Microsoft Nabs Russian Hackers Exploiting Flimsy IOT Security

from the the-check-will-someday-come-due dept

Week after week we’ve documented how internet of things devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors. And CIA leaks have indeed confirmed that “smart” TVs and other devices with embedded microphones make for wonderful surveillance tools.

So it’s not too surprising to see Microsoft’s Security Response Center proclaim this week that it has caught Russian hacking group “Strontium” (aka Fancy Bear and APT28) using poorly secured printers, VoIP phones, and video decoders to gain access to sensitive networks. As is usually the case, Microsoft found that once these devices’ security was bypassed (often an easy feat, given there are sometimes few or no security measures in place), the attackers were able to use them as a beachhead to gain broader access to the networks they were connected to:

“After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.”

In at least two instances, the hacks were only made possible thanks to hardware shipping with default username and password logins, something that has frequently plagued residential routers as well. Just as unsurprising as the hack was Microsoft’s warning that this is a problem that’s only going to get worse, regardless of the government or organization pulling the strings:

“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives,” the report noted. “These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments.”
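The behaviour Microsoft describes above (a device still on its factory login, a printer or phone suddenly talking to an outside command-and-control host, a device walking the local subnet before moving on) is exactly what a defender can look for in an asset inventory and flow records. The following script is an added example, not code from the article or from Microsoft’s report: it audits a constructed device inventory against a constructed table of placeholder default credentials (not real vendor defaults), then scans constructed flow records for IoT devices contacting non-RFC1918 addresses or fanning out to many internal hosts. The device names, addresses, ports and credential pairs are all assumptions made up for the illustration.

```python
"""Added example: triage an IoT inventory and flow records for the weaknesses
described in the article. All devices, credentials and flows below are
constructed for illustration; the credential table is a placeholder, not a
list of real vendor defaults."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical "factory default" logins per device class (constructed placeholders).
DEFAULT_CREDENTIALS = {
    "printer": {("admin", "admin"), ("admin", "")},
    "voip_phone": {("admin", "admin"), ("root", "root")},
    "video_decoder": {("admin", "1234")},
}

# RFC1918 ranges count as "internal"; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    kind: str
    username: str
    password: str


@dataclass(frozen=True)
class Flow:
    src: str   # initiating host
    dst: str   # responding host
    dport: int


def is_internal(ip: str) -> bool:
    """True if the address falls inside an RFC1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def default_credential_findings(devices):
    """Names of devices still using a known default username/password pair."""
    return sorted(d.name for d in devices
                  if (d.username, d.password) in DEFAULT_CREDENTIALS.get(d.kind, set()))


def external_contact_findings(devices, flows):
    """IoT devices that initiated connections to external hosts (possible C2)."""
    iot_ips = {d.ip: d.name for d in devices}
    contacts = defaultdict(set)
    for f in flows:
        if f.src in iot_ips and not is_internal(f.dst):
            contacts[iot_ips[f.src]].add(f.dst)
    return {name: sorted(hosts) for name, hosts in contacts.items()}


def internal_fanout_findings(devices, flows, threshold=5):
    """IoT devices that contacted at least `threshold` distinct internal hosts,
    which a printer or phone has little legitimate reason to do (enumeration,
    lateral movement)."""
    iot_ips = {d.ip: d.name for d in devices}
    peers = defaultdict(set)
    for f in flows:
        if f.src in iot_ips and is_internal(f.dst) and f.dst != f.src:
            peers[iot_ips[f.src]].add(f.dst)
    return {name: len(p) for name, p in peers.items() if len(p) >= threshold}


# Constructed sample inventory: one printer, one VoIP phone, one video decoder.
DEVICES = [
    Device("lobby-printer", "192.168.10.20", "printer", "admin", "admin"),
    Device("conf-voip-phone", "192.168.10.30", "voip_phone", "admin", "Str0ngPass!"),
    Device("av-decoder", "192.168.10.40", "video_decoder", "admin", "1234"),
]

# Constructed sample flows: the printer beacons out and sweeps the subnet,
# the decoder beacons out, the phone only talks to its local SIP server.
FLOWS = (
    [Flow("192.168.10.20", "203.0.113.10", 443)] * 2
    + [Flow("192.168.10.20", f"192.168.10.{i}", 445) for i in range(1, 11)]
    + [Flow("192.168.10.30", "192.168.10.5", 5060),
       Flow("192.168.10.40", "198.51.100.7", 8080)]
)


def report(devices=DEVICES, flows=FLOWS):
    """Combine all three checks into one findings dictionary."""
    return {
        "default_credentials": default_credential_findings(devices),
        "external_contacts": external_contact_findings(devices, flows),
        "internal_fanout": internal_fanout_findings(devices, flows),
    }


if __name__ == "__main__":
    for category, findings in report().items():
        print(f"{category}: {findings}")
```

The three checks map onto the three observations in the Microsoft quote: the credential audit catches the default logins that made the initial access possible, the external-contact check surfaces the C2 traffic seen in the network analysis, and the fan-out check flags the subnet sweeping that preceded the move to the next device. Against a real network the inventory would come from the asset database and the flows from a firewall or NetFlow export, with the internal ranges adjusted to the site’s own addressing.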

As security researchers like Bruce Schneier have long noted, there’s a severe market failure driving this dysfunction. Companies don’t want to spend money on security and privacy standards as they connect everything under the sun to the internet, and by the time vulnerabilities are discovered, they’re off selling the next big thing. Because the devices rarely expose what they’re doing, consumers routinely have no idea what a device is even doing on the network. And by the time vulnerabilities are addressed, consumers are off to buy the next big thing (with equally terrible security holes).

Year after year after year, we’re connecting millions upon millions of devices to home and business networks with papier-mâché grade security. And while there are some fleeting efforts to address the problem (like incorporating flaws into product reviews), it’s still not something folks are taking seriously enough. And while such proclamations are often dismissed as hyperbole, it’s something folks like Schneier predict isn’t likely to change until these vulnerabilities result in some notable human casualties.

Companies: microsoft


Comments on “Microsoft Nabs Russian Hackers Exploiting Flimsy IOT Security”

tom (profile) says:

Running a network without a proper firewall and rule set is pretty much like leaving your front and back doors open when you go to bed. Sad that most consumer grade edge devices still allow all outbound traffic by default which violates basic network security 101. The harsh reality is most government officials are clueless, ISPs know better but don’t want the responsibility of helping millions of IT clueless customers setup proper security and the companies selling this stuff are taking full advantage.

Scary Devil Monastery (profile) says:

Re: Re:

"Running a network without a proper firewall and rule set is pretty much like leaving your front and back doors open when you go to bed."

Ever since my early days with computers I’ve believed that the act of locking your doors and not leaving the keys in must have been a habit formed over a mountain of corpses of the idiots who failed to learn. And eventually basic computer/network security would achieve the same status of normality.

However, that was more than twenty years ago and if anything we’re worse off today. I blame Steve Jobs for getting the ball rolling on the concept that the consumer should trust the hardware vendor with every decision of importance, leaving the only user decision to be whether to toggle the on/off button or not.

In days long past networked devices were used by professionals and those who refused to learn stayed away from them. Today the braying herd of lusers just insist that the professionals should ensure that no matter how moronic the actions of the user base, the hardware shall remain idiot proof.

And that’s a losing struggle since idiots get automatically upgraded every year but the hardware and software security is only upgraded as a result of hard work.

nae such says:

Re: Re: Re:

not leaving your keys in may up the ante (although, i’m guilty on occasion; stupid just smacks me in the face). i know people who have grown up in poor neighbourhoods and had their car robbed who still don’t lock the car or the house door. some of these same people think i’m annoyingly paranoid for locking up my vehicle and home. sadly some of these people are fairly logical. it is okay until it isn’t and people can’t be bothered to care.

Scary Devil Monastery (profile) says:

Re: Re: Re: Re:

…and there is human nature in a nutshell.

You would think that the average normal person knows how to do risk/threat assessments. Lock your door if you live in a city where breaking and entering is a thing. As a girl don’t accept drinks from random strangers in bars with a known history of spiked beverages. Don’t leave your laptop clearly visible in the backseat of your car when you park it for the night. Before crossing the road make sure to look right AND left. And so on.

And when you go online where ten thousand botnets casually prowl for unsecured access points, use that damn firewall.

It’s not rocket science and never should have been viewed as such. But as I’m fond of saying if digital devices were cars less than 1% would know how to check the tire pressure and top up the oil. And about 90% would give up on trying to fill the gas tank.

Scary Devil Monastery (profile) says:

Re: No Russian

"We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM."

"Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team and STRONTIUM) is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The Foreign and Commonwealth Office, and security firms SecureWorks, ThreatConnect, and Fireeye’s Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as two GRU units known as Unit 26165 and Unit 74455."

  • citation from the OP-referenced article and the wiki on STRONTIUM.

Learn to read, Baghdad bob.

Scary Devil Monastery (profile) says:

Re: Re: Re: No Russian

" I see you have to add things that ARE NOT IN THE ARTICLE to make Russians magically appear in the article. How nice."

  • So it’s not too surprising to see Microsoft’s Security Response Center proclaim this week that it has caught Russian hacking group “Strontium" (aka Fancy Bear and APT28)

Quoted directly from the article.

And my previous response just followed the links the article led to.

So, once again, Baghdad Bob, that you don’t know how to read isn’t something for which you can blame me.

seedeevee (profile) says:

Re: Re: Re:2 No Russian

Too bad "the article" would have been THE ARTICLE THIS OPINION PIECE WAS WRITTEN ABOUT – where it never mentions "Russia" or "Russians".

I understand those of you with Russia-on-the-brain tend to be of limited intelligence but, c’mon. The use of "the", "this" and "xenophobic trash" still has meaning outside of your little conspiracy circles.

That One Guy (profile) says:

Re: Re: Re:3 'No Russian'... if you ignore them, sure

From that very article, which you clearly did not read, or read and are now dishonestly claiming its contents to be different from what they are:

We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM. Since we identified these attacks in the early stages, we have not been able to conclusively determine what STRONTIUM’s ultimate objectives were in these intrusions.
