In 2021 the IoT threat landscape continued to evolve. Hackers pushed the boundaries of what was thought technologically possible, while corporate device manufacturers had their brands dragged through the mud as their legacy security mechanisms didn’t stand a chance.
1. Verkada breach
In March a group of hackers succeeded in accessing and controlling thousands of security cameras developed and managed by Verkada, a Silicon Valley-based company that sells security as a service. The hackers got in by discovering a set of Verkada user credentials publicly exposed on the Internet. Once they had breached the Verkada database, they moved laterally across the network and gained control of a super-admin account. From there they were able to hijack control of the cameras to launch further attacks and to access video footage stored in the cloud belonging to Verkada’s more than 24,000 clients.
Even more alarming than the attack itself was that Verkada had no idea it had been breached until the video feed hit Twitter. Verkada learned about the hack through the media, with no knowledge of the duration of the breach or the extent of the damage. The hackers have since claimed they had uninterrupted full system access for two days.
Verkada had cybersecurity measures in place, but they were limited in scope. Neither its cameras nor its centralized management consoles had a real-time endpoint security solution in place designed to detect and prevent attacks.
This incident is a real-life example of the damage that can be caused by hackers gaining access to and exfiltrating sensitive data from critical facilities. Yet as bad as the situation is, it is important to be aware of the potential for even worse when the connected cameras or other devices that are breached control the access systems used in smart homes and buildings. When malicious actors have access to this type of sensitive data, they can potentially manipulate footage, conduct invasive surveillance, or control access to sensitive locations, coupling a digital risk with a physical attack.
2. Western Digital’s My Book Live attack
Major storage device manufacturer Western Digital had its My Book Live devices completely wiped. This was due to two vulnerabilities: the first enabled the device to be compromised, and the second, a critical security bug, allowed hackers to remotely perform a factory reset without a password.
Western Digital stopped supporting the My Book Live in 2015. The first remote command execution vulnerability surfaced in late 2018, but because it was found three years after Western Digital stopped supporting the device, the bug was never fixed. The My Book Live attack is significant not only because hackers were able to wipe petabytes of user data from each device, but also because it was a Western Digital developer who had actively removed the code that required a valid user password before a factory reset could be activated.
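To make the My Book Live flaw concrete, here is an added example (not Western Digital’s code; the handler names, the Device class and the sample credential are constructed) showing a factory-reset handler with its password check removed beside the hardened version, plus a regression gate that fails whenever the check is missing:

```python
import hashlib
import hmac

# Constructed stand-in for a NAS web console's stored admin credential:
# a salted PBKDF2 hash of a constructed sample password. Not vendor code.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 50_000
_ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", b"demo-admin-pass", _SALT, _ITERATIONS)


def password_valid(password):
    """Check a supplied password against the stored hash in constant time."""
    if not isinstance(password, str):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, _ADMIN_HASH)


class Device:
    """Minimal model of the device state the reset handler acts on."""
    def __init__(self):
        self.wiped = False


def factory_restore_vulnerable(device, password=None):
    """'Before' shape of the bug: the password check was removed, so any
    request, even one carrying no password at all, wipes the device."""
    # if not password_valid(password):   <- the check that was taken out
    #     return False
    device.wiped = True
    return True


def factory_restore_hardened(device, password=None):
    """Hardened handler: refuse the reset unless the caller proves the password."""
    if not password_valid(password):
        return False
    device.wiped = True
    return True


def reset_requires_password(handler):
    """Regression gate: True only if the handler rejects unauthenticated and
    wrong-password resets and still accepts the correct password. Wire this
    into CI so that removing the check fails the build instead of shipping."""
    for bad in (None, "", "not-the-password"):
        dev = Device()
        if handler(dev, bad) or dev.wiped:
            return False
    dev = Device()
    return handler(dev, "demo-admin-pass") is True and dev.wiped
```

The gate returns True for the hardened handler and False for the one with the check removed, so a developer deleting the check cannot do so silently.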
Western Digital decided, like all other device manufacturers, to stop supporting a device that was no longer deemed profitable. However, just because the manufacturer is no longer working on a device doesn’t mean that hackers have got the memo. On the contrary, popular devices that are no longer supported are a prime target for hackers, as they provide a freely exposed opening into the network.
To stop their IoT devices from becoming the next cyber attack headline, brands and manufacturers must step up their game. Device hardening, 2FA, and encrypted data are all good starting points, but they’re not enough. Hackers keep evolving their malware tactics to stay successful, so a real-time IoT security solution is needed to keep up before any damage occurs.
3. BotenaGo Targets Millions of Routers and IoT devices
Got a Netgear device or a D-Link router? Those are just a couple of the brands caught up in the BotenaGo malware, which harvested millions of IoT devices into its global botnet. The botnet was discovered using over thirty different exploits to infect a variety of routers, modems and NAS devices.
It was discovered by researchers at AT&T, who found it was written in Golang (Go), a language that has seen explosive popularity recently. Malware authors, for their part, love it for developing payloads that are harder to detect and reverse engineer. When put to the test, only six of the 62 AV engines on the public malware library VirusTotal flagged the sample as malicious, with a few identifying it as a variant of Mirai.
Unusually for a botnet, the researchers did not discover a connected malicious C2 server to which the malware could transmit the data it collected. Analysts have offered three possible explanations:
- BotenaGo is only the first part of a multi-stage malware attack, and not the part responsible for transmitting communication.
- BotenaGo is a new tool used by Mirai operators on certain machines.
- The malware isn’t in full operation yet: perhaps it was accidentally leaked into the wild, and the detected sample is still in early development.
Whatever the case, the underlying capabilities of BotenaGo have given the cyber community a real jolt and have left no ambiguity as to the intentions of its authors.