What IT Needs to Know About OT/IoT Security Threats in 2020

As head of the security research team at Nozomi Networks Labs, today I’m proud to introduce our review of the OT/IoT threat landscape for the first half of 2020 (1H). During this time, our team saw an increase in threats to OT and IoT networks, especially IoT botnet, ransomware and COVID-19-themed attacks.

These attack types align with global computing and socio-economic trends. The rapid rise in IoT devices and connections, the worldwide COVID-19 pandemic, and the increasing growth and sophistication of cyber criminals using ransomware for financial gain are the significant drivers.

Our report provides an overview of the most active threats we saw in 1H, insight into their tactics and techniques, and recommendations for protecting your critical networks. Read on to learn some of the report’s highlights.

One of the more interesting IoT botnets of the period is Dark Nexus, discovered in April 2020. Its code development process is quite intriguing: Dark Nexus operators frequently issue new updates, similar to the release cadence you see with commercial software. Additionally, Dark Nexus operators brazenly hawk their DDoS mitigation services on the open internet.

From a technical point of view, what stands out about Dark Nexus when compared to competing botnets is the elaborate mechanisms it uses to profile the processes running on the infected device. The goal of these mechanisms is to identify suspicious processes that might hinder the smooth execution of the malware.

While Dark Nexus initially infected only a few thousand devices, numbers can fluctuate quickly, and defenders should keep an eye on this type of threat.


Shifting ransomware escalates enterprise risk

Ransomware attacks targeting a variety of industry verticals remain commonplace. What is changing is the significance of the targets. Ransomware gangs have shifted their focus to larger, more critical targets with deeper pockets, including manufacturers, energy operators, local municipalities, and others.

Ransomware operators typically encrypt files and demand ransom payments from affected parties. Now they also exfiltrate company data and threaten to leak it publicly, as a way to apply more leverage.

See our report to learn details about these ransomware threats:


COVID-19-themed malware takes advantage of remote work and a climate of anxiety

The COVID-19 global pandemic has provided threat actors with more vectors and opportunities for exploitation. The attack surface for most companies has greatly expanded with the fast switch to work-from-home policies. Some companies have infrastructure that allows remote work, such as VPNs and work laptops. Many others were not prepared and had to quickly come up with solutions, opening the door to security risks.

Furthermore, the climate of anxiety and uncertainty caused by COVID-19 makes targets more susceptible to social engineering attacks. Threat actors primarily used phishing emails in the initial attack phase to lure users into giving up personal information or executing malicious software.

An example is the Chinoxy Backdoor malware family. It embeds a document containing information related to COVID-19 assistance in an .rtf file that exploits CVE-2017-11882. The exploit is used to drop malicious binaries on the machine, which use HTTP over port 443 for C&C communication.

When threat actors gain access to systems and exfiltrate network data, they always leave a trail. That’s good news because the trail can be identified and quickly acted on if you have clear visibility into what’s happening in your OT/IoT networks.
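The Chinoxy C&C channel described above is a good illustration of the kind of trail network visibility exposes: HTTP over TCP/443 does not look like the TLS traffic that port normally carries, and the first bytes of the client payload reveal the mismatch. The following is an added example, not code from the report or from Nozomi Networks, that runs a port/protocol-mismatch check over constructed flow records (the record format, the `Flow` class and the sample addresses are assumptions for the demonstration):

```python
"""Flag plaintext HTTP carried over TCP/443 in constructed flow records.

Added example (not from the Nozomi Networks report). A TLS ClientHello
starts with a handshake record header (content type 0x16, version 0x03 0x0X,
2-byte length, handshake type 0x01), whereas plaintext HTTP starts with an
ASCII request line such as "POST /path HTTP/1.1". A flow to port 443 whose
first client bytes look like HTTP rather than TLS is worth an analyst's look.
"""
from dataclasses import dataclass
from typing import List

# Request-line prefixes that identify plaintext HTTP at the first byte.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


@dataclass
class Flow:
    """Minimal flow record: who talked to whom, and the first client payload bytes."""
    src: str
    dst: str
    dst_port: int
    first_bytes: bytes  # first client-to-server payload bytes captured for the flow


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the payload begins with a TLS handshake record carrying a ClientHello."""
    return (
        len(payload) >= 6
        and payload[0] == 0x16      # TLS record content type: handshake
        and payload[1] == 0x03      # TLS major version byte
        and payload[5] == 0x01      # handshake message type: ClientHello
    )


def looks_like_plaintext_http(payload: bytes) -> bool:
    """True if the payload begins with an HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def find_http_on_443(flows: List[Flow]) -> List[str]:
    """Return one finding per flow that sends plaintext HTTP to a TLS port.

    Flows that do start with a ClientHello pass; flows whose first bytes are
    neither TLS nor HTTP are left alone here (they need a different check).
    """
    findings = []
    for f in flows:
        if f.dst_port != 443:
            continue
        if looks_like_tls_client_hello(f.first_bytes):
            continue
        if looks_like_plaintext_http(f.first_bytes):
            method = f.first_bytes.split(b" ", 1)[0].decode("ascii")
            findings.append(f"{f.src} -> {f.dst}:443 plaintext HTTP {method} on TLS port")
    return findings


# Constructed sample flows (documentation-range addresses, not real hosts).
SAMPLE_FLOWS = [
    # Ordinary HTTPS: TLS 1.x handshake record with a ClientHello.
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    # Plaintext HTTP POST to port 443: the pattern the paragraph describes.
    Flow("10.0.0.7", "198.51.100.20", 443, b"POST /update.php HTTP/1.1\r\nHost: 198.51.100.20\r\n"),
    # Plaintext HTTP on its normal port: not a mismatch.
    Flow("10.0.0.8", "192.0.2.30", 80, b"GET /index.html HTTP/1.1\r\n"),
    # Unrecognised binary protocol on 443: out of scope for this check.
    Flow("10.0.0.9", "203.0.113.40", 443, b"\x00\x01\x02\x03\x04\x05\x06"),
]

if __name__ == "__main__":
    for line in find_http_on_443(SAMPLE_FLOWS):
        print(line)
```

Run against real data, the same check sits naturally on whatever already records the first payload bytes of a connection (a network monitor's connection log, for instance); the point is that a protocol which ignores port conventions is exactly what good visibility catches.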


ICS vulnerabilities remain a challenge

Vulnerabilities discovered in ICS systems provide attackers with opportunities to disrupt or manipulate data, which can impact physical processes and be extremely dangerous. It is therefore important to take the trends in vulnerabilities and weaknesses into account when evaluating security risks.

The number of vulnerabilities tracked by ICS-CERT in the first half of 2020 grew significantly compared to 2019. A reasonable course of action for asset owners is to reduce exposure by addressing easy-to-mitigate vulnerabilities first. Over time, more and more vulnerabilities can be mitigated.

Improper input validation and buffer overflow vulnerabilities lead the 2020 chart in terms of numbers. While the former falls into the easy-to-mitigate category, the latter is more difficult to address. Buffer overflows require firmware updates from vendors, the replacement of old equipment, or other mitigations. Unfortunately, this group will likely continue to represent a significant percentage of the vulnerabilities discovered for the next few years.

Overall, a multi-pronged strategy of monitoring, vulnerability elimination and vulnerability mitigation is recommended.


Shifting OT/IoT threats call for high cyber resiliency

We expect that attacks from IoT botnets, ransomware and COVID-19-themed malware will continue to grow, though they will shift and adapt in the second half of the year. Given that threats are increasing and constantly changing, it’s important to maintain high cyber resiliency and fast response capabilities.

In this regard, security gaps related to people, processes and technology have a large impact. For example, the separation of IT and OT in organizations with increasingly connected IT, OT, and IoT systems can lead to blind spots. But, with the right technology and a focus on best practices, you can increase visibility and operational resiliency.

We encourage you to subscribe to Nozomi Networks Labs and utilize our cybersecurity community resources to stay on top of the latest threats.

About The Author


Alessandro Di Pinto is an Offensive Security Certified Professional (OSCP) with an extensive background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) and GIAC Cyber Threat Intelligence (GCTI) certifications. Alessandro co-authored the research papers “TRITON: The First ICS Cyber Attack on Safety Instrument Systems” and “Analyzing the GreyEnergy Malware: from Maldoc to Backdoor.”
