The role of compromised cyber-physical devices in modern cyberattacks

Cyber-physical devices are increasingly becoming targets for criminal groups and state-sponsored threat actors, as highlighted by Fyodor Yarochkin, Senior Threat Solution Architect with Trend Micro. Yarochkin believes that gaining insight into attackers’ infrastructure is key to understanding the attackers themselves.

In a recent interview at the Deep Conference, Yarochkin discussed the compromise of cyber-physical devices by malicious actors. He defined cyber-physical devices as those that bridge the physical world with computer networks, including cameras, physical security systems, routers, and other IoT devices. These devices provide attackers with the ability to observe events on the ground, monitor the impact of their attacks, and sometimes even manipulate the physical environment.

One tactic used by attackers is the creation of malicious overlay networks on compromised cyber-physical devices. These devices serve as points of presence in various locations, allowing attackers to bypass geofencing restrictions. The compromised devices are not limited to traditional routers; they also include temperature sensors, cameras, and even museum display boards.

When it comes to maintaining persistence on compromised cyber-physical devices, attackers aim to keep a low profile. They often install payloads that live only in memory and are removed from the file system upon reboot; where persistence is needed, the only option left to them is often to downgrade the device to a vulnerable firmware version so it can be re-exploited.

State-sponsored actors and cyber-criminal groups have different approaches to using compromised cyber-physical devices. State-sponsored actors focus on building and maintaining operational relay infrastructure in specific countries of interest, while cyber-criminal groups aim to monetize the compromised infrastructure by selling or renting it out.

Recent botnet disruptions have revealed a trend toward the use of a three-tier architecture by attackers. While this architecture provides advantages in communication and control, it also poses challenges in managing the complex infrastructure and leaves a notable network footprint that threat intelligence researchers can detect.

With billions of internet-connected devices vulnerable to exploitation, Yarochkin believes it is unrealistic to expect a significant decrease in compromised devices in the next 3 to 5 years. As IoT devices become more prevalent, the potential for them to be targeted and turned into pivot points by attackers increases.

In conclusion, supply chain compromise remains a significant concern and a driver of the proliferation of compromised smartphones and IoT devices. Attackers often exploit vulnerabilities in software and hardware components, which can lead to multiple implants coexisting on the same firmware. As threat actors continue to evolve their tactics and techniques, it is crucial for organizations and individuals to prioritize cybersecurity measures to defend against cyber-physical device compromise.
