Variants of the Mirai codebase are still a popular way to compromise and subvert Internet of Things devices, but experts fear more serious threats may be ahead.


With attacks against Internet of Things devices on the rise, threat researchers are warning companies to make sure they know their devices and have processes in place to maintain and defend them.

In a Jan. 25 blog post, threat intelligence firm Intel 471 stated that a surge of attacks on IoT devices in 2020 and 2021 led to the theft of confidential information and the creation of massive botnets for launching distributed denial-of-service (DDoS) attacks. The company also saw the two main malware codebases, Mirai and Gafgyt, being used to compromise connected devices, with variants of Mirai the most popular way to sell illicit access to targeted firms on underground forums.

The threat will only grow this year as attackers shift to more profit-focused motives, says Michael DeBolt, chief intelligence officer for Intel 471.

"As IoT devices become more and more commonplace, and industries increase their dependency on these devices for their uptime and operations ... we expect to see the shift to targeted ransomware and IoT botnet operators working with access merchants to identify potential targets," he says.

Two trends in the IoT marketplace are converging to create a significant security problem. Manufacturers of a plethora of devices are adding connected functionality for management and updates, as well as to offer additional services, leading to a larger attack surface area in most organizations. However, management of these devices has not kept pace, leaving many of them vulnerable to attack.

In the medical space, for example, 53% of connected medical devices and other IoT devices in healthcare settings have critical vulnerabilities, according to a Jan. 20 report from Cynerio. Intravenous pumps and patient monitors are the most common connected devices in hospitals, accounting for 57% of IoT devices in the average medical setting.

The level of vulnerability in the medical industry means that hospitals and healthcare organizations have to go beyond having visibility into their current attack surface, according to the report. They must also be able to effectively respond.

"Hospitals don’t need more data — they need to be able to act decisively when attacked," according to Cynerio's report. "Identifying and addressing risk vectors that are already being leveraged in the wild is a good first step towards implementing healthcare IoT security that will make a hospital's connected device footprint more resilient."

The codebase for the Mirai botnet continues to be a staple of online attackers, Intel 471's DeBolt says. Mirai is most recognized as the malware used to compromise Internet-connected digital video recorders (DVRs) and routers in 2016 and cause them to attack websites and network providers. Six years later, malware developers continue to extend the functionality of the Mirai codebase, using compromised systems as a way to anonymize traffic as well as send floods of packets at targeted networks, Intel 471 stated in its blog post.

"The takeaway is that Mirai is still alive," says DeBolt. "It's not going anywhere and it is still kicking."

Vulnerabilities in IoT devices extend far beyond home routers and consumer products. Because many of these connected devices are based on the same operating systems — such as Linux or Wind River Systems' VxWorks — a variety of medical devices, manufacturing controllers, and monitoring systems, to name a few, are also routinely found to have vulnerabilities.

"While people hear IoT and automatically think of smart devices — think home appliances with internet connection — that’s not really where the big, primary threat is," DeBolt says. "The vulnerabilities lie in the software development kits, operating systems and/or firmware that power the hardware that makes all these smart devices connect to the internet."

Because of the sensitive nature of many of these connected devices, Intel 471 argues that IoT ransomware is likely to be the next stop for attackers. An attack on IoT controllers or monitoring devices could easily lead to a halt of operations at utilities, hospitals, or within smart buildings and city infrastructure, lending any ransom demand that much more weight.

Currently, the company has not seen much chatter among underground actors indicating that ransomware functionality is being integrated into current IoT malware codebases, but given the seriousness of the issue, defenders should be thinking about it now, says DeBolt.

"We are not seeing the underground actors wholly going to IoT as a ransomware target," he adds, "but if you are in IoT security, you should be worried about ransomware."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
