China, USA and India worst IoT malware offenders

  • December 21, 2022
  • Steve Rogerson

China, the USA and India were the top countries originating IoT malware this year, according to a report from Microsoft.

The third edition of Microsoft’s Cyber Signals, a regular cyber-threat intelligence brief, highlights insights on the wider risks that converging IT, IoT and operational technology (OT) systems pose to critical infrastructure, and how enterprises can defend against these attacks.

It spotlights security trends and insights gathered from Microsoft’s 43 trillion daily security signals and 8500 security experts.

Around 38% of IoT malware infections come from China, with 19% from the USA and 10% from India. South Korea follows at 7%, with Taiwan and Russia both on 5%.

As IT and OT converge to support expanding business needs, assessing risk and establishing a more secure relationship between IT and OT require consideration of several control measures, says the report. Air-gapped devices and perimeter security are no longer sufficient to address and defend against modern threats such as sophisticated malware, targeted attacks and malicious insiders.

“The growth of IoT malware threats, for example, reflects this landscape’s expansion and potential to overtake vulnerable systems,” says the report.

With increasing connectivity across converging IT, OT and IoT, organisations and individuals need to rethink the impact and consequences of cyber risk. Just as the loss of a laptop or modern vehicle containing a homeowner’s cached wifi credentials could grant a property thief unauthorised network access, so compromising a manufacturing facility’s remotely connected equipment or a smart building’s security cameras introduces new vectors for threats such as malware or industrial espionage.

“As OT systems underpinning energy, transportation and other infrastructures become increasingly connected to IT systems, the risk of disruption and damage grows as boundaries blur between these formerly separated worlds,” said Vasu Jakkal, corporate vice president at Microsoft. “For businesses and infrastructure operators across industries, the defensive imperatives are gaining total visibility over connected systems and weighing evolving risks and dependencies.”

Microsoft identified unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer OT networks. This illustrates how challenging it is for even well-resourced organisations to patch control systems in demanding environments sensitive to downtime.

There has been a 78% increase in disclosures of high-severity vulnerabilities from 2020 to 2022 in industrial control equipment produced by popular vendors.

Over one million connected devices are publicly visible on the internet running Boa, an outdated and unsupported software still widely used in IoT devices and software development kits.

For businesses and individuals, securing IoT with a zero-trust security model starts with requirements that are not specific to IoT. This means first implementing the basics: securing identities and devices, and limiting their access. These requirements include explicitly verifying users, having visibility into the devices on the network, and real-time risk detection.

In 2022 Microsoft helped a major global food and beverage company, which was using very old operating systems to manage factory operations, with a malware incident. The malware spread to factory systems via a compromised contractor laptop while routine maintenance was being performed on equipment that would later connect to the internet.

Unfortunately, says the report, this is becoming a fairly common scenario. While an ICS environment can be air-gapped and isolated from the internet, the moment a compromised laptop is connected to a formerly secure OT device or network it becomes vulnerable.

Across the customer networks Microsoft monitors, 29% of Windows operating systems are versions that are no longer supported. The company said it had seen versions such as Windows XP and Windows 2000 operating in vulnerable environments.

It said a defence based on zero trust, effective policy enforcement and continuous monitoring could help limit the potential blast radius and prevent or contain incidents such as this one in cloud-connected environments.