
IoT Devices and Zombie Mushrooms - It’s Time

They are small, they are out there everywhere, they are supposed to help the tree trunk. But what if the tiny creatures we celebrate as IoT sensors and devices are hijacked by a mind-control fungus?

DQINDIA Online

They are small, they are out there everywhere, they are supposed to help the tree trunk. But what if the tiny creatures we celebrate as IoT sensors and devices are hijacked by a mind-control fungus? Let’s remove the ‘if’. Here’s why


Ants are intelligent. That’s why they thrive even in the most inhospitable environments. They have their specific jobs inside a colony. But they also know how to work together. They have two stomachs – one for the food they eat and one to share with other ants. And, of course, they are so tiny. But that’s where their strength and network power lie.

That’s exactly what comes to one’s mind while marvelling at the ease, scale and elegance with which IoT devices and IIoT sensors have spread all around enterprises. Hard to see from the central tower, these little pixies are busy doing their work on the tiny branches and ant-hills across the forest of an enterprise’s operations. They can communicate with others, and splendidly. They can stomach data for the specific spot’s needs but can also help other central processes when needed. Be it a factory, a water utility or a huge farm, these smart machines are silently doing their job of data collection and processing, snugly wrapped around those machines, those far-off taps and those sprinklers.

Until they meet zombie fungi.


Many IoT devices are insecure by design, lack robust built-in security features, can’t be easily updated, or are sometimes abandoned by the original manufacturer which makes them susceptible to compromise and exploitation by cybercriminals. - Fabio Fratucello, CrowdStrike

In other words: Cordyceps. Yes, that very specific and dangerous kind of fungus that’s known to take over an ant’s body and brain, living inside it, eating it hollow and then growing spores from the ant’s body so that they travel and spread the infection far and wide. The world of mycology also, sometimes, calls them ‘mind-control mushrooms’. And not the ones you get on the hills with a brownie.

In a weird twist of fate, the small, smart and graceful, but innocent, unassuming and unprepared ants of the enterprise world have also been infected by the Cordyceps of cyber-attack fungi. If the last few months are given a gander, even if not under a microscope, it’s clear how IoT devices are turning into weak, vulnerable and easy targets for cyber-attackers.

The Yeast is now the Beast

Imagine 6,000 weekly attacks targeting the manufacturing vertical alone! And the education vertical witnessing a 960 per cent jump in attacks! The Zscaler ThreatLabz research team reported that IoT malware attacks shot up by as much as 400 per cent in the first half of 2023 compared to 2022.

Recently enough, we heard the buzz about three million smart toothbrushes being reportedly converted into a massive botnet to carry out a distributed denial of service (DDoS) attack against a Swiss company. In 2023, edge network security also came into the spotlight with a vulnerability discovered in compromised IOS XE devices.

As analysed by OT and IoT security firm Armis in its 2023 attack landscape analysis, there was a 104 per cent year-over-year increase in attempted intrusions, and utility-specific attempts over the same period grew by 200 per cent. The targets include any physical and virtual assets within utilities’ environments, such as IT, IoT, OT, ICS and building management systems, with engineering workstations, SCADA servers and PLCs spotted as the riskiest OT and ICS devices outside of the healthcare industry. Engineering workstations even came up as the year’s most targeted OT device.


We are talking about a fiercely-growing colony here. The global Internet of Things (IoT) market is expected to rise from about $714 billion in 2024 to some $4,062 billion by 2032 (as per Fortune Business Insights), or from $611 billion in 2023 to about $3,967 billion by 2030 (if we go by The Insight Partners).

The continued proliferation of insecure communication protocols has further expanded the attack surface for malicious actors. - Priyamvadha Vembar, Bosch Global Software Technologies

And this colony is being attacked by multiple creatures, and through multiple back-doors, now.

Sandeep Hodkasia, CEO & Founder, Appsecure Security avers that edge security risks are rising. “With the evolving threat landscape, the number of cybercriminals and the ease of accessing hacking information online have fueled a rise in malicious activity. This translates to more attacks targeting edge devices. In addition, as more devices connect directly to the internet (IoT devices, smart sensors, etc.), managing and securing them becomes a complex task for organisations. This complexity creates vulnerabilities that attackers can exploit.”

Yihao Lim, Google Threat Intelligence Lead Advisor for JAPAC, Google Cloud backs up that surge with patterns observed in the field. “Google Threat Intelligence has observed threat actors consistently moving to target Edge devices over the past 12 months, and the reason is largely due to the nature of Edge devices. Edge devices are challenging to monitor and may not support endpoint detection and response (EDR) solutions or methods to detect modifications or collect forensic images, further reducing the likelihood of detection and complicating attribution.”

Vivek Srivastava, Country Manager, India & SAARC, Fortinet paints a grim but real picture. “When organisations add security cameras, HVAC sensors, medical equipment, and thousands of similar connected or smart devices, many are IoT-enabled to help deliver better operational efficiencies for the business. But these devices also have little to no built-in security by design. Headless devices lack memory and processing. They don’t have a traditional interface or operating system like those of a laptop or phone; therefore, they can’t run meaningful built-in security. And some IoT devices can’t even be patched or updated due to hard-coded PINs in the firmware.”

BOLDMOVE is an example worth noting. It was created by Chinese espionage groups and had extra features to evade detection. They disabled critical elements of the device and included a command to manipulate memory addresses associated with these logging functions. - Yihao Lim, Google Cloud

It is safe to say that the rise in online devices means more data is being collected, stored and transmitted at the edge of networks, making them attractive targets for cybercriminals, avers Zubair Chowgale, Senior Technical Consultant - APMEA at Securonix.

Termites in The Hills

The reasons for IoT being exploited by the bad guys are not hard to understand. It is also because custom malware targeting edge devices prioritises several key attributes, Lim explains. “They aim to evade detection, simplify their functioning, enhance reliability, tailor their capabilities as per the target device and minimise their footprint on the system. This combination makes it challenging for analysts to attribute the malware to a particular source.”

For example, small office home office (SOHO) routers are being used in a different manner than the zero-days in other edge devices, Lim illustrates. “They are exploited to create botnets which are then used to mask attacker origins. The attacker will compromise many of these routers then route traffic through them. This way they can come from systems near the target and they can constantly refresh the infrastructure that might be used to attribute or track them.”

Malicious actors can exploit weaknesses in edge devices to gain a foothold and infiltrate the core network, potentially deploying ransomware or building botnets, says Priyamvadha Vembar, Senior Director, Cyber Security Practice, Bosch Global Software Technologies. “These attacks target vulnerabilities across devices, IT infrastructure, applications, and network layers. A single weakness in any of these areas can expose the entire organisation and its data.”

We must assume that all devices at the edge and the core are vulnerable, regardless of how effective we view our defences to be. - Vivek Srivastava, Fortinet

Fabio Fratucello, Field CTO, International, CrowdStrike echoes that argument of sheer volume, access and variety that IoT offers. “Each connected device serves as a potential entry point for adversaries to gain initial access and move laterally across networks, accessing critical assets and data. The variety of IoT devices, protocols, and obscure supply chains also create major visibility and monitoring gaps that can prevent timely threat-detection within IoT ecosystems.”

The rise of AI capabilities has equipped attackers to craft more sophisticated malware attacks that can bypass traditional security techniques, adds Vembar.

Then there is the big gap in standardisation that gives more speed and ammo to attackers.

“With different vendors involved in developing these devices, each infrastructure varies significantly. Creating unified security protocols for these diverse devices remains a challenge. This absence of standardisation makes it difficult to ensure consistent security practices across different fields and types of IoT devices,” argues Mathivanan Venkatachalam, Vice President, ManageEngine.

Vembar also points to the increasing pressure that businesses are under to deliver features faster to remain competitive. “This often involves working with a network of subcontractors for development, integration, release, and operation of products. All this proportionally increases the risk of vulnerabilities within the supply chain due to the increased frequency of deployments.”

Many of these devices handle sensitive data and may not have robust security measures in place, making them attractive targets. Additionally, they may not receive updates as frequently as traditional IT infrastructure, leaving them vulnerable to attacks that exploit unknown vulnerabilities, points out Anshuman Sharma, Director - VTRAC, Cybersecurity Consulting Services, Verizon Business.

Often, security teams don’t even realise that these devices are IoT-enabled or that the existing security infrastructure can’t protect them. And these same problems exist with other headless devices, such as industrial control systems (ICS) and programmable logic controllers (PLCs), explains Srivastava. “While securing IoT we must accept that when there is no clear delineation between the network and the outside world, everything that touches the network must be visible.”

Organizations need to ensure that they invest in IoT-specific tools that utilize lightweight security protocols like CoAP (Constrained Application Protocol) and Zigbee specifically designed for these unique IoT environments. - Mathivanan Venkatachalam, ManageEngine

In 2023, Google Threat Intelligence identified a concerning trend where attackers linked to China were exploiting vulnerabilities, especially zero-day, to gain access to edge devices. These attackers deploy custom-made malware ecosystems specifically designed for the compromised edge device and its operating system, Lim drills into some details. “These ecosystems often consist of multiple, distinct malware families that work together to achieve the attackers’ goals. Since they do not have dedicated indications of malicious activity, they have high chances of going undetected.”


Many of these devices also lack strong security measures, leaving them open to exploitation. - Zubair Chowgale, Securonix

Where is the Magic Mushroom?

Solutions are possible. But guarding ant-hills is always better than fighting predators.

It’s both a surprise and an epiphany to observe that 34 of the 39 most popular IoT exploits, as reported in the Zscaler report, were aimed at vulnerabilities that have existed for over three years. It looks like visibility and quick action just cannot be sidelined in the rush to deploy IoT.

The power, as always, lies in the cohesive strength of not one factor but many, and in defences at many points. There are many measures that could and should be taken to protect IoT from attackers and their covert intentions.

“It is essential to have a security engineering process that incorporates ‘chip to cloud’ security throughout the product development lifecycle and operations. Hardware should be equipped with a hardware ‘root of trust’ that provides the environment to execute all security operations. Data security must be ensured both at rest and in transit,” Vembar recommends. “There is ‘No Security without an Effective Key Management System’. It is crucial to secure the cryptographic material used to activate security measures.”

What should be taken care of – very specifically and strongly – is the weak spot of visibility.

As Lim reminds us, threat actors take advantage of another vulnerability: the tendency for users to neglect rebooting edge devices like VPNs for extended periods, sometimes years. “Because these devices remain unmonitored for long stretches, attackers can exploit existing vulnerabilities within the system and operate unnoticed. THINCRUST is one such example. What made it particularly stealthy was its ability to disguise its communication with the attackers’ control center as regular interactions with the device’s own API. By cleverly exploiting built-in features of the devices, UNC3886 kept their malware relatively simple while ensuring its operation is ongoing.”
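The three-year-old-vulnerabilities statistic above and the point about edge devices left unrebooted and unmonitored for years both come down to inventory visibility. The following Python script is an added example, not code from the article or from any of the vendors quoted in it. It runs a simple triage over a constructed device inventory (the device names, dates and flags are illustrative, and the fixed reference date is an assumption) and flags the devices that match those weak spots: firmware older than three years, a year or more without a restart, a vendor that no longer ships updates, and no telemetry reaching the SOC.

```python
"""Inventory triage for edge and IoT devices.

Added example, not code from the article or any vendor quoted in it. It scores
each device against the weak spots the text calls out: firmware carrying
vulnerabilities older than three years, long stretches without a restart,
vendors that no longer ship updates, and no telemetry reaching the SOC.
The inventory records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Fixed reference date so the results are deterministic (assumption).
TODAY = date(2024, 6, 1)
THREE_YEARS = 3 * 365
ONE_YEAR = 365


@dataclass(frozen=True)
class Device:
    name: str
    kind: str
    firmware_date: date     # build date of the firmware currently running
    last_reboot: date       # last restart seen by monitoring or the operator
    vendor_supported: bool  # vendor still publishes updates for this model
    monitored: bool         # logs/telemetry are forwarded to the SOC


# Constructed inventory: names and dates are illustrative only.
INVENTORY = [
    Device("vpn-gw-01", "vpn", date(2020, 3, 10), date(2021, 1, 15), True, False),
    Device("cam-lobby-07", "camera", date(2019, 8, 1), date(2024, 5, 20), False, False),
    Device("plc-line-3", "plc", date(2023, 11, 2), date(2024, 4, 1), True, True),
    Device("hvac-ctrl-2", "hvac", date(2022, 1, 5), date(2022, 12, 1), True, True),
]


def risk_findings(dev: Device, today: date = TODAY) -> list[str]:
    """Return the list of conditions that make this device an easy target."""
    findings = []
    if (today - dev.firmware_date).days > THREE_YEARS:
        findings.append("firmware older than three years")
    if (today - dev.last_reboot).days > ONE_YEAR:
        findings.append("not restarted in over a year")
    if not dev.vendor_supported:
        findings.append("vendor no longer supports device")
    if not dev.monitored:
        findings.append("no telemetry reaching monitoring")
    return findings


def triage(inventory: list[Device], today: date = TODAY) -> dict[str, list[str]]:
    """Map each at-risk device name to its findings; clean devices are omitted."""
    report = {}
    for dev in inventory:
        findings = risk_findings(dev, today)
        if findings:
            report[dev.name] = findings
    return report


def prioritised(inventory: list[Device], today: date = TODAY) -> list[str]:
    """Device names ordered by number of findings, worst first, then by name."""
    report = triage(inventory, today)
    return sorted(report, key=lambda n: (-len(report[n]), n))


if __name__ == "__main__":
    for name in prioritised(INVENTORY):
        print(f"{name}: " + "; ".join(triage(INVENTORY)[name]))
```

In a real estate the inventory rows would come from an asset database or a discovery scan rather than a literal list; the thresholds are deliberately simple so that the output is easy to argue about with the operations team that owns the devices.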

Segmenting networks is another important step. Firewalls and access controls can be used to enforce network segmentation, which helps contain threats and prevents them from spreading to other parts of the network, in case of a breach, adds Venkatachalam.
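One way to express the segmentation Venkatachalam describes, as an added example that is not code from the article or from ManageEngine: a zone-based, default-deny policy evaluated over constructed flow records. The address plan, port numbers and sample flows are assumptions. The point is that a compromised device in the IoT zone is confined to its broker and cannot reach corporate systems or neighbouring devices, and that anything not explicitly allowed (including plaintext MQTT, one of the insecure protocols mentioned earlier) is stopped.

```python
"""Zone-based segmentation check for IoT/OT traffic.

Added example, not from the article or the vendors quoted. It encodes a
default-deny policy between network zones and evaluates sample flows against
it, so a compromised device in the IoT zone cannot reach corporate systems or
probe its neighbours. Zone ranges, ports and flows are constructed.
"""
import ipaddress

# Constructed address plan (assumption): one zone per subnet.
ZONES = {
    "iot": ipaddress.ip_network("10.20.0.0/16"),     # cameras, HVAC, sensors
    "ot": ipaddress.ip_network("10.30.0.0/16"),      # PLCs, SCADA
    "corp": ipaddress.ip_network("10.10.0.0/16"),    # user workstations
    "mgmt": ipaddress.ip_network("10.0.1.0/24"),     # jump hosts only
    "broker": ipaddress.ip_network("10.40.0.0/24"),  # MQTT/TLS collector
}

# (src_zone, dst_zone, dst_port or None for any port, action); first match wins.
RULES = [
    ("iot", "broker", 8883, "allow"),  # sensors publish over MQTT/TLS only
    ("mgmt", "iot", 22, "allow"),      # admins reach devices from the jump host
    ("mgmt", "ot", 22, "allow"),
    ("iot", "iot", None, "deny"),      # no east-west: a bot cannot recruit peers
    ("iot", "corp", None, "deny"),     # no pivot from the edge into the core
    ("ot", "corp", None, "deny"),
]
DEFAULT_ACTION = "deny"  # anything not listed, including plaintext MQTT on 1883


def zone_of(ip: str) -> str:
    """Name of the zone whose subnet contains ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for one flow under the policy above."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, port, action in RULES:
        if rule_src == src and rule_dst == dst and (port is None or port == dst_port):
            return action
    return DEFAULT_ACTION


def evaluate(flows):
    """Pair each (src, dst, port) flow with the policy decision."""
    return [(flow, decide(*flow)) for flow in flows]


def blocked(flows):
    """Flows the policy would stop; these are the ones worth alerting on."""
    return [flow for flow, action in evaluate(flows) if action == "deny"]


# Constructed sample flows, e.g. parsed from flow logs.
SAMPLE_FLOWS = [
    ("10.20.5.17", "10.40.0.10", 8883),  # sensor -> broker, TLS
    ("10.20.5.17", "10.40.0.10", 1883),  # sensor -> broker, plaintext
    ("10.20.5.17", "10.20.5.18", 23),    # sensor -> neighbouring sensor, telnet
    ("10.20.5.17", "10.10.3.4", 445),    # sensor -> corporate file server
    ("10.0.1.5", "10.20.5.17", 22),      # jump host -> sensor
    ("10.10.3.4", "10.20.5.17", 80),     # workstation -> sensor web UI
]

if __name__ == "__main__":
    for flow, action in evaluate(SAMPLE_FLOWS):
        print(action.upper(), *flow)
```

The same rule table is what a firewall between the zones would enforce; running it over exported flow logs is a cheap way to check that the enforced policy matches the intended one, and every denied flow from the IoT zone is a candidate for investigation rather than just a dropped packet.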

To reduce risks, organisations should use encryption, two-factor authentication, and strong logging practices, Chowgale suggests. “However, the complexity and interconnected nature of edge devices make them attractive targets for attacks.”

Edge devices often process sensitive data close to its source. This proximity makes them attractive targets for data breaches. - Sandeep Hodkasia, Appsecure Security

Wake up Queen Ant

It’s not impossible to evade the bugs but time is everything.

In the last few months, we notice a trend where specialised devices in the healthcare industry are being targeted by threat actors, as Venkatachalam informs us. “Due to the high demand for healthcare data on the dark web and the critical nature of medical services, it is crucial for organisations to invest in robust security.”

IoT devices are emerging as an area of hot interest and that’s exactly why they need urgent attention on security. “An attacker who gains access to one compromised edge device can easily use it as a pivot point to infiltrate other parts of the network. More so, as these devices are generally deployed across diverse locations, and unless centrally monitored and managed using appropriate IoT-specific tools, they present a wide scope for initial access to the network to launch further attacks,” cautions Venkatachalam.

Hodkasia echoes that concern. “Once compromised, an edge device can serve as a gateway for attackers to infiltrate deeper into the network, accessing more sensitive systems and data. This makes it essential for enterprises to extend their security measures comprehensively across all network edges.”

The potential impact of a successful cyberattack on an IoT ecosystem includes failure of critical services and industries and even physical danger to individuals and the environment, warns Srivastava.

The good news is that ants are still ants. That means we should not forget the fact that ants are among the strongest creatures. They can lift so much more than their own body weight. And they can live really long. They may not have eyes and ears in our sense, but the chemicals or pheromones they use to communicate with other ants are extraordinarily sharp and fast. They can also pick up vibrations from the ground through their feet. Most importantly, ants are survivors. They may not know how to swim but they can even survive floods. If IoT devices are made to do all that, they can still stay ants. But they can turn into something ferocious: fire ants.

Definitely not the ones to be messed with.

P.S. We have not even talked about slave-making ants yet. What if IoT devices turn attackers into slaves, or use them the way ants farm aphids? Just saying!

By Pratima H

pratimah@cybermedia.co.in
