
RESEARCH REPORT

OT/IoT Security Report
What You Need to Know to Fight Ransomware and IoT Vulnerabilities

July 2021
About Nozomi Networks Labs

Nozomi Networks Labs is dedicated to reducing cyber risk for the world’s industrial and critical infrastructure organizations. Through its cybersecurity research and collaboration with industry and institutions, it helps defend the operational systems that support everyday life.

The Labs team conducts investigations into industrial device vulnerabilities and, through a responsible disclosure process, contributes to the publication of advisories by recognized authorities.

To help the security community with current threats, they publish timely blogs, research papers and free tools.

The Threat Intelligence and Asset Intelligence services of Nozomi Networks are supplied by ongoing data generated and curated by the Labs team.

To find out more, and subscribe to updates, visit nozominetworks/labs


Table of Contents

1. Executive Summary 4

2. Ransomware Insights 9
2.1 Introduction 10
2.2 Notable Ransomware Attacks 13
2.3 Recommendations 16

3. Vulnerability Analysis 18
3.1 Introduction 19
3.2 Recommendations 23

4. IoT Security Camera Spotlight 24
4.1 Introduction 25
4.2 Recommendations 32

5. Conclusions 34
5.1 What You Need to Know to Fight Ransomware and IoT Vulnerabilities 35

6. References 37

How to Read This Report - This report is ideally read on a device. To navigate back and forth through the report, use the links in the Table of Contents, the links on section divider pages, or header links. Throughout the body of the text, words in blue take you to a location with additional information on the topic.

nozominetworks.com 3
TABLE OF CONTENTS EXECUTIVE SUMMARY RANSOMWARE INSIGHTS VULNERABILITY ANALYSIS IOT SECURITY CAMERA SPOTLIGHT CONCLUSIONS REFERENCES

1. Executive Summary

The first half of 2021 signaled a new dawn for the COVID-19 pandemic, with proof that immunization programs can dramatically reduce infection rates and disease severity.1 With a return to normal in sight for some countries with advanced economies, the global economy expanded at a rate of 5.6 percent—the strongest post-recession pace in 80 years.2

At the same time, cybercrime has continued to rise sharply, perhaps fueled by its potential for profit, while on the other hand, workforces are overwhelmed and vulnerable. Ransomware attacks, for example, are estimated to have grown 116% between January and May of this year3 and ransomware payments are increasing.4

To help defenders of OT/IoT environments and the security community, this report focuses on three important areas: ransomware, new vulnerability disclosures and the security risks of IoT security cameras. It provides insights for re-evaluating your risk models and security programs, along with actionable recommendations for securing operational systems.

Ransomware

Ransomware dominated the news headlines in the first half of 2021, particularly with the attack on Colonial Pipeline. While this notable incident did not include a direct breach of the OT network, pipeline systems were taken offline by the company, resulting in gas shortages along the U.S. East Coast.

This highlights the linkage between IT and OT risks. Even if the attack did not cross from IT to OT, operational systems were disrupted out of an abundance of caution with regards to safety.

Ransomware threats are now a board-level topic of conversation. All organizations with OT systems need to understand how these attacks are conducted and how to defend against them.

Modern ransomware attacks are increasingly executed by criminal groups using the Ransomware as a Service (RaaS) model. These groups run much like a cartel, motivated by profit and involving multiple unrelated parties acting together in an ecosystem.

MOST NOTABLE ATTACK - FIRST HALF OF 2021
Colonial Pipeline Ransomware Attack
RANSOM PAID: $4.4 million
OT IMPACTS: While the OT network was not directly breached, pipeline systems were taken offline. The company had significant losses stemming from six days of downtime and the costs of recovery.

Darkside, the group that attacked Colonial Pipeline, is an example of a RaaS. It coordinates an effort that carefully prepares and deploys malware that uses a combination of attack techniques. Often, this leads to the successful extortion of its victims.

Nozomi Networks Labs studied the internals of the DarkSide executable and revealed the malware’s techniques in three areas:
• Selecting victims and files
• Ensuring anonymity and anti-detection
• Preventing data restoration

The success of the entire attack shows the effectiveness of the RaaS model, with a division of labor that plays to the strengths of each party.

Unfortunately, another RaaS operator, REvil, also flourished in the first half of the year with high profile attacks on JBS Foods, Acer, and Quanta, amongst others. This group is setting new records with ransom demands of $50 million or more, and having tremendous impacts on business—further emphasizing the high risk organizations face from this type of threat.

