Head off account takeover attacks by being proactive about IoT security. Start with designing and building better security protocols into IoT devices, always change weak default configurations, and regularly apply patches to ensure that IoT devices are secure.

Daniel dos Santos, Head of Security Research, Forescout's Vedere Labs

January 20, 2023


Account takeover attacks are like the widely told campfire story about a babysitter who receives a series of threatening phone calls that are traced from "inside the house."

Fear of the unknown hits too close to home. Initial access brokers (IABs) are closely related to account takeover attacks, and both are linked to ransomware. Now, it seems likely that IABs and account takeover attacks will set their sights on Internet of Things-enabled devices. Instead of the call coming from inside the house, the attack is coming from inside the phone (VoIP-enabled, of course).

The Role of Initial Access Brokers in Ransomware Attacks

The rise of remote work has contributed to the increase in ransomware attacks in recent years. With more employees working from home, organizations have had to rely on remote access technologies, such as remote desktop protocol (RDP) and virtual private networks (VPNs), which provide attackers with an easy way to gain initial access to a network.

Account takeover attacks are often used as a means of gaining initial access to a network to carry out a ransomware attack. In an account takeover attack, the attacker typically uses stolen or purchased login credentials to gain unauthorized access to a victim's online accounts.

IABs, also known as breach brokers, provide access to hacked or compromised computer systems to other individuals or organizations. The use of IABs has become increasingly common in recent years, as it allows cybercriminals to easily and quickly gain access to a range of targets without having to spend their own time and resources on hacking them.

However, as organizations better secure RDP, VPN, and other IT credentials, attackers will have to turn their attention to new targets. IoT devices are a logical choice because of their widespread deployment — more than a quarter of devices in every organization are IoT devices, regardless of industry, and that number is expected to continue to increase. Unfortunately, many of these devices are vulnerable to attack, making them an attractive target.

Three Reasons IoT Devices Are Vulnerable to Attack

Although there are many reasons that IoT devices are vulnerable to attack, three main reasons are that they are often used with default configurations, patch management is difficult, and they were not designed with security in mind.

Default credentials are easy targets — Access:7 research identified entire product lines of IoT devices that shared hardcoded credentials for remote access.

Specialized IoT firmware may remain unpatched — Project Memoria identified more than 100 vulnerabilities in TCP/IP stacks that affected several devices, but many were not patched by the manufacturers.

Many IoT devices lack authentication and encryption — OT:ICEFALL research has demonstrated how insecure protocols in operational technology are easily exploited by attackers.

Of course, vulnerabilities tell only half of the story. For organizations to understand the nature of the threat, they also need to understand how IoT devices are currently under attack.

IABs for IoT

There are many examples of advanced persistent threats (APTs) that have used corporate IoT for initial access into organizations. For instance, the Russian state-sponsored actor Strontium has leveraged VoIP phones, office printers, and video decoders, while Chinese state-sponsored actors have exploited vulnerabilities on IP cameras to infiltrate US organizations.

Attack techniques tend to trickle down from APTs to less-sophisticated actors, and there are already cybercriminal gangs, such as the Conti, Deadbolt, and Lorenz ransomware groups, which have targeted IP cameras, NAS devices, and VoIP for initial access. In addition, there are groups that trade IoT exploits on Dark Web markets — the logical next step is an IAB market for IoT.

An IAB for IoT would likely act in a similar way to hacktivists that have been targeting IoT/OT. They would scan target organizations using tools such as Shodan and Kamerka, enumerate vulnerabilities or discover credentials, and use those for initial access.

One of the main differences between IABs that focus on RDP/VPN and those that target IoT devices is that the latter could also leverage vulnerabilities in IoT devices, which tend to remain unpatched for much longer. This means that they would be able to gain access to organizations in a more stealthy and persistent way, which makes IoT devices a more attractive target for cybercriminals.

Mitigating the Risk of IABs for IoT

Although IABs for IoT are different from those targeting RDP/VPN credentials, the good news is that organizations can still take a similar approach to cybersecurity. The discovery of new devices on the network, the continuous monitoring of network traffic, and the use of appropriate network segmentation are all best practices to mitigate the risk of an attack, regardless of whether it leverages an IT or an IoT device.

To address the issues unique to IoT devices, manufacturers and organizations need to take a proactive approach to IoT security. This means changing weak default configurations and regularly applying patches to ensure that devices are secure. In addition, protocols used in specialized IoT devices should be designed with security in mind, including basic security controls such as authentication and encryption. By taking these steps, we can improve the security of IoT devices and reduce the risk of attacks.
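The checks named in this section (device discovery, segmentation, default configurations, patching, and encrypted protocols) can be run as one audit over an asset inventory. The following is an added example, not code from the article or from Forescout; the inventory columns, the IoT subnet, the list of cleartext services, and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample inventory; column names and values are assumptions.
INVENTORY_CSV = """ip,kind,firmware,latest_firmware,default_creds_changed,services
10.20.0.11,ip-camera,2.4.1,2.4.1,yes,https
10.20.0.12,voip-phone,1.9.0,1.10.2,no,https;sip
192.168.5.40,nas,5.0.3,5.0.3,yes,https;telnet
10.20.0.13,printer,3.1,3.1,yes,http;ipp
"""
# Constructed: addresses seen by network monitoring over the same period.
OBSERVED_IPS = ["10.20.0.11", "10.20.0.12", "192.168.5.40", "10.20.0.13", "10.20.0.99"]
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # assumed dedicated IoT segment
CLEARTEXT = {"telnet", "http", "ftp"}  # services without transport encryption

def version_tuple(text):
    """'1.10.2' -> (1, 10, 2), so 1.9.0 correctly sorts before 1.10.2."""
    return tuple(int(part) for part in text.split("."))

def audit(inventory_csv, observed_ips, segment=IOT_SEGMENT):
    """Return {ip: [finding, ...]} for every device with at least one finding."""
    findings = {}
    known = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ip = row["ip"]
        known.add(ip)
        issues = []
        if row["default_creds_changed"].strip().lower() != "yes":
            issues.append("default credentials")
        if version_tuple(row["firmware"]) < version_tuple(row["latest_firmware"]):
            issues.append("firmware behind")
        exposed = CLEARTEXT & set(row["services"].split(";"))
        if exposed:
            issues.append("cleartext service: " + ",".join(sorted(exposed)))
        if ipaddress.ip_address(ip) not in segment:
            issues.append("outside IoT segment")
        if issues:
            findings[ip] = issues
    # Discovery: anything on the wire that the inventory does not know about.
    for ip in observed_ips:
        if ip not in known:
            findings[ip] = ["not in inventory"]
    return findings

if __name__ == "__main__":
    for ip, issues in audit(INVENTORY_CSV, OBSERVED_IPS).items():
        print(ip, "->", "; ".join(issues))
```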

About the Author(s)

Daniel dos Santos

Head of Security Research, Forescout's Vedere Labs

Daniel dos Santos is the Head of Security Research at Forescout's Vedere Labs, where he leads a team of researchers that identifies new vulnerabilities and monitors active threats. He holds a PhD in computer science, has published over 30 journal and conference papers on cybersecurity and has spoken at conferences such as Black Hat, Hack In The Box, and x33fcon.
