Forescout Technologies has released its findings about the riskiest devices in enterprise networks in 2022 at GITEX.
In this region, network-attached storage is the riskiest and these devices often have both easy-to-exploit vulnerabilities and internet connectivity, thus they are constantly targeted by threat actors for ransomware, botnets, crypto mining, or simply data destruction.
“At Forescout, we are keen to raise awareness and let government entities and businesses know exactly where the vulnerabilities lie with their network. Our research team has done a fantastic job identifying which industry verticals are being targeted relentlessly and which connected devices are most at risk, globally and here across the region,” commented Ihab Moawad, Vice President, Forescout, Middle East, Turkey, and Africa.
Manufacturing has the highest percentage of devices with high risk (11%), while government and financial have the top combinations of medium and high risk (43% for government and 37% for financial). Healthcare and retail have the lowest risk overall, with 20% of devices having medium or high risk in healthcare and 18% in retail.
The ranking of riskiest devices does not change considerably per industry, which shows that almost every organization nowadays relies on a combination of IT, IoT, and OT (as well as IoMT for healthcare) to deliver their business. It also means that almost every organization is affected by a growing attack surface. The riskiest IT and OT devices remain nearly constant across different regions, while the riskiest IoT devices change slightly and the riskiest IoMT devices change considerably.
“GITEX gives us this global platform to showcase our Automated Cybersecurity Solutions that protect any digital terrain. Forescout is here to help companies understand and mitigate risks that come with digital transformation, the rapid growth of IoT devices across organizations, and the convergence of IT and OT networks that is encouraging the rise of ransomware-as-a-service gangs,” added Moawad.
At GITEX 2022, organizations and government entities can learn how they can better protect themselves against a new type of ransomware attack that can leverage any IoT devices, even security cameras, to deploy ransomware.
Forescout has further identified the five riskiest devices in four device categories: IT, IoT, OT, and IoMT – as shown in Table 1.
Table 1 – Riskiest connected devices per category
|1||Router||IP camera||Programmable logic controller (PLC)||DICOM workstation|
|2||Computer||VoIP||Human machine interface (HMI)||Nuclear medicine system|
|3||Server||Video conferencing||Uninterruptible power supply (UPS)||Imaging|
|4||Wireless access point||ATM||Environment monitoring||Picture archiving and communication system (PACS)|
|Hypervisor||Printer||Building automation controller||Patient monitor|
IT devices are still the main target of malware, including ransomware, and the main initial access points for malicious actors. These actors exploit vulnerabilities on internet-exposed devices, such as servers running unpatched operating systems and business applications, or use social engineering and phishing techniques to dupe employees to run malicious code on their computers.
Hypervisors, or specialized servers hosting virtual machines (VMs), have become a favorite target for ransomware gangs in 2022 since they allow attackers to encrypt several VMs at once and because ransomware developers are moving towards languages such as Go and Rust that allow for easier cross-compilation and can target both Linux and Windows.
A growing number of IoT devices on enterprise networks are being actively exploited because they are harder to patch and manage than IT devices. IoT devices are compromised due to weak credentials or unpatched vulnerabilities primarily to become part of distributed denial-of-service (DDoS) botnets. Beyond DDoS, several threat actors have been using IoT devices for other phases of attacks.
PLCs and HMIs are the riskiest OT devices because they are very critical, allowing for full control of industrial processes, and are known to be insecure by design. Although PLCs are not often connected to the internet, many HMIs are, to enable remote operation or management. These devices are not only common in critical infrastructure sectors, such as manufacturing, but also in sectors such as retail, where they drive logistics and warehouse automation.
OT devices are typically associated with manufacturing and critical infrastructure. However, other observed risky OT devices are much more widespread than PLCs and HMIs. For instance, uninterruptible power supplies (UPSs) are present in many corporate and data center networks next to computers, servers, and IoT devices. UPSs play a critical role in power monitoring and data center power management. CISA has alerted about threat actors targeting UPSs with default credentials. Attacks on these devices can have physical effects, such as switching off the power in a critical location or tampering with voltage to damage sensitive equipment.
Environment monitoring and building automation systems are critical for facilities management, which is a common need in most organizations. Smart buildings perfectly exemplify a cross-industry domain where IT, IoT and OT are converging on the same network. There are several examples of smart buildings exploited by threat actors to render controllers unusable, recruit vulnerable physical access control devices for botnets, or leverage engineering workstations for initial access. These devices dangerously mix the insecure-by-design nature of OT with the internet connectivity of IoT and are often found exposed online even in critical locations.
The riskiest IoMT devices change considerably. Table 2 shows the riskiest IoMT devices in each region. DICOM workstations are the only devices that consistently make the list in every region.
|2||Nuclear Medicine System||CT Scanner||Electrocardiograph||PACS|
|3||PACS||DICOM Workstation||Ultrasound||Medication Dispensing System|
|5||Medical Analyzer||Medication Dispensing System||Mammography System
Two recurring themes in the recent research have been the growing attack surface due to more devices being connected to enterprise networks and how threat actors leverage these devices to achieve their goals.
The attack surface now encompasses IT, IoT and OT in almost every organization, with the addition of IoMT in healthcare. It is not enough to focus defenses on risky devices in one category since attackers can leverage devices of different categories to carry out attacks. Forescout has demonstrated this with R4IoT, an attack that starts with an IP camera (IoT), moves to a workstation (IT) and disables PLCs (OT).
You need proper risk assessment to understand how your attack surface is growing. However, assessing device risk is not easy. For instance, to determine whether a device is vulnerable or not, granular classification information is needed, such as device type, vendor, model and firmware version.
The security vendor is at GITEX 2022 to show how cybercriminals use vulnerabilities in IoT devices to exploit for initial access and lateral movement to IT and OT devices, with the objective of causing physical disruption of business operations, for financial gains.
Visitors to the Forescout Stand H1-B40, in Hall 1, at the Dubai World Trade Center (DWTC) will be able to get first-hand information on the company’s security solutions, be part of interactive demos, and have all of their cybersecurity queries answered. The security vendor will also be showcasing its Completed Project Memoria, the most extensive study of TCP/IP stacks that uncovered 97 new vulnerabilities impacting over 400 vendors.
GITEX 2022 is taking place from 10 to 14 October 2022, at DWTC.