Industrial routers on the front line of attacks


Attacks on operational technology (OT) are growing more automated and indiscriminate, and Forescout Research - Vedere Labs’ latest honeypot analysis shows just how aggressively adversaries are probing industrial systems.

New data shows industrial routers are now the most attacked devices in OT environments, drawing 67 percent of all malicious activity in Forescout’s 90-day honeypot analysis.

The most common attacks were brute force authentication attempts via SSH and Telnet, accounting for 72 percent of requests, while HTTP and HTTPS attacks made up 24 percent, primarily exploit attempts and malware download activity.

Of the malware attacks, RondoDox accounted for 59 percent, followed by Redtail at 21 percent and ShadowV2 at six percent. Both RondoDox and ShadowV2 are newly identified botnets. RondoDox has demonstrated rapid expansion of its exploit portfolio, raising concerns about potential future targeting of industrial routers.

Hacktivists are increasingly compromising and defacing human-machine interfaces (HMIs) via manual exploits, but other exposed IoT and OT assets, such as IP cameras, PLCs and routers, are also frequently attacked.

The report’s authors note, “The key takeaway from this research is that OT perimeter devices receive more attention from automated attacks than the unintentionally exposed OT. Although most activity on those devices is either not malicious or not successful exploitation, there are risks: weak credentials, specific exploits being added to botnets, and malicious infrastructure used for probing specific devices.”

To protect against these attacks, it’s recommended that organizations identify all devices connected to their network, assess their open ports and credentials, and ensure that default or easily guessable credentials are changed. They should also disable any unused services to minimize the attack surface.

To avoid directly exposing OT devices to the internet, it’s important to properly segment networks to isolate IT, IoT and OT devices, limiting network connections to authorized management and engineering workstations, or to unmanaged devices that need to communicate with each other.

Organizations should also implement IoT/OT-aware monitoring solutions that can detect malicious indicators and behaviors, including flagging the use of blacklisted credentials and unauthorized OT protocol activity within the network.
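As an added example (not code from the Forescout report or this article), the following Python detector runs over constructed sshd and telnetd log lines and flags the two things the recommendations above call for: sources making brute-force SSH/Telnet login attempts and successful logins to blacklisted (vendor-default) accounts. The telnetd line format, the account blacklist and the failure threshold are assumptions made for the example.

```python
import re
from collections import Counter
# Vendor-default accounts assumed to never log in remotely (an assumption, not a list from the report).
BLACKLISTED_ACCOUNTS = {"root", "admin", "support", "guest"}

# Constructed sample log: syslog-style sshd lines plus a made-up telnetd format.
SAMPLE_LOG = """\
Jan 12 03:14:01 rtr1 sshd[812]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:02 rtr1 sshd[812]: Failed password for admin from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:03 rtr1 sshd[812]: Failed password for invalid user support from 203.0.113.7 port 51238 ssh2
Jan 12 03:14:04 rtr1 sshd[812]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:05 rtr1 sshd[812]: Failed password for admin from 203.0.113.7 port 51242 ssh2
Jan 12 03:14:06 rtr1 sshd[813]: Accepted password for admin from 203.0.113.7 port 51244 ssh2
Jan 12 03:20:11 rtr1 telnetd[901]: login failed for admin from 198.51.100.9
Jan 12 03:20:12 rtr1 telnetd[901]: login succeeded for admin from 198.51.100.9
Jan 12 04:00:00 rtr1 sshd[950]: Accepted publickey for eng from 10.0.5.20 port 40010 ssh2
"""
# One pattern for both daemons; exactly one of the two result/user group pairs matches per line.
AUTH_RE = re.compile(
    r"(?P<daemon>sshd|telnetd)\[\d+\]: "
    r"(?:(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+)"
    r"|login (?P<tresult>failed|succeeded) for (?P<tuser>\S+))"
    r" from (?P<src>\S+)"
)

def parse_auth_events(log_text):
    """Yield (src, user, daemon, success) for every authentication line in the log."""
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            user = m.group("user") or m.group("tuser")
            result = (m.group("result") or m.group("tresult")).lower()
            yield m.group("src"), user, m.group("daemon"), result in ("accepted", "succeeded")

def analyze_auth_log(log_text, threshold=5):
    """Flag brute-force sources, logins to blacklisted accounts, and successes that followed failures."""
    failures, blacklisted, success_after = Counter(), [], set()
    for src, user, daemon, ok in parse_auth_events(log_text):
        if not ok:
            failures[src] += 1
            continue
        if user in BLACKLISTED_ACCOUNTS:
            blacklisted.append((src, user, daemon))
        if failures[src]:  # success after earlier failures from the same source: likely a guessed password
            success_after.add(src)
    return {
        "brute_force": {s: n for s, n in failures.items() if n >= threshold},
        "blacklisted_logins": blacklisted,
        "success_after_failures": success_after,
    }
```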

You can get the full report on the Forescout site.

Image credit: Matthew Trommer/Dreamstime.com
