Russian printer pwning tactics exposed by Microsoft

Cyberspies – likely from Russia – are taking advantage of the inherent vulnerabilities in IoT devices to hack into corporate networks, Microsoft warns.

Enterprise networks are being breached in an ongoing campaign that relies on compromising devices such as VoIP phones, an office printer and a video decoder, according to new research from Microsoft.

Security researchers from the Microsoft Threat Intelligence Center said multiple customers have been hit by the attacks, which Microsoft attributes to Strontium (APT28), elsewhere identified as a hacking unit of the GRU, Russia's military intelligence agency.

The attack relies on weaknesses in the targeted devices – unchanged manufacturer default passwords and known but unpatched software vulnerabilities – to compromise the equipment and gain a foothold on the corporate network.

After gaining access to an IoT device, the attackers ran tcpdump on it to sniff traffic on the local subnet and scanned for other devices that might be vulnerable, using the compromised device as a stepping stone in an attack ultimately aimed at comprehensively pwning the corporate target.

Because Microsoft identified the attacks at an early stage, it says, the attackers' ultimate objectives are not yet clear. The breadth of activity attributed to Strontium – also referred to as Sofacy Group, or Fancy Bear – is well documented, however.

“Over the last twelve months, Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by Strontium,” Microsoft explains in a blog post.

“One in five notifications of Strontium activity were tied to attacks against non-governmental organizations, think tanks, or politically affiliated organizations around the world. The remaining 80% of Strontium attacks have largely targeted organizations in the following sectors: government, IT, military, defense, medicine, education, and engineering.

“We have also observed and notified Strontium attacks against Olympic organizing committees, anti-doping agencies, and the hospitality industry,” it adds.

Microsoft has published an outline of the attack and indicators of compromise ahead of a talk on the topic by Microsoft's Eric Doerr at Black Hat USA on Thursday (8 August).

The research shows that IoT devices can be leveraged as an initial entry point into an enterprise's corporate network. The threat is compounded by the lack of visibility IT operations centres have into such devices on their network.

The same Strontium (APT28) group was blamed for running a campaign last year that exploited hundreds of thousands of home and small-business routers and network storage devices to plant the so-called VPNFilter malware.

Insecure IoT devices have also been exploited by cybercriminals.

For example, back in 2016 IP cameras and basic home routers were infected with the Mirai malware, creating a botnet that was subsequently abused to take out DNS provider Dyn in an attack that left many high-profile websites inaccessible.