Sample Ransomware as a Service Ecosystem

GROUP

Ransomware Group
• Coordinate the attack
• Use initial access provided by affiliates to further infiltrate network
• Receive the ransom and pay out all parties
Victim targeting: Capable of paying a significant ransom. Certain groups exclude victims based on location, or purpose (specific countries, hospitals, etc.)
Monetization strategy: Collect ransom
Ransom split: 20-40%

AFFILIATES (ransom split: 60-80%)

Botmasters + Account Resellers
• Provide initial access to victim networks
Victim targeting: Easy to breach
Monetization strategy: Sell access to breached networks

Developers + Packers
• Develop ransomware used in the attack
• May develop additional layers of protection for ransomware
Victim targeting: None
Monetization strategy: Sell malware samples and builders

Analysts
• Investigate target’s network to identify highest possible ransom
• Look for blackmail material
Victim targeting: None
Monetization strategy: Sell their services

Negotiators + Launderers
• Negotiate the ransom
• Launder cryptocurrency after ransom payment
Victim targeting: None

Vulnerability Research

Vulnerabilities published by ICS-CERT5 increased 44% in the first half of 2021 as compared to the second half of 2020. While the number of vendors affected rose by just 5%, the number of products rose 19%.

The top three industries affected include Critical Manufacturing, a grouping identified as Multiple Industries, and Energy. The key industry trend is that vulnerabilities solely affecting the Critical Manufacturing sector rose by 148%. This poses an additional challenge to an industry where many segments are struggling to regain momentum from pandemic-driven shutdowns.6

ICS Vulnerability Trends

+44% increase in the total number of vulnerabilities disclosed: 373 in 2020 2H, 537 in 2021 1H
+19% increase in the actual number of products affected: 139 in 2020 2H, 165 in 2021 1H

Most-disclosed CWEs
1st Out of Bounds Write (CWE-787): 45
2nd Out of Bounds Read (CWE-125): 37
3rd Improper Input Validation (CWE-20): 28
Compared to 2020 2H, CWE-787 had a +64% increase, while CWE-125 and CWE-20 each dropped down one place.

Top 3 sectors affected by vulnerabilities (did not change from 2020 2H)
1st Critical Manufacturing
2nd Multiple Industries
3rd Energy

Share of CWEs disclosed: 40% in Critical Manufacturing, 23% in Multiple Industries, 32% in all other industry categories, 6% in Energy.

+148% growth in vulnerabilities solely affecting Critical Manufacturing: 86 in 2020 2H, 213* in 2021 1H. When the 95 vulnerabilities from other industry groupings* are included, the total is 308 for 2021 1H.

* Other industry groupings refers to vulnerabilities that CISA indicates involve a group that includes, for example Commercial Facilities, Energy and Critical Manufacturing. CISA also has “Multiple” and “Multiple Sector” groups of vulnerabilities, which do not identify specific industries, and thus those numbers have not been included in industry-specific statistics.

IoT Security Camera Vulnerabilities

Today’s OT networks are very different than the OT networks of ten years ago. The fourth industrial revolution and pandemic-fueled digital transformation are driving the convergence of IT and OT. OT environments now include more off-the-shelf technology, including IT machines and IoT devices.

IoT security cameras are an example of a device that is used extensively by many organizations, including those in industrial sectors. The global video surveillance market size is expected to grow from US $45.5 billion in 2020 to US $74.6 billion by 2025, with use by the infrastructure sector growing the fastest.7

Over the last six months, Nozomi Networks has discovered and disclosed three surveillance camera vulnerabilities for companies that use Peer-to-Peer (P2P) functionality to provide remote access to audio/video streams.

We examined cameras from both Reolink and ThroughTek in our lab. While Reolink develops and uses its own P2P functionality, ThroughTek provides a P2P SDK that is used by many original equipment manufacturers (OEMs) of security cameras and IoT devices.

Our research revealed vulnerabilities for both vendors that allow anyone who gains access to users’ audio/visual (A/V) streams to see the data in cleartext.

Furthermore, in certain scenarios, the vendor has access to cleartext A/V streams and can access local user lists and passwords. This is a striking violation of confidentiality expectations.

In March of this year, a very public security camera cyberattack occurred. The affected vendor was Verkada and the outcome was that perpetrators gained access to the live video feeds of thousands of surveillance cameras.

The entry point for the attack was an internet-exposed support server. From there, the threat actors obtained privileged account credentials that eventually allowed access to A/V streams.

While remote viewing of A/V streams is a popular capability, careful due diligence is required when selecting a product and a vendor. It’s important to know what technology is used to provide remote access and what measures the vendor has taken to ensure cybersecurity and data privacy.

VIDEO SURVEILLANCE MARKET SIZE GROWTH EXPECTATION
From US $45.5 billion in 2020 to US $74.6 billion by 2025

The Live Video Feeds of 150,000 Security Cameras were Exposed in the Verkada Cyberattack
Attackers were also able to execute shell commands on breached cameras, providing an entry point for lateral movement on victims’ networks. This could lead to consequences such as data theft, ransomware deployment or system disruption.

