Microsoft Nabs Russian Hackers Exploiting Flimsy IOT Security

from the the-check-will-someday-come-due dept

Week after week we've documented how internet of things devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors. And CIA leaks have indeed confirmed that "smart" TVs and other devices with embedded microphones make for wonderful surveillance tools.

So it's not too surprising to see Microsoft's Security Response Center proclaim this week that it has caught Russian hacking group "Strontium" (aka Fancy Bear and APT28) using poorly secured printers, VoIP phones, and video decoders to gain access to sensitive networks. As is usually the case, Microsoft found that once these devices' security was bypassed (often an easy feat, given that there are sometimes little to no security measures in place), the attackers were able to use them as a beachhead to gain broader access to the networks they were connected to:

"After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server."

In at least two instances, the hacks were only made possible thanks to hardware shipping with default username and password logins, something that has frequently plagued residential routers as well. Just as unsurprising as the hack was Microsoft's warning that this is a problem that's only going to get worse, regardless of the government or organization pulling the strings:

"While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives," the report noted. "These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments."
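A defender-side triage check for the behaviour Microsoft describes in the excerpts above (IoT devices reaching an external command-and-control host and enumerating directory services on other subnets), written as an added example that is not from the article or from Microsoft's report. The device inventory, flow records, internal address range, port list and threshold are all constructed assumptions for the illustration.

```python
"""Flag IoT-class devices (printers, VoIP phones, video decoders) that behave
like the foothold in Microsoft's report: egress to an external host (possible
C2) or probing directory ports on several hosts (possible group enumeration)."""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: which local addresses are IoT-class devices.
IOT_INVENTORY = {
    "10.0.20.11": "printer",
    "10.0.20.12": "voip-phone",
    "10.0.20.13": "video-decoder",
}

# Constructed flow records, "src_ip,dst_ip,dst_port,bytes", as a flow exporter might emit.
SAMPLE_FLOWS = """\
10.0.20.11,10.0.20.5,9100,4096
10.0.20.12,10.0.20.1,5060,2048
10.0.20.13,203.0.113.7,443,65536
10.0.20.13,10.0.10.2,389,1200
10.0.20.13,10.0.10.2,445,900
10.0.20.13,10.0.10.3,389,1100
10.0.20.11,10.0.10.2,443,512
10.0.10.50,198.51.100.9,443,8000
"""

# Assumed internal address space; any other destination counts as external egress.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Ports used for directory/admin enumeration: Kerberos, LDAP, SMB, LDAPS, WinRM.
DIRECTORY_PORTS = {88, 389, 445, 636, 5985}

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def parse_flows(text):
    # Parse CSV flow lines into (src, dst, dport, bytes) tuples, skipping blanks.
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split(",")
        flows.append((src, dst, int(port), int(nbytes)))
    return flows

def find_iot_anomalies(flows, inventory=IOT_INVENTORY, host_threshold=2):
    # Return (src, device_type, reason, detail) for each suspicious IoT behaviour.
    findings = []
    directory_targets = defaultdict(set)
    for src, dst, port, _ in flows:
        kind = inventory.get(src)
        if kind is None:
            continue  # not an inventoried IoT device; out of scope here
        if not is_local(dst):
            findings.append((src, kind, "external-egress", dst))
        elif port in DIRECTORY_PORTS:
            directory_targets[src].add(dst)
    # Directory ports on several distinct hosts from one device looks like enumeration.
    for src, hosts in directory_targets.items():
        if len(hosts) >= host_threshold:
            findings.append((src, inventory[src], "directory-probing",
                             ",".join(sorted(hosts))))
    return findings
```

Devices with a legitimate reason to reach a directory port (a printer that looks up an LDAP address book, say) belong in an allowlist rather than a higher threshold, so that a single unexpected host still gets reviewed.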

As security researchers like Bruce Schneier have long noted, there is a severe market failure driving this dysfunction. Companies don't want to spend money on security and privacy standards as they connect everything under the sun to the internet, and by the time vulnerabilities are discovered, they're off selling the next big thing. Because the devices often provide no insight into what they're doing, consumers routinely have no idea what a device is even doing on the network. And by the time vulnerabilities are addressed, consumers are off buying the next big thing (with equally terrible security holes).

Year after year after year, we're connecting millions upon millions of devices to home and business networks with papier-mâché grade security. And while there are some fleeting efforts to address the problem (like factoring security flaws into product reviews), it's still not something folks are taking seriously enough. And while such proclamations are often dismissed as hyperbole, it's something folks like Schneier predict isn't likely to change until these vulnerabilities result in some notable human casualties.

Filed Under: hacking, iot, russia, security
Companies: microsoft


Reader Comments


  1.
    Anonymous Coward, 7 Aug 2019 @ 2:17pm

    Sadly, getting humans to understand that the things they are doing are a dumpster fire that isn't waiting to happen, it's burning now.
    IoT isn't the only place where there've been massive human failures, just the most contrived.

  2.
    tom (profile), 7 Aug 2019 @ 4:27pm

    Running a network without a proper firewall and rule set is pretty much like leaving your front and back doors open when you go to bed. Sad that most consumer grade edge devices still allow all outbound traffic by default, which violates basic network security 101. The harsh reality is most government officials are clueless, ISPs know better but don't want the responsibility of helping millions of IT-clueless customers set up proper security, and the companies selling this stuff are taking full advantage.

  3.
    Christenson, 7 Aug 2019 @ 5:11pm

    Re: Access Control Sucks

    It’s never simple, never obvious, and always more of a pain in the neck than anyone cares to deal with.

    Overcoming that is the better mousetrap that causes a path to be beaten to your door.

  4.
    seedeevee (profile), 7 Aug 2019 @ 8:50pm

    No Russian

    No Russians were mentioned in the article.

  5.
    Toom1275 (profile), 7 Aug 2019 @ 9:13pm

    Re: No Russian

    Perhaps you should try actually reading it?

    Or is it an issue with google translate omitting bits?

  6.
    Anonymous Coward, 7 Aug 2019 @ 10:14pm

    Re: Hey blue balls here’s a real anomaly for ya

    According to your post history, you are either a useful idiot/right-wing nut job or comma a shit ass Russian troll. Which is it?

  7.
    Scary Devil Monastery (profile), 8 Aug 2019 @ 12:43am

    Re:

    "Running a network without a proper firewall and rule set is pretty much like leaving your front and back doors open when you go to bed."

    Ever since my early days with computers I've believed that the act of locking your doors and not leaving the keys in must have been a habit formed over a mountain of corpses of the idiots who failed to learn. And eventually basic computer/network security would achieve the same status of normality.

    However, that was more than twenty years ago and if anything we're worse off today. I blame Steve Jobs for getting the ball rolling on the concept that the consumer should trust the hardware vendor with every decision of importance, leaving the only user decision to be whether to toggle the on/off button or not.

    In days long past networked devices were used by professionals and those who refused to learn stayed away from them. Today the braying herd of lusers just insist that the professionals should ensure that no matter how moronic the actions of the user base, the hardware shall remain idiot proof.

    And that's a losing struggle since idiots get automatically upgraded every year but the hardware and software security is only upgraded as a result of hard work.

  8.
    Scary Devil Monastery (profile), 8 Aug 2019 @ 12:49am

    Re: No Russian

    "We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM."

    "Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team and STRONTIUM) is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The Foreign and Commonwealth Office, and security firms SecureWorks, ThreatConnect, and FireEye's Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as two GRU units known as Unit 26165 and Unit 74455."

    • citation from the OP-referenced article and the wiki on STRONTIUM.

    Learn to read, Baghdad Bob.

  9.
    Razlee Security (profile), 8 Aug 2019 @ 2:33am

    Nice post to know some details

  10.
    Baron von Robber, 8 Aug 2019 @ 7:06am

    Re: No Russian

    Wow, you really took Drumpf's "Don't believe what you're reading or seeing" pretty seriously.

  11.
    Coyne Tibbets (profile), 8 Aug 2019 @ 7:08am

    Go, IOT

    So what will be the outcome of all this IOT-Russian hacker concern? Obviously IOT voting machines, right?

  12.
    Baron von Robber, 8 Aug 2019 @ 7:09am

    Re: Go, IOT

    Unless you have internal firewalls, you can use IoT as a jumpbox.

  13.
    Thad (profile), 8 Aug 2019 @ 7:53am

    Re: No Russian

    But I see some in the comments!

  14.
    nae such, 8 Aug 2019 @ 9:06am

    Re: Re:

    Not leaving your keys in may up the ante (although I'm guilty on occasion; stupid just smacks me in the face). I know people who have grown up in poor neighbourhoods and had their car robbed who still don't lock the car or the house door. Some of these same people think I'm annoyingly paranoid for locking up my vehicle and home. Sadly, some of these people are fairly logical. It is okay until it isn't, and people can't be bothered to care.

  15. This comment has been flagged by the community.
    seedeevee (profile), 8 Aug 2019 @ 11:29am

    Re: Re: No Russian

    I am pretty sure google translate won't find any Russians in that article either since "Russia" or "Russian" is not in it.

    "Stupid-ass Xenophobic Trash" wasn't in the article either but I see you placed that in the comment section here too.

  16.
    seedeevee (profile), 8 Aug 2019 @ 11:31am

    Re: Re: No Russian

    I see you have to add things that ARE NOT IN THE ARTICLE to make Russians magically appear in the article.

    How nice.

  17.
    seedeevee (profile), 8 Aug 2019 @ 11:32am

    Re: Re: Hey blue balls here’s a real anomaly for ya

    When did the Russian Boogeyman first appear in your dreams?

  18.
    seedeevee (profile), 8 Aug 2019 @ 11:34am

    Re: Re: No Russian

    I see you have taken the "make shit up to overcome my cognitive dissonance" directive from Momma Clinton to heart. How nice.

  19.
    seedeevee (profile), 8 Aug 2019 @ 11:35am

    Re: Re: No Russian

    Yeah. Don't look under your bed. It's scary what your imagination will make you see there.

  20.
    Thad (profile), 8 Aug 2019 @ 12:28pm

    Re: Re: Re: No Russian

    Bored now. Plonk.

  21.
    Anonymous Coward, 8 Aug 2019 @ 12:41pm

    Re: Re: Re: Hey blue balls here’s a real anomaly for ya

    Useful idiot it is. Emphasis on idiot

  22.
    Anonymous Coward, 8 Aug 2019 @ 12:43pm

    Re:

    Wow, is that a real vintage whataboutclinton? Those things go for big bucks on eBay.

  23.
    Anonymous Coward, 8 Aug 2019 @ 12:47pm

    Re: Re: Re: No Russian

    That’s the absolute worst attempt at gaslighting I’ve ever seen. Maybe being a shit ass troll just isn’t in your wheelhouse. Here’s a bit of career advise for free. Try practicing saying “Would you like fries with that?”

  24.
    michael, 8 Aug 2019 @ 1:14pm

    No one was "nabbed"

    "Nab" generally implies physical seizing, or arresting, or catching. The author here is using it in a bizarre, non-standard way, to mean simply "finding out."

    Apologies if the author is not a native English speaker - I can see how some slang might be confusing.

  25.
    seedeevee (profile), 8 Aug 2019 @ 2:47pm

    Re: Re: Re: Re: Hey blue balls here’s a real anomaly for ya

    Yeah, I see you are using the "Russian Playbook" to divide us Americans with nonsensical Hollywood plot lines and dialogue.

    Great work, comrade.

  26.
    seedeevee (profile), 8 Aug 2019 @ 2:48pm

    Re: Re: Re: Re: No Russian

    Here is some better career ADVICE for you - SPELL CHECK.

  27.
    seedeevee (profile), 8 Aug 2019 @ 2:49pm

    Re: Re:

    Yeah, sorry.

    Vintage McCarthyism is much more in vogue, isn't it?

  28.
    seedeevee (profile), 8 Aug 2019 @ 2:50pm

    Re: Re: Re: Re: No Russian

    That "plank" stuff is still a thing?

  29.
    seedeevee (profile), 8 Aug 2019 @ 2:51pm

    Re: No one was "nabbed"

    You can't have a xenophobic tantrum without bending a few conventions.

  30.
    Anonymous Coward, 8 Aug 2019 @ 3:46pm

    Re: Re: Re: Re: Re: Hey blue balls here’s a real anomaly for y

    Going for the reverse eh? Still pathetic though. Should have called me Ivan.

  31.
    Anonymous Coward, 8 Aug 2019 @ 3:50pm

    Re: Dig up stupid!

    Going for the grammar Nazi angle are we? You never fail to disappoint.

    advise
    you, use spell check.

  32.
    Anonymous Coward, 8 Aug 2019 @ 3:51pm

    Re: Stop hitting yourself!

    For you useful idiots it’s all about that projection baby!

  33.
    Anonymous Coward, 8 Aug 2019 @ 3:57pm

    Re: Sad low energy troll

    I do wonder who you borrowed that phrase from. Because you are quite obviously not smart enough to know what half those words mean.

  34.
    seedeevee (profile), 8 Aug 2019 @ 5:10pm

    Re: Re: Re: Re: Re: Re: Hey blue balls here’s a real anomaly f

    No. The reverse would have been to say something intelligent.

  35.
    seedeevee (profile), 8 Aug 2019 @ 5:11pm

    Re: Re: Dig up stupid!

    Russians AND Nazis! You have them all.

    Don't forget Space Aliens next time.

  36.
    seedeevee (profile), 8 Aug 2019 @ 5:12pm

    Re: Re: Stop hitting yourself!

    Thanks for the advice.

  37.
    seedeevee (profile), 8 Aug 2019 @ 5:15pm

    Re: Go, IOT

    "So what will be the outcome of all this IOT-Russian hacker concern?"

    Obviously - making Hillary Clinton voters feel better about themselves and selling USG upgrades to mass surveillance policies.

  38.
    seedeevee (profile), 8 Aug 2019 @ 5:17pm

    Re: Re: Sad low energy troll

    I won't count on your self purported abilities to straighten that conundrum out.

  39.
    Anonymous Coward, 8 Aug 2019 @ 5:23pm

    Re: Re: Re: Sad low energy troll

    Yup. Thad was right. You're boring. You really need better comebacks than "NO U" and "Look, a distraction."

  40.
    Anonymous Coward, 8 Aug 2019 @ 5:23pm

    Re: Re: Re: Dig up stupid!

    and*

    space aliens*

  41.
    seedeevee (profile), 8 Aug 2019 @ 9:21pm

    Re: Re: Re: Re: Sad low energy troll

    Little children have "comebacks" and thad is why I don't use them.

  42.
    Scary Devil Monastery (profile), 9 Aug 2019 @ 1:13am

    Re: Re: Re:

    ...and there is human nature in a nutshell.

    You would think that the average normal person knows how to do risk/threat assessments. Lock your door if you live in a city where breaking and entering is a thing. As a girl don't accept drinks from random strangers in bars with a known history of spiked beverages. Don't leave your laptop clearly visible in the backseat of your car when you park it for the night. Before crossing the road make sure to look right AND left. And so on.

    And when you go online where ten thousand botnets casually prowl for unsecured access points, use that damn firewall.

    It's not rocket science and never should have been viewed as such. But as I'm fond of saying if digital devices were cars less than 1% would know how to check the tire pressure and top up the oil. And about 90% would give up on trying to fill the gas tank.

  43.
    Scary Devil Monastery (profile), 9 Aug 2019 @ 1:15am

    Re: Re: Re: No Russian

    " I see you have to add things that ARE NOT IN THE ARTICLE to make Russians magically appear in the article. How nice."

    • So it's not too surprising to see Microsoft's Security Response Center proclaim this week that it has caught Russian hacking group “Strontium" (aka Fancy Bear and APT28)

    Quoted directly from the article.

    And my previous response just followed the links the article led to.

    So, once again, Baghdad Bob, that you don't know how to read isn't something for which you can blame me.

  44.
    Baron von Robber, 9 Aug 2019 @ 10:58am

    Re: Re: Re: No Russian

    4th grade tactics seem advanced to you?

  45.
    Baron von Robber, 9 Aug 2019 @ 11:01am

    Re: Re: Go, IOT

    [troll and brain damage detected]

  46.
    seedeevee (profile), 9 Aug 2019 @ 5:11pm

    Re: Re: Re: Re: No Russian

    Too bad "the article" would have been THE ARTICLE THIS OPINION PIECE WAS WRITTEN ABOUT - where it never mentions "Russia" or "Russians".

    I understand those of you with Russia-on-the-brain tend to be of limited intelligence but, c'mon. The use of "the", "this" and "xenophobic trash" still has meaning outside of your little conspiracy circles.

  47.
    seedeevee (profile), 9 Aug 2019 @ 5:13pm

    Re: Re: Re: Go, IOT

    Please go see your doctor.

  48.
    That One Guy (profile), 11 Aug 2019 @ 1:50am

    'No Russian'... if you ignore them, sure

    From that very article, which you clearly did not read, or read and are now dishonestly claiming its contents to be different from what they are:

    Attribution

    We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM. Since we identified these attacks in the early stages, we have not been able to conclusively determine what STRONTIUM’s ultimate objectives were in these intrusions.

  49.
    Toom1275 (profile), 12 Aug 2019 @ 8:02pm

    Re: 'No Russian'... if you ignore them, sure

    Something something get someone to acknowledge something they're paid not to.
