Proving the Business Case for the Internet of Things

TrapX spots malware on IoT devices running Windows 7

Steve Rogerson
February 6, 2020
 
Microsoft is putting workers at risk by stopping releasing security patches for Windows 7, according to TrapX Security, which has identified a malware campaign targeting IoT devices running Windows 7 at manufacturing sites.
 
Microsoft announced last month that it would no longer release security patches for Windows 7. There are roughly 200 million devices worldwide still running this now outdated operating system.
 
California-based TrapX Security has issued a report detailing this campaign that uses a self-spreading downloader that runs malicious scripts as part of the Lemon_Duck PowerShell malware variant family. It has targeted a range of devices including smart printers, smart TVs and automated guided vehicles (AGVs) at specific manufacturer sites.
 
In January, Microsoft ended all support for Windows 7, despite the estimated 200 million devices that are still running the out-of-date operating system. This end-of-life announcement means there will be no more additional security patches, fixes or functions, leaving these IoT devices at an increased risk.
 
The manufacturing sector faces large challenges due to its reliance on embedded devices running legacy OS. These devices cannot be updated easily, and most often need to be replaced to upgrade to new, more secure operating systems. The existence of devices running legacy OS leaves these networks open to the campaign causing risks to employee safety, disruption of production and, in some cases, loss of sensitive data.
 
TrapX's report on this malware campaign does a dive into its capabilities and how it spreads throughout target networks. It found that the malware's infection may cause IoT devices to malfunction, causing harm to workers on the manufacturing floor, delays in the supply chain and damage to the brand's reputation.
 
The report describes the compromised security of industrial equipment that could be life threatening, as well as detailed forensics of the malware used in the campaign.
 
"This research is further proof of the growing complexity of security management as businesses adopt new technologies such as IoT and cloud while still maintaining legacy ones," said Ori Bach, chief executive officer of TrapX Security. "To remain effective, security products must be able to scale across the complex threat landscape."
 
The Window 7 end-of-life announcement indicates additional patches, fixes or functions will not not available to protect these devices from future threats.
 
The reports says that infiltration risks damage to safety, the supply chain and data loss, and, in extreme cases, can cause a shutdown of the entire production network. Devices from third-party vendors can enter the network pre-infected.
 
However, it says further attacks are preventable if the proper cyber-security controls are in place, including:

  • Change the default password on devices and avoid use of weak passwords that can be brute forced.
  • Map out at-risk embedded devices running the now end-of-life Windows 7 OS and the resulting operational impact of infections to the network.
  • Replace sensitive devices with more up-to-date ones and create further segmentation around devices that cannot be replaced.
  • Deploy detection and response technology to monitor and quarantine infected devices.
The report outlines anonymised case studies of real attacks and can serve as a guide for IT teams looking to identify and mitigate the threat.