Wiper malware and IoT botnets dominate H1 2022 threat landscape

Nozomi Networks Labs’ latest OT/IoT security report finds wiper malware, IoT botnet activity, and the Russia/Ukraine war impacted the threat landscape in the first half of 2022.

“This year’s cyber threat landscape is complex,” said Roya Gordon, Nozomi Networks OT/IoT Security Research Evangelist. “Many factors including increasing numbers of connected devices, the sophistication of malicious actors, and shifts in attack motivations are increasing the risk for a breach or cyber-physical attack. Fortunately, security defenses are evolving too. Solutions are available now to give critical infrastructure organizations the network visibility, dynamic threat detection, and actionable intelligence they need to minimize risk and maximize resilience.”

Since Russia’s invasion of Ukraine began in February 2022, Nozomi Networks Labs researchers have observed activity from a variety of threat actors, including hacktivists, nation-state APTs, and cybercriminals. They also observed the widespread use of wiper malware and the emergence of an Industroyer variant, dubbed Industroyer2, designed to exploit the IEC-104 protocol, which is commonly used in industrial settings.

Furthermore, malicious IoT botnet activity was on the rise and becoming more sophisticated in the first half of 2022. Nozomi Networks Labs deployed a series of honeypots to attract these malicious botnets and capture their activity in order to gain a better understanding of how threat actors target IoT. Analysts from Nozomi Networks Labs discovered growing security concerns for both hard-coded passwords and internet interfaces for end-user credentials in this study. Nozomi Networks honeypots discovered the following between January and June 2022:

• March was the most active month with close to 5,000 unique attacker IP addresses collected.
• The top attacker IP addresses were associated with China and the United States.
• “root” and “admin” credentials were most often targeted and used in multiple variations as a way for threat actors to access all system commands and user accounts. 

Manufacturing and energy remain the most vulnerable industries in terms of vulnerability, followed by healthcare and commercial facilities. In the first half of 2022:

• CISA released 560 Common Vulnerabilities and Exposures (CVEs) – down 14% from the second half of 2021
• The number of impacted vendors went up 27%
• Affected products were also up 19% from the second half of 2021 

The “OT/IoT Security Report” from Nozomi Networks provides security professionals with the most recent insights needed to re-evaluate risk models and security initiatives, as well as actionable recommendations for securing critical infrastructure. This most recent report includes:

• A review of the current state of cybersecurity 
• Trends in the threat landscape, and solutions for addressing them 
• A recap of the Russia/Ukraine crisis, highlighting new related malicious tools and malware 
• Insights into IoT botnets, corresponding IoCs and threat actor TTPs
• Recommendations and forecasting analysis