Posted on August 6, 2019 at 10:55 AM
New Microsoft Warning: Russian ‘Fancy Bear’ Hackers Are Targeting Enterprise Networks Through IoT Devices
According to a new warning from the tech giant Microsoft, it seems that Russian state-backed hacking groups are once again causing trouble for corporations and enterprises. One group in particular was singled out as the main threat: the well-known group Fancy Bear. Microsoft researchers further warn that the group is searching for a way to access corporate networks through IoT devices.
Fancy Bear’s newest efforts revealed
According to a recent report from the Microsoft Threat Intelligence Center, Microsoft’s cyber-security division, numerous attacks have already been reported in the wild. The group believed to be responsible is Russia’s Fancy Bear, also known as APT28 or Strontium.
The group became infamous several years ago, and one of its best-known attacks, known as the DNC hack, was recorded in 2016. Then, in 2018, US officials identified it as Unit 74455 and Unit 26165 of Russia’s military intelligence agency, also known as the GRU.
In the new warning, Microsoft researchers say that IoT devices have become points of ingress from which attackers can gain access to the network and then continue to look for further access. In other words, once a device has been compromised, hackers can simply scan for other insecure devices and compromise them as well.
The devices in question can include anything from video decoders and printers to any other Internet of Things device.
Microsoft originally spotted the attacks earlier this year, in April. Back then, the researchers only discovered that Fancy Bear was after IoT devices across multiple customer locations. The attackers targeted an office printer, a VOIP phone, and a video decoder. In several cases, they gained access because the devices still used the default passwords set by the manufacturer. In one case, attackers gained access because the device had not received the newest security update.
As mentioned, breaching the devices’ defenses resulted in further scans, as well as attempts at further exploits. Researchers also noted that, as the attackers moved between different devices, they would leave a shell script to establish their presence within the network. Luckily, Microsoft was successful at blocking the attacks during their early stage. However, this also means that researchers did not manage to learn what the attackers were actually after, assuming that they had a firm goal.
IoT devices become a new favorite target for hackers
This is not the first time that Fancy Bear has targeted IoT devices. Back in 2018, the FBI reported that the same group managed to infect over 500,000 consumer-grade routers in as many as 54 different countries. The malware that they used to create this botnet has since been named VPNFilter.
It was believed that the group was going to use the botnet to launch a DDoS attack timed for the day on which the UEFA Champions League final was scheduled. However, the FBI was successful in neutralizing the attack in collaboration with Cisco’s Talos security group.
Fancy Bear, also known as Strontium, is not the only state-sponsored hacking group that has been after IoT devices lately. Groups like Slingshot, LuckyMouse, and Inception Framework have been observed doing the same.
For now, Microsoft plans to attend the Black Hat USA 2019 security conference, where the researchers will reveal more information regarding the April 2019 attack. Meanwhile, the company has also contacted the manufacturers of the targeted devices, warning them of the threat and giving them an opportunity to implement new defenses. However, this is likely not the end of the threat, and hackers are more than likely to target all other types of IoT devices as well. That is why it is imperative for users to regularly install security updates and to change the default password as soon as they enable their devices.