Microsoft Nabs Russian Hackers Exploiting Flimsy IOT Security
from the the-check-will-someday-come-due dept
Week after week we've documented how internet of things devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors. And CIA leaks have indeed confirmed that "smart" TVs and other devices with embedded microphones make for wonderful surveillance tools.
So it's not too surprising to see Microsoft's Security Response Center proclaim this week that it has caught Russian hacking group "Strontium" (aka Fancy Bear and APT28) using poorly secured printers, VoIP phones, and video decoders to gain access to sensitive networks. As is usually the case, Microsoft found that once these devices' security was bypassed (often an easy feat, given that there are sometimes little to no security measures in place), the attackers were able to use them as a beachhead to gain broader access to the networks they were connected to:
"After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server."
In at least two instances, the hacks were only made possible thanks to hardware shipping with default username and password logins, something that has frequently plagued residential routers as well. Just as unsurprising as the hack was Microsoft's warning that this is a problem that's only going to get worse, regardless of the government or organization pulling the strings:
"While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives," the report noted. "These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments."
As security researchers like Bruce Schneier have long noted, there's some severe market failure driving this dysfunction. Companies don't want to spend money on security and privacy standards as they connect everything under the sun to the internet, and because the devices rarely provide insight into their own behavior, consumers routinely have no idea what a device is even doing on the network. By the time vulnerabilities are discovered and addressed, both the vendor and the consumer have moved on to the next big thing (with equally terrible security holes).
Year after year after year, we're connecting millions upon millions of devices to home and business networks with papier-mâché grade security. And while there are some fleeting efforts to address the problem (like incorporating flaws into product reviews), it's still not something folks are taking seriously enough. And while such proclamations are often dismissed as hyperbole, it's something folks like Schneier predict isn't likely to change until these vulnerabilities result in some notable human casualties.
Reader Comments
Sadly getting humans to understand the things they are doing are a dumpster fire that isn't waiting to happen, it's burning now.
IoT isn't the only place where there've been massive human failures, just the most contrived.
Running a network without a proper firewall and rule set is pretty much like leaving your front and back doors open when you go to bed. Sad that most consumer grade edge devices still allow all outbound traffic by default, which violates basic network security 101. The harsh reality is most government officials are clueless, ISPs know better but don't want the responsibility of helping millions of IT clueless customers set up proper security, and the companies selling this stuff are taking full advantage.
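The Microsoft write-up quoted in the article (a compromised device running tcpdump, enumerating administrative groups, hopping to other devices and talking to an external C2 server) and this comment's point about edge devices allowing all outbound traffic by default describe the same control gap: nothing polices what an IoT segment is permitted to reach. The script below is an added example, not code from Techdirt, Microsoft or any commenter. It applies a default-deny policy for a hypothetical IoT VLAN to a constructed connection log and reports what the policy would have blocked; the addresses, the allow-list and the sample records are all made up for the illustration (the external host 198.51.100.23 stands in for an unknown server and is not an indicator from the report).

```python
import ipaddress
from collections import Counter, defaultdict

# Hypothetical addressing: an IoT VLAN and the corporate space it sits inside.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # printers, VoIP phones, decoders
CORP_SPACE = ipaddress.ip_network("10.0.0.0/8")      # all internal addressing

# Default-deny egress policy: an IoT device may reach only these (network, port)
# pairs. Everything else, internal or external, is a finding.
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.20.0.1/32"), 53),      # local DNS resolver
    (ipaddress.ip_network("10.20.0.1/32"), 123),     # local NTP
    (ipaddress.ip_network("203.0.113.10/32"), 443),  # vendor update host (TEST-NET-3, constructed)
]
SCAN_THRESHOLD = 5  # distinct internal hosts one device may touch before we call it enumeration

# Constructed connection records, "<timestamp> <src> <proto> <dst> <dport>".
# 198.51.100.23 stands in for an unknown external server, not a real indicator.
SAMPLE_LOG = """\
2019-08-05T09:00:01 10.20.0.7 udp 10.20.0.1 53
2019-08-05T09:00:02 10.20.0.7 tcp 203.0.113.10 443
2019-08-05T09:05:00 10.20.0.7 tcp 198.51.100.23 8080
2019-08-05T09:05:30 10.20.0.7 tcp 10.1.0.5 445
2019-08-05T09:05:31 10.20.0.7 tcp 10.1.0.6 445
2019-08-05T09:05:32 10.20.0.7 tcp 10.1.0.7 445
2019-08-05T09:05:33 10.20.0.7 tcp 10.1.0.8 389
2019-08-05T09:05:34 10.20.0.7 tcp 10.1.0.9 389
2019-08-05T09:06:00 10.20.0.9 udp 10.20.0.1 53
2019-08-05T09:06:10 10.1.0.5 tcp 10.20.0.7 9100
2019-08-05T09:07:00 10.20.0.9 tcp 198.51.100.23 8080
"""


def parse_record(line):
    """Split one connection record into typed fields."""
    ts, src, proto, dst, dport = line.split()
    return ts, ipaddress.ip_address(src), proto, ipaddress.ip_address(dst), int(dport)


def egress_allowed(dst, dport):
    """True only when (dst, dport) matches an allow-list entry."""
    return any(dst in net and dport == port for net, port in EGRESS_ALLOW)


def analyze(log_text):
    """Return findings for connections initiated by IoT-segment hosts.

    Kinds: 'lateral' (an internal destination the policy does not allow),
    'egress-denied' (an external destination not on the allow-list),
    'enumeration' (one device touching many internal hosts),
    'shared-external' (several IoT devices reaching the same denied external host).
    """
    findings = []
    internal_peers = defaultdict(set)    # IoT host -> internal hosts it contacted
    external_callers = defaultdict(set)  # denied external host -> IoT hosts that reached it
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _proto, dst, dport = parse_record(line)
        if src not in IOT_SEGMENT or egress_allowed(dst, dport):
            continue  # inbound-to-IoT traffic and permitted flows are out of scope here
        if dst in CORP_SPACE:
            kind = "lateral"
            internal_peers[src].add(dst)
        else:
            kind = "egress-denied"
            external_callers[dst].add(src)
        findings.append((kind, str(src), f"{dst}:{dport}", ts))
    for src, peers in internal_peers.items():
        if len(peers) >= SCAN_THRESHOLD:
            findings.append(("enumeration", str(src), f"{len(peers)} internal hosts", None))
    for dst, callers in external_callers.items():
        if len(callers) >= 2:
            who = ",".join(str(a) for a in sorted(callers))
            findings.append(("shared-external", who, str(dst), None))
    return findings


def summarize(findings):
    """Count findings by kind, for a quick triage view."""
    return Counter(kind for kind, *_ in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(dict(summarize(results)))
```

Run against the constructed log, the printer at 10.20.0.7 is flagged for one denied external connection and five internal ones (enough to trip the enumeration threshold), and the phone at 10.20.0.9 is flagged for reaching the same external host, which is the pattern of several devices sharing one C2 endpoint. The same allow-list is what the edge firewall rule set should enforce; running it over logs after the fact only tells you what a default-allow policy let through.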
Re: Access Control Sucks
It’s never simple, never obvious, and always more of a pain in the neck than anyone cares to deal with.
Overcoming that is the better mousetrap that causes a path to be beaten to your door.
Re:
"Running a network without a proper firewall and rule set is pretty much like leaving your front and back doors open when you go to bed."
Ever since my early days with computers I've believed that the act of locking your doors and not leaving the keys in must have been a habit formed over a mountain of corpses of the idiots who failed to learn. And eventually basic computer/network security would achieve the same status of normality.
However, that was more than twenty years ago and if anything we're worse off today. I blame Steve Jobs for getting the ball rolling on the concept that the consumer should trust the hardware vendor with every decision of importance, leaving the only user decision to be whether to toggle the on/off button or not.
In days long past networked devices were used by professionals and those who refused to learn stayed away from them. Today the braying herd of lusers just insist that the professionals should ensure that no matter how moronic the actions of the user base, the hardware shall remain idiot proof.
And that's a losing struggle since idiots get automatically upgraded every year but the hardware and software security is only upgraded as a result of hard work.
Re: Re:
Not leaving your keys in may up the ante (although I'm guilty on occasion; stupid just smacks me in the face). I know people who have grown up in poor neighbourhoods and had their car robbed who still don't lock the car or the house door. Some of these same people think I'm annoyingly paranoid for locking up my vehicle and home. Sadly, some of these people are fairly logical. It is okay until it isn't, and people can't be bothered to care.
Re: Re: Re:
...and there is human nature in a nutshell.
You would think that the average normal person knows how to do risk/threat assessments. Lock your door if you live in a city where breaking and entering is a thing. As a girl don't accept drinks from random strangers in bars with a known history of spiked beverages. Don't leave your laptop clearly visible in the backseat of your car when you park it for the night. Before crossing the road make sure to look right AND left. And so on.
And when you go online where ten thousand botnets casually prowl for unsecured access points, use that damn firewall.
It's not rocket science and never should have been viewed as such. But as I'm fond of saying, if digital devices were cars, less than 1% would know how to check the tire pressure and top up the oil. And about 90% would give up on trying to fill the gas tank.
No Russian
No Russians were mentioned in the article.
Re: No Russian
Perhaps you should try actually reading it?
Or is it an issue with google translate omitting bits?
Re: Re: No Russian
I am pretty sure google translate won't find any Russians in that article either since "Russia" or "Russian" is not in it.
"Stupid-ass Xenophobic Trash" wasn't in the article either but I see you placed that in the comment section here too.
Re: Hey blue balls here’s a real anomaly for ya
According to your post history. You are either a useful idiot/right wing nut job or comma a shit ass Russian troll. Which is it?
Re: Re: Hey blue balls here’s a real anomaly for ya
When did the Russian Boogeyman first appear in your dreams?
Re: Re: Re: Hey blue balls here’s a real anomaly for ya
Useful idiot it is. Emphasis on idiot
Re: Re: Re: Re: Hey blue balls here’s a real anomaly for ya
Yeah, I see you are using the "Russian Playbook" to divide us Americans with nonsensical Hollywood plot lines and dialogue.
Great work, comrade.
Re: Re: Re: Re: Re: Hey blue balls here’s a real anomaly for y
Going for the reverse eh? Still pathetic though. Should have called me Ivan.
Re: Re: Re: Re: Re: Re: Hey blue balls here’s a real anomaly f
No. The reverse would have been to say something intelligent.
Re: No Russian
"We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM."
"Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team and STRONTIUM) is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The Foreign and Commonwealth Office, and security firms SecureWorks, ThreatConnect, and FireEye's Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as two GRU units known as Unit 26165 and Unit 74455."
Learn to read, Baghdad bob.
Re: Re: No Russian
I see you have to add things that ARE NOT IN THE ARTICLE to make Russians magically appear in the article.
How nice.
Re: Re: Re: No Russian
That’s the absolute worst attempt at gaslighting I’ve ever seen. Maybe being a shit ass troll just isn’t in your wheelhouse. Here’s a bit of career advise for free. Try practicing saying “Would you like fries with that?”
Re: Re: Re: Re: No Russian
Here is some better career ADVICE for you - SPELL CHECK.
Re: Dig up stupid!
Going for the grammar Nazi angle are we? You never fail to disappoint.
advise
you, use spell check.
Re: Re: Dig up stupid!
Russians AND Nazis! You have them all.
Don't forget Space Aliens next time.
Re: Re: Re: Dig up stupid!
and*
space aliens*
Re: Re: Re: No Russian
" I see you have to add things that ARE NOT IN THE ARTICLE to make Russians magically appear in the article. How nice."
Quoted directly from the article.
And my previous response just followed the links the article led to.
So, once again, Baghdad Bob, that you don't know how to read isn't something for which you can blame me.
Re: Re: Re: Re: No Russian
Too bad "the article" would have been THE ARTICLE THIS OPINION PIECE WAS WRITTEN ABOUT - where it never mentions "Russia" or "Russians".
I understand those of you with Russia-on-the-brain tend to be of limited intelligence but, c'mon. The use of "the", "this" and "xenophobic trash" still has meaning outside of your little conspiracy circles.
'No Russian'... if you ignore them, sure
From that very article, which you clearly did not read, or read and are now dishonestly claiming its contents to be different from what they are:
Attribution
We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM. Since we identified these attacks in the early stages, we have not been able to conclusively determine what STRONTIUM’s ultimate objectives were in these intrusions.
Re: 'No Russian'... if you ignore them, sure
Something something get someone to acknowledge something they're paid not to.
Re: No Russian
Wow, you really took Drumpf's "Don't believe what you're reading or seeing" pretty seriously.
Re: Re: No Russian
I see you have taken the "make shit up to overcome my cognitive dissonance" directive from Momma Clinton to heart. How nice.
Re:
Wow is that a real vintage whataboutclinton? Those things go for big buck on eBay.
Re: Re:
Yeah, sorry.
Vintage McCarthyism is much more in vogue, isn't it?
Re: Stop hitting yourself!
For you useful idiots it’s all about that projection baby!
Re: Re: Stop hitting yourself!
Thanks for the advice.
Re: Re: Re: No Russian
4th grade tactics seem advanced to you?
Re: No Russian
But I see some in the comments!
Re: Re: No Russian
Yeah. Don't look under your bed. It's scary what your imagination will make you see there.
Re: Re: Re: No Russian
Bored now. Plonk.
Re: Re: Re: Re: No Russian
That "plank" stuff is still a thing?
Nice post to know some details
Go, IOT
So what will be the outcome of all this IOT-Russian hacker concern? Obviously IOT voting machines, right?
Re: Go, IOT
Unless you have internal firewalls, you can use IoT as a jumpbox.
Re: Go, IOT
"So what will be the outcome of all this IOT-Russian hacker concern?"
Obviously - making Hillary Clinton voters feel better about themselves and selling USG upgrades to mass surveillance policies.
Re: Re: Go, IOT
[troll and brain damage detected]
Re: Re: Re: Go, IOT
Please go see your doctor.
No one was "nabbed"
"Nab" generally implies physically seizing, or arresting, or catching. The author here is using it in a bizarre, non-standard way, to mean simply "finding out."
Apologies if the author is not a native English speaker - I can see how some slang might be confusing.
Re: No one was "nabbed"
You can't have a xenophobic tantrum without bending a few conventions.
Re: Sad low energy troll
I do wonder who you borrowed that phrase from. Because you are quite obviously not smart enough to know what half those words mean.
Re: Re: Sad low energy troll
I won't count on your self purported abilities to straighten that conundrum out.
Re: Re: Re: Sad low energy troll
Yup. Thad was right. You're boring. You really need better comebacks than "NO U" and "Look, a distraction."
Re: Re: Re: Re: Sad low energy troll
Little children have "comebacks" and thad is why I don't use them.