Microsoft Nabs Russian Hackers Exploiting Flimsy IOT Security

from the the-check-will-someday-come-due dept

Week after week we've documented how internet of things devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors. And CIA leaks have indeed confirmed that "smart" TVs and other devices with embedded microphones make for wonderful surveillance tools.

So it's not too surprising to see Microsoft's Security Response Center proclaim this week that it has caught the Russian hacking group "Strontium" (aka Fancy Bear and APT28) using poorly secured printers, VoIP phones, and video decoders to gain access to sensitive networks. As is usually the case, Microsoft found that once these devices' security was bypassed (often an easy feat, given that there are sometimes little to no security measures in place), the attackers were able to use them as a beachhead to gain broader access to the networks they were connected to:

"After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server."
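As an added illustration (not from the article or from Microsoft's report), the behaviours the report describes, an IoT device reaching an external C2 server and then reaching out to other internal hosts, are the kind of thing a defender can surface from flow records alone, because a printer or VoIP phone has no business talking to the internet or to file servers. The device inventory, per-class port allowlists, internal address ranges and flow records below are all constructed for this example.

```python
import ipaddress
from collections import Counter

# Assumed internal address space for this example; adjust to the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory of IoT-class devices of the kinds the report names, plus the only
# destination ports each class should legitimately use on the internal network.
IOT_ASSETS = {"10.0.5.20": "printer", "10.0.5.31": "voip-phone", "10.0.5.40": "video-decoder"}
EXPECTED_PORTS = {
    "printer": {53, 123, 631},        # DNS, NTP, IPP
    "voip-phone": {53, 123, 5060},    # DNS, NTP, SIP to the PBX
    "video-decoder": {53, 123, 554},  # DNS, NTP, RTSP
}
# Constructed flow records (src_ip, dst_ip, dst_port), the shape a NetFlow or Zeek conn log yields.
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.5.1", 53),        # printer -> internal DNS: expected
    ("10.0.5.20", "203.0.113.45", 443),   # printer -> external host: possible C2
    ("10.0.5.20", "203.0.113.45", 443),   # same destination again: beacon-like
    ("10.0.5.20", "10.0.9.12", 445),      # printer -> internal SMB: hunting other hosts
    ("10.0.5.31", "10.0.7.10", 5060),     # VoIP phone -> PBX: expected
    ("10.0.5.40", "198.51.100.7", 8080),  # video decoder -> external host: possible C2
    ("10.0.9.15", "203.0.113.45", 443),   # workstation -> external: not an IoT asset, ignored
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify_flow(src, dst, port, inventory=IOT_ASSETS, expected=EXPECTED_PORTS):
    """Label one flow, or return None when it is expected for that device class."""
    kind = inventory.get(src)
    if kind is None:
        return None                       # not an inventoried IoT device
    if is_external(dst):
        return "iot-egress"               # IoT device talking to the internet at all
    if port not in expected[kind]:
        return "iot-unexpected-internal"  # IoT device reaching internal hosts it never should
    return None

def find_iot_alerts(flows, inventory=IOT_ASSETS, expected=EXPECTED_PORTS):
    """Aggregate alerts as {(src, dst, port, label): count} so repeated beacons stand out."""
    hits = Counter()
    for src, dst, port in flows:
        label = classify_flow(src, dst, port, inventory, expected)
        if label:
            hits[(src, dst, port, label)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, dst, port, label), n in sorted(find_iot_alerts(SAMPLE_FLOWS).items()):
        print(f"{label:24} {src} -> {dst}:{port}  x{n}")
```

The same inventory and port allowlists are what an egress firewall rule set for the IoT VLAN would be built from, so the detection and the mitigation share one source of truth.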

In at least two instances, the hacks were only made possible thanks to hardware shipping with default username and password logins, something that has frequently plagued residential routers as well. Just as unsurprising as the hack was Microsoft's warning that this is a problem that's only going to get worse, regardless of the government or organization pulling the strings:

"While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives," the report noted. "These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments."

As security researchers like Bruce Schneier have long noted, there is a severe market failure driving this dysfunction. Companies don't want to spend money on security and privacy standards as they connect everything under the sun to the internet, and by the time vulnerabilities are discovered, they're off selling the next big thing. Because the devices rarely provide any insight into their own behavior, consumers routinely have no idea what a device is even doing on the network. And by the time vulnerabilities are addressed, consumers are off to buy the next big thing (with equally terrible security holes).

Year after year after year, we're connecting millions upon millions of devices to home and business networks with papier-mâché grade security. And while there are some fleeting efforts to address the problem (like incorporating security flaws into product reviews), it's still not something folks are taking seriously enough. And while such proclamations are often dismissed as hyperbole, folks like Schneier predict this isn't likely to change until these vulnerabilities result in some notable human casualties.

Filed Under: hacking, iot, russia, security
Companies: microsoft


Reader Comments



  • Anonymous Coward, 7 Aug 2019 @ 2:17pm

    Sadly getting humans to understand the things they are doing are a dumpster fire that isn't waiting to happen, it's burning now.
    IoT isn't the only place where there've been massive human failures, just the most contrived.


  • tom (profile), 7 Aug 2019 @ 4:27pm

    Running a network without a proper firewall and rule set is pretty much like leaving your front and back doors open when you go to bed. Sad that most consumer grade edge devices still allow all outbound traffic by default which violates basic network security 101. The harsh reality is most government officials are clueless, ISPs know better but don't want the responsibility of helping millions of IT clueless customers setup proper security and the companies selling this stuff are taking full advantage.


    • Christenson, 7 Aug 2019 @ 5:11pm

      Re: Access Control Sucks

      It’s never simple, never obvious, and always more of a pain in the neck than anyone cares to deal with.

      Overcoming that is the better mousetrap that causes a path to be beaten to your door.


    • Scary Devil Monastery (profile), 8 Aug 2019 @ 12:43am

      Re:

      "Running a network without a proper firewall and rule set is pretty much like leaving your front and back doors open when you go to bed."

      Ever since my early days with computers I've believed that the act of locking your doors and not leaving the keys in must have been a habit formed over a mountain of corpses of the idiots who failed to learn. And eventually basic computer/network security would achieve the same status of normality.

      However, that was more than twenty years ago and if anything we're worse off today. I blame Steve Jobs for getting the ball rolling on the concept that the consumer should trust the hardware vendor with every decision of importance, leaving the only user decision to be whether to toggle the on/off button or not.

      In days long past networked devices were used by professionals and those who refused to learn stayed away from them. Today the braying herd of lusers just insist that the professionals should ensure that no matter how moronic the actions of the user base, the hardware shall remain idiot proof.

      And that's a losing struggle since idiots get automatically upgraded every year but the hardware and software security is only upgraded as a result of hard work.


      • nae such, 8 Aug 2019 @ 9:06am

        Re: Re:

        Not leaving your keys in may up the ante (although I'm guilty on occasion; stupid just smacks me in the face). I know people who have grown up in poor neighbourhoods and had their car robbed who still don't lock the car or the house door. Some of these same people think I'm annoyingly paranoid for locking up my vehicle and home. Sadly some of these people are fairly logical. It is okay until it isn't, and people can't be bothered to care.


        • Scary Devil Monastery (profile), 9 Aug 2019 @ 1:13am

          Re: Re: Re:

          ...and there is human nature in a nutshell.

          You would think that the average normal person knows how to do risk/threat assessments. Lock your door if you live in a city where breaking and entering is a thing. As a girl don't accept drinks from random strangers in bars with a known history of spiked beverages. Don't leave your laptop clearly visible in the backseat of your car when you park it for the night. Before crossing the road make sure to look right AND left. And so on.

          And when you go online where ten thousand botnets casually prowl for unsecured access points, use that damn firewall.

          It's not rocket science and never should have been viewed as such. But as I'm fond of saying if digital devices were cars less than 1% would know how to check the tire pressure and top up the oil. And about 90% would give up on trying to fill the gas tank.


  • seedeevee (profile), 7 Aug 2019 @ 8:50pm

    No Russian

    No Russians were mentioned in the article.


    • Toom1275 (profile), 7 Aug 2019 @ 9:13pm

      Re: No Russian

      Perhaps you should try actually reading it?

      Or is it an issue with google translate omitting bits?


      • seedeevee (profile), 8 Aug 2019 @ 11:29am (this comment has been flagged by the community)

        Re: Re: No Russian

        I am pretty sure google translate won't find any Russians in that article either since "Russia" or "Russian" is not in it.

        "Stupid-ass Xenophobic Trash" wasn't in the article either but I see you placed that in the comment section here too.


    • Anonymous Coward, 7 Aug 2019 @ 10:14pm

      Re: Hey blue balls here’s a real anomaly for ya

      According to your post history, you are either a useful idiot/right wing nut job or, comma, a shit ass Russian troll. Which is it?


      • seedeevee (profile), 8 Aug 2019 @ 11:32am

        Re: Re: Hey blue balls here’s a real anomaly for ya

        When did the Russian Boogeyman first appear in your dreams?


        • Anonymous Coward, 8 Aug 2019 @ 12:41pm

          Re: Re: Re: Hey blue balls here’s a real anomaly for ya

          Useful idiot it is. Emphasis on idiot


          • seedeevee (profile), 8 Aug 2019 @ 2:47pm

            Re: Re: Re: Re: Hey blue balls here’s a real anomaly for ya

            Yeah, I see you are using the "Russian Playbook" to divide us Americans with nonsensical Hollywood plot lines and dialogue.

            Great work, comrade.


            • Anonymous Coward, 8 Aug 2019 @ 3:46pm

              Re: Re: Re: Re: Re: Hey blue balls here’s a real anomaly for y

              Going for the reverse eh? Still pathetic though. Should have called me Ivan.


    • Scary Devil Monastery (profile), 8 Aug 2019 @ 12:49am

      Re: No Russian

      "We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM."

      "Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team and STRONTIUM) is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The Foreign and Commonwealth Office, and security firms SecureWorks, ThreatConnect, and Fireeye's Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as two GRU units known as Unit 26165 and Unit 74455."

      • citation from the OP-referenced article and the wiki on STRONTIUM.

      Learn to read, Baghdad bob.


      • seedeevee (profile), 8 Aug 2019 @ 11:31am

        Re: Re: No Russian

        I see you have to add things that ARE NOT IN THE ARTICLE to make Russians magically appear in the article.

        How nice.


        • Anonymous Coward, 8 Aug 2019 @ 12:47pm

          Re: Re: Re: No Russian

          That’s the absolute worst attempt at gaslighting I’ve ever seen. Maybe being a shit ass troll just isn’t in your wheelhouse. Here’s a bit of career advice for free. Try practicing saying “Would you like fries with that?”


        • Scary Devil Monastery (profile), 9 Aug 2019 @ 1:15am

          Re: Re: Re: No Russian

          " I see you have to add things that ARE NOT IN THE ARTICLE to make Russians magically appear in the article. How nice."

          • So it's not too surprising to see Microsoft's Security Response Center proclaim this week that it has caught Russian hacking group “Strontium" (aka Fancy Bear and APT28)

          Quoted directly from the article.

          And my previous response just followed the links the article led to.

          So, once again, Baghdad Bob, that you don't know how to read isn't something for which you can blame me.


          • seedeevee (profile), 9 Aug 2019 @ 5:11pm

            Re: Re: Re: Re: No Russian

            Too bad "the article" would have been THE ARTICLE THIS OPINION PIECE WAS WRITTEN ABOUT - where it never mentions "Russia" or "Russians".

            I understand those of you with Russia-on-the-brain tend to be of limited intelligence but, c'mon. The use of "the", "this" and "xenophobic trash" still has meaning outside of your little conspiracy circles.


            • That One Guy (profile), 11 Aug 2019 @ 1:50am

              'No Russian'... if you ignore them, sure

              From that very article, which you clearly did not read, or read and are now dishonestly claiming its contents to be different from what they are:

              Attribution

              We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM. Since we identified these attacks in the early stages, we have not been able to conclusively determine what STRONTIUM’s ultimate objectives were in these intrusions.


    • Baron von Robber, 8 Aug 2019 @ 7:06am

      Re: No Russian

      Wow, you really took Drumpf's "Don’t believe what you’re reading or seeing" pretty seriously.


    • Thad (profile), 8 Aug 2019 @ 7:53am

      Re: No Russian

      But I see some in the comments!


  • Razlee Security (profile), 8 Aug 2019 @ 2:33am

    Nice post to know some details


  • Coyne Tibbets (profile), 8 Aug 2019 @ 7:08am

    Go, IOT

    So what will be the outcome of all this IOT-Russian hacker concern? Obviously IOT voting machines, right?


  • michael, 8 Aug 2019 @ 1:14pm

    No one was "nabbed"

    "Nab" generally implies physical seizing, or arresting, or catching. The author here is using it in a bizarre, non-standard way, to mean simply "finding out."

    Apologies if the author is not a native English speaker - I can see how some slang might be confusing.


