In its latest report, Nozomi Networks Labs evaluates the threats targeting Operational Technology (OT) and Internet of Things (IoT) devices from July to December 2022.
Regarding the attacks on IoT devices, Nozomi Networks Labs shares insights based on data collected by its IoT honeypots.
The top countries in which compromised devices were used to execute attacks were China, the US, and South Korea. Among attack source locations, Japan replaced the UK as the top attacker country in the second half of 2022.
Default credentials remain one of the main ways threat actors gain access to IoT devices. The same default usernames and passwords were used to access different systems, but at 2x or 3x the frequency seen earlier in 2022. These include nproc:nproc, admin:admin, admin:1234, root:root, etc.
The top attacker IP made over 70,000 attempts, compared to only 30,000 attempts in the first six months of 2022. Some IPs were used repeatedly, which indicates that threat actors were able to maintain persistence on compromised devices for a long period of time. By reusing IP addresses that previously belonged to legitimate organizations, threat actors can disguise their malicious activity by making it appear to come from a trusted source, which can throw off Intrusion Detection Systems.
Following initial access, threat actors execute commands on the system that allow them to maintain persistence and escalate privileges. The top 4 executed commands (enable, shell, sh and system) are far more prevalent than the other commands and appear in the scripts of multiple malware families.
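As an added example (not code from the report or from Nozomi Networks), the following Python scans constructed honeypot-style log lines for the default credential pairs and the four post-login commands named above, aggregates them per source IP, and flags sources that pair a default-credential login with a persistence command or exceed a login-attempt threshold. The line format, field names and sample IPs are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Default credential pairs the report names as most-used in 2H 2022
DEFAULT_CREDS = {("nproc", "nproc"), ("admin", "admin"), ("admin", "1234"), ("root", "root")}
# The four post-login commands the report names as most frequently executed
PERSISTENCE_CMDS = {"enable", "shell", "sh", "system"}

# Hypothetical honeypot line format (constructed for this example, not the report's):
#   <ts> src=<ip> event=login user=<u> pass=<p>   or   <ts> src=<ip> event=cmd cmd=<c>
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) event=(?P<ev>login|cmd) (?P<rest>.*)$")

def parse_line(line):
    """Parse one line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # key=value tokens; values containing spaces are not expected in this toy format
    rec.update(kv.split("=", 1) for kv in rec.pop("rest").split() if "=" in kv)
    return rec

def analyze(lines):
    """Per source IP: login attempts, default-credential hits, persistence commands seen."""
    stats = defaultdict(lambda: {"attempts": 0, "default_creds": 0, "cmds": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        s = stats[rec["ip"]]
        if rec["ev"] == "login":
            s["attempts"] += 1
            if (rec.get("user"), rec.get("pass")) in DEFAULT_CREDS:
                s["default_creds"] += 1
        elif rec["ev"] == "cmd" and rec.get("cmd") in PERSISTENCE_CMDS:
            s["cmds"][rec["cmd"]] += 1
    return dict(stats)

def flag_suspicious(stats, min_attempts=3):
    """Flag IPs pairing a default-credential login with a persistence command, or hammering logins."""
    return sorted(ip for ip, s in stats.items()
                  if (s["default_creds"] and s["cmds"]) or s["attempts"] >= min_attempts)
SAMPLE_LOG = [  # constructed sample lines, not data from the report
    "2022-11-03T10:00:01Z src=198.51.100.7 event=login user=root pass=root",
    "2022-11-03T10:00:02Z src=198.51.100.7 event=cmd cmd=enable",
    "2022-11-03T10:00:02Z src=198.51.100.7 event=cmd cmd=shell",
    "2022-11-03T10:00:05Z src=203.0.113.9 event=login user=alice pass=S3cret!",
    "2022-11-03T10:00:06Z src=203.0.113.9 event=cmd cmd=uptime",
    "garbage line",
]
```

Running `flag_suspicious(analyze(SAMPLE_LOG))` returns only the source that logged in with root:root and then issued enable and shell; the benign session is left alone.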
If you want to learn more about Nozomi Networks' 2022 2H OT/IoT Security Report, you can download it here.