Conclusions and Recommendations

A successful ransomware attack can be extremely debilitating, leaving victims with no other option than to meet the hackers’ demands. Taking proactive steps to prevent ransomware infection is key to significantly reducing risk.

The first area to focus on for ransomware prevention is reducing opportunities for initial access to your networks. This includes having spear-phishing protection in place, implementing security awareness training, and requiring multi-factor authentication wherever possible.

Strengthening defense in depth measures, as per the cybersecurity standard most relevant to your organization, is also important.

With ransomware attacks increasing in frequency and sophistication, adopt a post-breach mindset. For example, have a detailed plan for a failure in IT that could impact OT, complete with operational continuity and disaster recovery components.

With regards to vulnerabilities, simply knowing the numbers for a given timeframe is not the way to assess risk. Instead, assess your security fundamentals against major threats, like REvil or emerging new ransomware, and harden your attack surface.

When selecting an IoT device, bear in mind that these devices are often insecure-by-design. If you need a capability like remote viewing of surveillance video, do your due diligence on the technology and vendors under consideration.

As the pandemic becomes more manageable and economies strengthen, cybercrime will continue to rise.

To help network defenders, this report includes ten actionable measures to take now to protect your operations.

TEN MEASURES TO TAKE IMMEDIATELY
• Malware Infection Prevention
• OT Network Monitoring
• Network Segmentation
• Threat Intelligence
• Secure Remote Access
• Post-Breach Mindset
• Disaster Recovery Planning
• Attack Surface Reduction
• IoT Vendor and Device Selection
• IoT Network Monitoring

By providing insights into key areas of the threat and vulnerability landscape, this report aims to help organizations assess and enhance their security posture.

We encourage companies to move forward with improving OT/IoT visibility, security and monitoring. With the sophistication and ruthlessness of today’s adversaries, it is also important to adopt a post-breach mindset.

Continuous advancement of your IT/OT security posture is the best way to ensure the availability, safety and confidentiality of your operational systems.

2. Ransomware Insights

2.1 Introduction 10
2.1.1 Ransomware as a Service (RaaS) 10
2.1.2 The RaaS Ecosystem 11
2.1.3 Ryuk and the Ransomware Kill Chain 12
2.1.4 Automated Attack Execution 12
2.2 Notable Ransomware Attacks 13
2.2.1 DarkSide Attack on Colonial Pipeline 13
2.2.2 REvil Attack on JBS Foods and Others 14
2.2.3 Timeline of Notable Year-to-Date Ransomware Attacks 15
2.3 Recommendations 16
2.3.1 Malware Infection Prevention 16
2.3.2 OT Network Monitoring 16
2.3.3 Network Segmentation 16
2.3.4 Threat Intelligence 16
2.3.5 Secure Remote Access 16
2.3.6 Adopting a Post-Breach Mindset 17
2.3.7 Disaster Recovery Planning 17

2.1 Introduction

2.1.1 Ransomware as a Service (RaaS)

Ransomware attacks have been increasing in frequency and impact over the past several years, with attacks on industrial organizations rising 500% between 2018 and 2020.8 The high rate of growth continues upwards this year, with another 116% increase just between January and May of 2021.9

Such attacks reached new heights in May with the ransomware attack on Colonial Pipeline, a company that transports 45% of the U.S. East Coast fuel supply.10 The attack affected some of the company’s IT systems and in response, the company took certain systems offline to contain the threat, temporarily halting all pipeline operations.11 While the OT network was not directly breached, the outcome was a six-day period of gas shortages.

Next, a ransomware attack hit JBS Foods, a major meat processing company with facilities across the U.S., Australia, the UK, and other countries.12 This threat to our food supply also hit the headlines, significantly raising ransomware awareness for the public, governments, and critical infrastructure asset owners.

While neither of these attacks was executed against operational systems, each resulted in disruptions to those systems. The outages, and the media attention they generated, elevated cybersecurity discussions in board rooms around the world. It’s critical that all organizations with OT systems understand how modern ransomware attacks are conducted and how to defend against them.

Many of today’s ransomware attacks involve shadowy organizations that communicate on darknet forums—but they are anything but lightweight in terms of how they conduct their operations. While some ransomware groups are large enough to work independently and carry out every step of an attack themselves, this approach is waning. Increasingly, the Ransomware as a Service (RaaS) model, which involves many players, is gaining popularity.

The coordinated action of different parties working together, each playing to their strengths, makes ransomware groups powerful adversaries. And, with multi-step, always evolving malware available for purchase, the criminals driving ransomware attacks do not need technical skills themselves.

