Each quarter, the Cradlepoint Threat Research and Analysis (TR&A) Team researches and informs its customers about the threat landscape, providing threat intelligence that also informs Cradlepoint’s product design and ability to respond to active threats.
Our Views on Recent Attacks
In the second quarter of 2023, a defense-in-depth strategy for securing IoT devices was a recurring theme. Security controls to stop Reconnaissance (TA0043) and Initial Access (TA0001) tactics are needed as malware expands the number of IoT vulnerabilities and actors find novel ways to monetize compromised devices.
IoT Tops List for Initial Access Concern
The Cybersecurity and Infrastructure Security Agency (CISA) published its yearly report, which urged defenders to prioritize securing IoT devices. CISA stated that IoT devices are more likely to have initial access vulnerabilities, which require no user interaction to exploit. For more details, see https://vulncheck.com/blog/2022-cisa-kev-review.
TR&A Analyst Comments: In the past quarter, at least three malware families have added IoT exploits to their arsenals: RapperBot, Zerobot, and Mirai. In addition, actors are expanding monetization of compromised IoT devices through crypto mining and pay2peer software installation. Cradlepoint’s Zero Trust Network Access (ZTNA), delivered by the NCX product suite, defends against Reconnaissance (TA0043) by denying inbound Internet access to systems, and Initial Access (TA0001) can be blocked using the IDPS features available in Cradlepoint’s cellular routers.
Security researchers at Fortinet Labs tracked the evolution of RapperBot malware campaigns, which increased the monetization of their botnet by bundling a Monero crypto miner into their existing malware. This malware targets IoT devices and was previously only used for DDoS botnet attacks. For more details, see https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking.
TR&A Analyst Comments: These malware families use Resource Hijacking (T1496) techniques, which reduce device availability and may impact business services. As more actors are prosecuted, they look for less visible ways to maintain their revenue, and crypto mining in other technologies, such as browser extensions, has already proven profitable. By default, ZTNA blocks inbound access to devices and outbound traffic destined for known-bad destinations, providing defense in depth both before and after a device is compromised.
Security researchers at Akamai found evidence of actors using proxyjacking for financial gain by installing pay2peer software, which pays for devices added to the peering network (T1496 Resource Hijacking). Actors can also use the peered network for malicious activity, because routing through it makes the origin of an attack difficult to determine. For more details, see https://www.akamai.com/blog/security-research/proxyjacking-new-campaign-cybercriminal-side-hustle.
TR&A Analyst Comments: The proxyjacking attack lifecycle depends on a vulnerable SSH server for initial access, typically through vulnerability exploits, password-guessing (brute-force) attacks, lost SSH keys, and credential theft. Isolating SSH servers from untrusted internal networks and the dirty web is an effective defense, and it is implemented by Cradlepoint’s NCX Secure Connect. Secure Connect enforces explicit-allow policies to limit local and Internet access, reducing the likelihood of device compromise and blocking connections to actor-controlled resources.
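Because password guessing against SSH is one of the initial-access paths named above, a defender will usually want to detect it in sshd logs as well as block it at the network edge. The following is an added example written for this report, not Cradlepoint code and not part of any NCX product; it runs a sliding-window brute-force detector over a few constructed syslog-format sshd lines (the hostnames, IP addresses and timestamps are invented for illustration) and flags the case that matters most for proxyjacking: a burst of failures from one source followed by a successful login from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not captured from any real system).
# 203.0.113.7 fails five times in a few seconds and then succeeds as root;
# 198.51.100.5 has two failures far apart (ordinary typo noise);
# 192.0.2.10 is a normal key-based login.
SAMPLE_LOG = """\
Jun 12 10:00:01 edge-router sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 12 10:00:03 edge-router sshd[2102]: Failed password for admin from 203.0.113.7 port 51236 ssh2
Jun 12 10:00:04 edge-router sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Jun 12 10:00:06 edge-router sshd[2104]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 12 10:00:08 edge-router sshd[2105]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jun 12 10:00:09 edge-router sshd[2106]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Jun 12 10:05:00 edge-router sshd[2110]: Failed password for ops from 198.51.100.5 port 40000 ssh2
Jun 12 10:30:00 edge-router sshd[2111]: Failed password for ops from 198.51.100.5 port 40002 ssh2
Jun 12 10:30:05 edge-router sshd[2112]: Accepted publickey for ops from 192.0.2.10 port 40100 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user test from ..." (OpenSSH wording for unknown accounts).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2023):
    """Parse one sshd auth line into a dict, or None if it is not a login result.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2023 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Flag sources with >= threshold failed logins inside a sliding time window.

    Returns one alert per source: the failure count, the burst's first and last
    timestamps, and whether an Accepted login from that source followed the burst
    (success_after), which is the strongest sign the guessing actually worked.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # src -> failure timestamps inside the window
    alerts = {}
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            q = recent_failures[src]
            q.append(e["ts"])
            # Slide the window: drop failures older than `window` relative to this event.
            while q and e["ts"] - q[0] > window:
                q.pop(0)
            if len(q) >= threshold:
                if src not in alerts:
                    alerts[src] = {"src": src, "failures": len(q), "first": q[0],
                                   "last": e["ts"], "success_after": False,
                                   "success_user": None}
                else:
                    alerts[src]["failures"] = len(q)
                    alerts[src]["last"] = e["ts"]
        elif src in alerts:
            # A success from an already-flagged source: escalate the alert.
            alerts[src]["success_after"] = True
            alerts[src]["success_user"] = e["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        status = "COMPROMISED?" if a["success_after"] else "attempted"
        print(f"{a['src']}: {a['failures']} failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} "
              f"[{status} user={a['success_user']}]")
```

The two-failure source is deliberately left out: a fixed threshold with a sliding window is what keeps legitimate typos from paging anyone, while the `success_after` flag turns a noisy "someone is scanning" alert into the high-priority "a guessed password worked" event that the proxyjacking lifecycle in the Akamai write-up begins with.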
Cradlepoint’s 5G-optimized SASE product suite provides device attack surface mitigation, prevention of initial compromise attacks, and post-compromise detection.
All quarterly Cradlepoint Threat Intelligence reports can be found on the Cradlepoint blog under "Network Security."