Forescout’s Vedere Laboratories Unveils First Proof of Concept…


(MENAFN- Intelligent Marketing Consultants) Over the past few years, ransomware has evolved due to two ongoing trends:
1. Digital transformation is driving rapid growth in the number of IoT devices in organizations
2. the convergence of IT and OT networks.
Ransomware actors have evolved rapidly from pure data encryption until around 2019 to pre-encryption data exfiltration in 2020 to large extortion campaigns with multiple phases in 2021. The trend continued early 2022 with the emergence of new, highly sophisticated ransomware families such as ALPHV and more attacks by ransomware-as-a-service gangs such as Conti. This evolution in attackers’ methods means that ransomware gangs could now cripple the operations of virtually any organization.
Today, Forescout’s Vedere Labs is releasing an informational report that includes a detailed playbook outlining how organizations can protect themselves against a new type of ransomware attack that leverages IoT devices, such as video cameras, to deploy ransomware. The report includes a comprehensive proof-of-concept demonstration of this new attack vector which Vedere Labs believes will be the next step in the evolution of ransomware – we call this new attack approach “Ransomware for IoT” or R4IoT. The R4IoT report describes how IoT devices can be exploited for initial access and lateral movement to IT and OT devices, with the aim of causing physical disruption to business operations.
The proof-of-concept ransomware described in the R4IoT report exploits the first trend by using exposed vulnerable devices, such as an IP video camera or network-attached storage (NAS) device, as an initial network access point, and the second tends to hijack OT devices, adding another layer of extortion to an attack campaign.
This research is the first of its kind because:
• We have implemented and detailed detection and response actions for an R4IoT attack that serve as a playbook for organizations seeking to defend against current and future threats.
• This is the first work to combine the worlds of IT, OT and IoT ransomware and have a complete proof of concept from initial access via IoT to lateral movement in the IT network and then impact in the OT network. Beyond simple encryption, proof of concept on IT equipment includes deployment of crypto-mining software and data exfiltration.
• Impact to OT is not limited to standard operating systems (e.g. Linux) or device types (e.g. building automation), does not require persistence or modification of firmware on targeted devices, and works at scale on a wide variety of devices impacted by TCP/IP stack vulnerabilities.

This proof of concept, presented in the video and detailed in the technical report, is a clear demonstration of how IoT and OT exploits can be combined with a traditional attack campaign. It also shows that to mitigate this type of attack, organizations need solutions that enable extended visibility and improved control of all network assets.
Ransomware Mitigation
Beyond demonstrating how an R4IoT attack works, the report shows that there are ways to mitigate both the likelihood and impact of this type of incident on organizations, reducing the overall risk. that organizations face. Three important observations from our study of the ransomware threat landscape make it possible to mitigate this threat through the functions of the NIST Cybersecurity Framework:
• Identification and protection are possible because hundreds of very similar attacks occur simultaneously. For example, Conti had more than 400 successful attacks against US and international organizations in 2021. This means it is possible to identify actively exploited devices and vulnerabilities so their protection can be prioritized.
• Detection is possible because most of the tools and techniques used by these actors are well known. We outline the top tactics, techniques, and procedures (TTPs) used by malware in 2021.
• Response and recovery are possible because attacks are not immediate and fully automated. The average dwell time for ransomware attackers was 5 days in 2021.

Implementing this mitigation requires extended visibility and improved control of all assets in a network. The Forescout Continuum Platform helps achieve this goal through:
• Unparalleled insight into your entire asset landscape without disrupting critical business processes. After discovering connected devices, Forescout automatically classifies and assesses these devices against company policies. The powerful combination of these three features (discovery, classification, and assessment) provides asset visibility to drive appropriate policies and actions.
• Deep visibility and cyber resilience with DPI-based asset and communications inventory. This enables network monitoring and threat hunting capabilities, such as threat and vulnerability indicators.
• Accelerate the design, planning, and deployment of dynamic network segmentation across the enterprise to reduce your attack surface and regulatory risk. It simplifies the process of creating context-aware segmentation policies and enables visualization and simulation of policies before they are applied for proactive adjustment and validation.
• Sharing device context between the Forescout Continuum Platform and other IT and security products to automate policy enforcement across disparate solutions and accelerate system-wide response to mitigate risk.


Legal disclaimer: MENAFN provides the information “as is” without warranty of any kind. We assume no responsibility for the accuracy, content, images, videos, licensing, completeness, legality or reliability of any information in this article. If you have any complaints or copyright issues related to this article, please contact the provider above.


About Author

Comments are closed.