Rewterz Threat Alert – Russian State Hackers are using IoT Devices to Breach Enterprise Networks

Severity

High

Analysis Summary

Strontium (APT28) has resurfaced again, this time targeting VoIP phones, printers, and video decoders. Attacks have been observed in the wild said the Microsoft Threat Intelligence Center, one of the OS maker’s cyber-security divisions. The hacker group tried to exploit a VOIP phone, an office printer, and a video decoder, Microsoft said.

The investigation uncovered that an actor had used these devices to gain initial access to corporate networks, In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device.

Microsoft said hackers used the compromised IoT devices as an entry point into their targets’ internal networks, where they’d scan for other vulnerable systems to expand this initial foothold.

“After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets,” Microsoft said.

“They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting.

Microsoft said it identified and blocked these attacks in their early stages, so its investigators weren’t able to determine what Strontium was trying to steal from the compromised networks.

Indicators of Compromise

IP(s) / Hostname(s)

• 167[.]114[.]153[.]55
• 94[.]237[.]37[.]28
• 82[.]118[.]242[.]171
• 31[.]220[.]61[.]251
• 128[.]199[.]199[.]187

Remediation

Block threat indicators at your respective controls.