targeting IoT devices. This is 41% higher than in 2022, and more than triple the number of attacks from two years ago. These IoT devices attacked range from a variety of common IoT devices like routers, IP cameras, DVRs (digital video recorders) to NVRs (network video recorders), printers and more. IoT devices such as speakers and IP cameras have become increasingly common in remote work and learning environments, providing cybercriminals with a wealth of potential entry points,” adds the team at Check Point.
This trend was observed across all regions and sectors.
Europe is the region currently suffering from the most attacks targeting IoT devices, with an average of almost 70 such attacks per organisation every week, followed by APAC with 64, Latin America with 48, North America with 37 (and the largest increase from 2022, with 58%), and Africa with 34 weekly IoT cyber-attacks per organisation.
The education and research sector faces an unprecedented surge in attacks targeting IoT devices, with 131 weekly attacks per organisation, more than twice the global average and a staggering 34% increase from the previous year. Other sectors are also witnessing a surge in attacks, with most sectors experiencing double-digit growth compared to 2022.
Prior reports by Check Point Research revealed that hackers prefer to target schools as "soft targets" due to the abundance of personal data stored on school networks, making students and schools vulnerable.
The shift to remote learning has significantly expanded the attack surface for cybercriminals. Introducing numerous unsecured IoT devices into school networks has made it easier for hackers to breach these systems. Additionally, the lack of investment in robust cybersecurity prevention and defence technologies by schools makes it even simpler for cybercriminals to carry out phishing attacks and deploy ransomware.
While the threat landscape for IoT vulnerability exploits contains hundreds of vulnerabilities, some are seen more widely than others in scanning and attack attempts against corporate networks.
The top five exploits seen in the wild since the beginning of 2023 include MVPower DVR remote code execution. This exploit impacts an average of 49% of organisations every week.
Then comes the Dasan GPON router authentication bypass (CVE-2018-10561), which impacts 38% of organisations weekly.
In third place is NETGEAR DGN command injection, impacting 33% of organisations weekly.
D-Link multiple products remote code execution (CVE-2015-2051), impacting 23% of organisations weekly, and D-Link DSL-2750B remote command execution, impacting 14% of organisations weekly, sums up the list.
Command injection represents a critical and frequently exploited vulnerability in IoT devices. Attackers can inject commands into the program, taking advantage of the vulnerable application's privileges. The widespread adoption of IoT devices has made this vulnerability a prime target for cybercriminals.
Vulnerability scanners are widely used to identify and exploit weaknesses in web applications and APIs. While these tools have legitimate uses, attackers may also employ them maliciously. Two increasingly popular tools include Out-of-band security testing (OAST) and "Interact.sh."
The scanning technique serves as a filtering tool to pinpoint potential victims. When attack complexity is low, scanning has become a favoured initial step for attackers. The process entails sending a simple payload to a large group, with vulnerable targets responding to the initial request, confirming their vulnerability. This method falls under active scanning, the first step in the MITRE Matrix for Enterprise, a hierarchical framework of attack tactics and techniques used by cybercriminals.
Scanning enables attackers to verify the vulnerability of their targets and ensure only they receive the actual malicious payload. Research findings indicate that during a one-week testing period, at least 3% of networks were affected by this scanning method. The top exploits employing this attack method on IoT devices include NETGEAR DGN command injection, Netgear R7000 and R6400 cgi-bin command injection (CVE-2016-6277), FLIR AX8 thermal camera command injection (CVE-2022-37061), and multiple IoT command injection.
With organisations' increased reliance on IoT devices for daily operations, they must remain vigilant and proactive in securing these devices.
“Some steps that can be taken to improve IoT security include purchasing IoT devices from reputable brands that prioritise security, implementing security measures inside the devices before distribution to market. Practising password complexity policies and using multifactor authentication (MFA) when applicable also helps. It is prudent to ensure that connected devices are updated with the latest software and maintaining good device health. Enforcing zero-trust network access profiles for connected assets, and separating networks for IT and IoT when possible, are other suggestions,” says the Check Point team.
“We have recently announced Check Point quantum IoT protect as part of the Quantum 'Titan' release R81.20, which revolutionises network security by blocking the most evasive zero-day DNS, phishing, and IoT attacks. Check Point quantum IoT protect assists organisations in automatically discovering and protecting IoT assets within minutes.”
“As technology continues to advance, so will the sophistication and frequency of cyberattacks. By implementing robust security measures and staying informed about the latest threats and best practices, organisations can better protect themselves and their IoT devices from cybercriminals.”