Monday, April 17, 2017


Stories From Two Years in an IoT Honeypot



SINT MAARTEN—Curious just how susceptible some of the more vulnerable IoT devices are, a researcher set up a series of honeypots at his friends’ houses to record traffic, exploit attempts and other statistics.
Dan Demeter, a junior security researcher with Kaspersky Lab’s Global Research and Analysis Team (GReAT), reviewed two years of honeypot history in a talk at the company’s Security Analyst Summit last Tuesday.
“Our idea was to run honeypots in people’s houses, some of my friends accepted, some of my friends didn’t,” Demeter said of the project, which he carried out under the guidance of GReAT Director Costin Raiu. Demeter said the devices, mostly faulty routers, didn’t affect the users’ internet activity; they just silently recorded pings.
After planting vulnerable devices, mostly in the UK and his native Romania, Demeter was able to register 200 malicious or abusive IP addresses and almost 13 million hits from his honeypots.
For his project Demeter gleaned traffic from ISPs and networks mostly in Romania, such as RDS and RCS, Telekom Romania, and UPC Romania. In the U.K., he looked at traffic from BskyB-broadband-as, GB – AS5607.
Demeter saw attackers attempt to carry out a variety of exploits – new and old – but broke down three of the more common ones in his talk.

Many attacks tried to leverage an older vulnerability in the embedded webserver RomPager in order to change DNS server settings. Attackers also used the vector to carry out clickjacking attacks, Demeter said, hoping to redirect users to a variety of phony sites, some mimicking Netflix, some urging users to invest in a new cryptocurrency called Fargocoin.
Researchers with Check Point publicized the RomPager vulnerability, which they dubbed Misfortune Cookie, in 2014; the cookie-handling flaw affected 12 million devices, mostly routers.
“The fact that I still see RomPager exploits in a honeypot in 2017 means that there are still vulnerable routers out there,” Demeter told the crowd, “I think this trend will not go away, these attacks are almost four years old and I think they’re going to be around for a long time.”
Demeter also saw attacks trying to execute commands via another vulnerability from 2014, ShellShock, and, perhaps more interestingly given how new the vulnerability was, attempts to leverage last month’s Apache Struts 2 exploit.
Attackers were quick to incorporate the Struts 2 vulnerability, Demeter said. The flaw was patched after it was disclosed by Cisco’s Talos on March 8, but it took only one day for Demeter’s honeypot to observe a hit trying to exploit it. Before all was said and done, he saw 10,000 hits trying to exploit the Struts 2 flaw.
Demeter showed a sample of one request that emanated from a server in China and described how it was trying to search for a content type header to exploit. Embedded IoT devices don’t run Apache Struts by nature so none of Demeter’s devices were at risk but that didn’t stop the researcher from being fascinated with how quickly the vulnerability was recruited.
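The three exploit families above (a Content-Type header carrying an expression for the Struts 2 flaw, a ShellShock command-injection string, and RomPager probes) are the kind of thing a honeypot classifier has to label before hits can be tallied the way Demeter did. The following is an added example, not code from the talk or from Kaspersky: a small Python classifier that runs over constructed honeypot header records, flags the two signatures that are well documented (an OGNL-style `%{`/`${` marker in Content-Type, and the `() { :;};` ShellShock pattern in any header), and counts matches per label and per source address. The header records, IP addresses and label names are all constructed for this example.

```python
import re
from collections import Counter

# Constructed honeypot hits: (source_ip, header_name, header_value).
# These are made-up records for this example, not traffic from the talk.
SAMPLE_HITS = [
    ("203.0.113.10", "Content-Type", "%{#constructed_ognl_marker}"),
    ("203.0.113.10", "Content-Type", "multipart/form-data; boundary=abc"),
    ("198.51.100.7", "User-Agent", "() { :;}; /bin/true"),
    ("198.51.100.7", "Content-Type", "application/x-www-form-urlencoded"),
    ("192.0.2.44", "User-Agent", "Mozilla/5.0 (constructed benign client)"),
]

# A legitimate Content-Type never contains an expression opener; the Struts 2
# flaw was triggered by exactly that, so the marker alone is a strong signal.
OGNL_MARKER = re.compile(r"[%$]\{")

# The canonical ShellShock function-definition prefix used by IDS rules.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")


def classify_hit(header_name, header_value):
    """Return a detection label for one header, or None if it looks benign."""
    if header_name.lower() == "content-type" and OGNL_MARKER.search(header_value):
        return "struts2-content-type"
    if SHELLSHOCK_MARKER.search(header_value):
        return "shellshock"
    return None


def tally(hits):
    """Count flagged hits per label and per source address."""
    by_label = Counter()
    by_source = Counter()
    for source_ip, header_name, header_value in hits:
        label = classify_hit(header_name, header_value)
        if label is not None:
            by_label[label] += 1
            by_source[source_ip] += 1
    return by_label, by_source


if __name__ == "__main__":
    labels, sources = tally(SAMPLE_HITS)
    for label, count in labels.most_common():
        print(f"{label}: {count}")
    for ip, count in sources.most_common():
        print(f"{ip}: {count}")
```

The classifier keys on the header name for the Struts 2 check because the same `${` text is ordinary in, say, a request body; restricting the rule to Content-Type keeps the false-positive rate low on a device that is supposed to record silently rather than alert on every odd byte.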
One of Demeter’s more interesting observations from the project came when attackers changed their behavior to adapt to his honeypots.
The researcher’s honeypots collected logs that were processed on one machine; another machine fetched links and samples in a sandbox environment. One day Demeter observed that attackers were beginning to use FTP to echo commands into a file.
“I was like ‘Oh my god, my honeypot doesn’t know how to handle FTP connections,'” Demeter said, “I found that pretty interesting because they changed their behavior, they adopted a new tactic because they realized that our honeypots were capable of automatically extracting the files.”
The researcher took a moment near the end of his talk to drill down on the botnet’s details further and tabulated which countries were the most probed. Southeast Asian countries like China and South Korea, perhaps not surprising, were the most active, with over one million pings each. The United States and Japan came in third and fourth with 360,000 and 340,000 respectively.
“As more and more devices are added to the network the vulnerability, the web space for attacks gets larger and larger,” Demeter said, “I think new devices that are being developed should have a thorough code review.”
Demeter began his talk by reviewing vulnerable IoT devices such as IP cameras made by Dahua and routers made by TP-Link. He also described the spate of recent, large-scale DDoS attacks, including those that affected OVH, the DNS provider Dyn, and Brian Krebs’ website. He suggested that in the grand scheme of things there may not be a huge difference between now and nearly 30 years ago, in 1988 when the Great Worm, a/k/a the Morris Worm made its way through computer systems.
“Is this really a new trend?” Demeter asked, “Back then, more and more computers were connecting to ARPANET and slowing down, there were no patches. Now experts say that by 2020, there will be 50 billion IoT devices, is there really a difference?”


Friday, April 14, 2017

Groups Say NIST Must Better Address Healthcare's Cyber Needs

HIMSS, CHIME, AMA Submit Comments on Framework Update

The National Institute for Standards and Technology's proposed update to its cybersecurity framework needs to better address specific concerns of the healthcare sector, ranging from medical device risks to strained resources at smaller care providers.
That's some of the feedback from healthcare industry groups in their submissions to NIST in response to the agency's request for public comment on the latest proposed draft of the NIST framework, which was unveiled in January.
The Framework for Improving Critical Infrastructure Cybersecurity, Draft Version is described by NIST as an "update" rather than a major overhaul of its cybersecurity framework that was released in 2014. Public comments on the proposed framework update were due on April 10.

What's Proposed

Among the proposed new features of the framework is a section on cybersecurity measurements to gauge security status and trends over time, as well as an expanded section on supply chain relationship management, which includes revised language in the access control category to account for authentication, authorization and identity proofing by adding a subcategory.
In comments submitted to NIST, the Healthcare Information and Management Systems Society suggests that NIST, in the framework's supply chain section, address issues related to medical device supply chain risks.
HIMSS notes that "some computer hardware, mobile devices, and other types of computing devices have been sold with embedded malware. While the insertion of such malware may have been unintentional by the manufacturer ... the very fact that this has occurred highlights the dangers of insider threat."
HIMSS stresses that healthcare providers and public health leaders "have great concerns with respect to the medical device supply chain, given the potentially significant risk to patient safety. Accordingly, HIMSS recommends that the Framework provide more granular detail on the 'how' and 'why' of supply chain risk management to include a relevant context of insider threat detection and management."
Meanwhile, in their joint comments, the College of Healthcare Information Management Executives - which represents 2,300 CIOs - and its subgroup, the Association for Executives in Healthcare Information Security - which represents 600 CISOs - call for NIST to develop industry-specific guidance for using the framework, including in healthcare.
CHIME and AEHIS note that a "crosswalk" co-developed and released in 2016 by the Department of Health and Human Services to help healthcare entities bridge the NIST cybersecurity framework to the HIPAA Security Rule "is very helpful."
However, "healthcare users also need guidelines for each function of the Framework - identify, protect, detect, respond, recover - for each of these areas: policy, procedures, testing, and integration," the groups add.
Drilling down to some of the more specific proposals in NIST's updated framework, CHIME and AEHIS note that while they support NIST's added subsection on "identity proofing" to its section covering access control, "we also believe that there needs to be a discussion and guidance on privileged users."
Most healthcare systems have identities spread through an average of 10 to 12 different systems, CHIME and AEHIS note. "Guidance on identity management needs to include the critical need to have a master view of all identities and all the entitlements."

Challenges of Smaller Healthcare Entities

Some of the comments submitted to NIST also touch upon the special challenges that smaller healthcare entities, including clinics and doctor practices, often face.
"While discussions of cybersecurity typically include perspectives of government, health IT vendors, and large health and hospital systems, the physician voice is relatively unheard," notes the American Medical Association in its comments to NIST.
"We recommend that NIST and others in the cybersecurity space contemplate ways to make cybersecurity best practices affordable, attainable, and approachable for physicians without extensive health IT knowledge or experience," writes AMA, a professional organization which represents physicians in the U.S.
"We suggest NIST consider developing a non-technical, plain-language compendium to accompany the Framework to help individuals champion the importance of cybersecurity to their organization and promote a culture of good cyber hygiene," the AMA writes.
Still, the AMA adds that, overall, it supports the framework's "voluntary approach" that offers flexibility allowing entities to customize how they adopt and implement a cybersecurity framework. "This is critical in the healthcare space where a solo practitioner has very different resources than a large health system," AMA says.

Special Needs

Keith Fricke, principal consultant at tw-Security, says he thinks the AMA's requests to NIST are reasonable. "It is great knowing [AMA members] want to adopt using [the framework] and have expressed an interest in wanting NIST to develop a compendium to better understand it," he notes.
"I think if NIST can achieve the AMA's request, the AMA would be more likely to endorse its use amongst its members."
Mac McMillan, president of security consulting firm CynergisTek, says he supports the idea of a healthcare-specific compendium and the development of other tools to operationalize the framework. However, it's not feasible for NIST to address all of the AMA's concerns, he says.
"We have more than 60 percent of healthcare entities using the NIST framework now, so this is absolutely doable, but the AMA's response is a bit frustrating as it is not always possible to make responses to cybersecurity flexible, and secondly NIST is not necessarily in a position to make cybersecurity more affordable."

Needs Gaps

Tom Walsh, president of tw-Security, says that overall there are disconnects between NIST's framework and the needs and challenges faced by many healthcare entities.
"The mission of NIST is to serve other federal agencies - not healthcare specifically. What works at a federal government agency level does not always translate well into a small or rural healthcare setting."
Additionally, "NIST staff may have little to no experience in actually working in healthcare - hospitals and in particular - critical access hospitals and private physician practices/clinics. IT in small hospitals and clinics is almost always outsourced to a local IT company with little or no understanding of HIPAA, let alone NIST cybersecurity framework," Walsh notes.
Supplemental NIST framework guidance might not even be enough to help some smaller healthcare entities in their cybersecurity stance, he adds. "Practice managers in clinics have at least six different roles - compliance, privacy, and security officers are three of them. Expecting them to comprehend the NIST cybersecurity framework is not likely going to happen - with or without a supplemental document."
Walsh adds that "small and rural providers way outnumber larger healthcare organizations. Most healthcare in the U.S. is delivered in a small and rural setting. The folks in Washington, D.C., and Gaithersburg, Md. [where NIST is based] tend to forget that."
For instance, clinics and critical access hospitals "in the 'flyover states'... often struggle with guidelines from the beltway. That's due mostly to a lack of resources to implement," he adds. "Not everyone has the deep pockets of the federal government."
Kate Borten, president of privacy and security consulting firm The Marblehead Group, says organizations outside of NIST might be the best bet in helping smaller healthcare entities - and especially physician practices - navigate cybersecurity issues covered by the framework.
"I believe that HHS and professional organizations such as the AMA are better equipped to speak to solo practitioners," Borten says. "They already have the communication links, relationships, and can frame content for that specialized audience, unlike NIST - an organization they are not likely to know."

Coming Soon

NIST says it plans to host a workshop in May to discuss the comments from all industries it received on its framework update proposals.
After the May 2017 workshop and analysis of the 130 comments received, NIST intends to issue a final version of the updated framework, along with an updated "roadmap" document that describes recommended activities in work areas that are related and complementary to the framework.