Today, the number and diversity of connected devices continue to grow in enterprises, no matter which sector they operate in. This has created a new challenge for organizations as they need to understand and manage the risks they are exposed to.
We keep saying that the attack surface is expanding, and that's because it now spans IT, IoT, and OT for most enterprises, with the addition of IoMT in healthcare. However, IT devices are still the primary target for malware, including ransomware, and are considered the main entry vector threat actors exploit initially.
In this regard, a recent report on the riskiest connected devices for enterprise networks observed that routers and wireless access points are becoming the most common entry points for malware and advanced persistent threats.
A new modus operandi for an attack campaign known as ZuoRAT has recently come to light that has managed to fly under the radar for nearly two years. This threat campaign is extremely sophisticated and primarily targets small office or home office routers, using the router as the entry vector. How does it work?
First, a compiled MIPS file is sent to the routers. This file is a malware called ZuoRAT, designed to gather information about the infected router and the devices on its LAN so that the attackers can gain further access after the initial infection.
Once installed, the malware enumerates the hosts on the internal LAN. It can also capture network packets passing through the compromised device and launch man-in-the-middle attacks, such as DNS and HTTP hijacking, based on a predefined set of rules. These hijacking operations are used to deliver shellcode loaders to machines on the local network.
The next step is moving from the router to the workstations on the network, deploying a Windows loader that is used to download and execute one of three trojans: CBeacon, GoBeacon, or CobaltStrike.
This campaign typically targets US and European organizations. At least 80 targets have been affected over a nine-month period, but it is suspected that many more may have been targeted.
This threat can only be mitigated by deploying well-configured and up-to-date detection solutions.
Impenetrable wireless networks and a secure enterprise network
The rise of working from home and hybrid work has changed how employees connect to the Internet and complicates risk management for IT managers. Corporate teams now constantly access the Internet from an often-unprotected home network rather than from the protected network in the physical office.
This generates new security needs that can be addressed by incorporating secure Wi-Fi access points and wireless network management software that delivers optimized connectivity. As well as supplying a comprehensive and practical set of wireless functions, these solutions provide the secure encryption required by today's work environments. But the key benefit is the high level of visibility, which enables detailed monitoring and reporting of the wireless environment, giving IT administrators the insight they need to determine how well Wi-Fi access points perform. This makes it possible to view the device status and, more importantly, the device's health, making it easier to keep up with updates and avoid potential vulnerabilities.
Combining this solution with a firewall protects users against sophisticated attacks such as ZuoRAT, as it will prevent any malware hidden in encrypted traffic from accessing the enterprise network. At Akubra, a company that designs, manufactures, and distributes iconic Australian hats, they knew that this was the route they needed to take to significantly reduce the number of threats targeting their servers. WatchGuard solutions have enabled Akubra’s IT team to always make the right decisions and maintain optimal security levels, resulting in increased productivity and employee satisfaction.
As the Akubra case shows, having the right protection solutions means that businesses can focus their efforts on other areas that add value to their business. All businesses need Internet access today. The best way to protect the riskiest connected devices in their environment is to look for a cybersecurity provider that offers the advanced solutions they need.