Ransomware Losses Are Escalating
RANSOM PAYMENTS: +43% between Q4 2020 and Q1 2021, jumping from $154,108 to $220,298.13
TOTAL LOSSES EXPECTED TO REACH $20 billion this year from global ransomware damage.14

2.1.2 The RaaS Ecosystem

DarkSide, the group made famous by its attack on Colonial Pipeline, is one example of a modern RaaS group.

These groups run much like a cartel, motivated by profit and involving multiple, unrelated parties acting together in an ecosystem.

For example, experienced malware writers focus on the development of the core ransomware code, while other parties specialize in gaining access to networks or negotiating ransoms.

The following diagram shows one model of the players involved in a RaaS organization. The structure is fluid, however, with different ransomware groups using various combinations of roles and ransom splits.15

Sample Ransomware as a Service Ecosystem

GROUP

Ransomware Group
• Coordinate the attack
• Use initial access provided by affiliates to further infiltrate network
• Receive the ransom and pay out all parties
Victim targeting: Capable of paying a significant ransom. Certain groups exclude victims based on location, or purpose (specific countries, hospitals, etc.)
Monetization strategy: Collect ransom
Ransom split: 20-40%

AFFILIATES (ransom split: 60-80%)

Botmasters + Account Resellers
• Provide initial access to victim networks
Victim targeting: Easy to breach
Monetization strategy: Sell access to breached networks

Developers + Packers
• Develop ransomware used in the attack
• May develop additional layers of protection for ransomware
Victim targeting: None
Monetization strategy: Sell malware samples and builders

Analysts
• Investigate target’s network to identify highest possible ransom
• Look for blackmail material
Victim targeting: None
Monetization strategy: Sell their services

Negotiators + Launderers
• Negotiate the ransom
• Launder cryptocurrency after ransom payment
Victim targeting: None

2.1.3 Ryuk and the Ransomware Kill Chain

In addition to the multiplicity of players involved in executing a ransomware attack, the malware itself is often made of multiple components. A prime example is the kill chain used by Ryuk ransomware group. The diagram below shows eight different components, each of which might be sourced from different developers.

Ryuk also stands out for the speed of its attacks. Depending on the targeted network, the length of time from infection to ransomware execution can be as little as a couple of hours.

This group is particularly heinous because of its targeting of healthcare facilities, which are already under pressure dealing with the COVID-19 pandemic.

Ryuk is estimated to have collected over $150 million in ransom, with an average ransom of $750,000 from each victim. Their largest confirmed payment came to 2,200 bitcoin, or approximately $34 million.16

2.1.4 Automated Attack Execution

Once a ransomware attack starts, it proceeds automatically. No further commands are needed to complete the compromise.17

For network defenders, the challenge of understanding what’s happening on the network during a ransomware attack, and reacting quickly enough, is significant.

The best defense is to prevent the attack in the first place, and tips on this are provided in the Recommendations section.

Paying Up Doesn’t Always Pay Off
80% of organizations who pay a ransom experience another attack. Nearly half of victims believe the second attack is by the same threat actors.18
8% of ransomware victims fully recover their data. On average, those that paid only got back 65% of encrypted files, and 29% could only restore less than half.19

Ryuk Kill Chain
Phishing email → BazarLoader execution → Cobalt Strike deployment → Domain discovery → ZeroLogon against DC → Additional asset discovery → Ransomware deployment

2.2 Notable Ransomware Attacks

2.2.1 DarkSide Attack on Colonial Pipeline

The malware DarkSide deployed against Colonial Pipeline is a good example of similar malware attacking organizations around the globe. Carefully prepared and deployed, it uses a combination of techniques to successfully extort its victims.

Nozomi Networks Labs studied the internals of the DarkSide executable, and revealed the techniques used by its machine code in three areas: selecting victims and files, ensuring anonymity and anti-detection, and preventing data restoration. The full details of our findings, complete with screenshots and code samples, are described in the related blog.20 Following is a summary of what we found.

Selection of Victims and Files

The malware first collects basic information about its victim’s computer systems to learn the details of the technical environment. It skips victims from certain geographical regions by checking the language used by their systems. (Notably, DarkSide does not attack systems that use Russian or other Eastern European languages.21)

[Figure: The malware obtains the affected computer’s name.]

Next, DarkSide determines what files to encrypt. If malware attempts to encrypt all the files available on the system, it quickly makes the system unusable—leaving the victim without information on how to contact the attackers. The time required to encrypt all the files also slows the attack. For both these reasons, DarkSide is particularly selective about the files it encrypts, examining file directories, names and extensions.

Preventing Data Restoration

If system administrators could quickly and easily restore the affected data without paying money to criminals, ransomware attacks would not succeed. The authors of DarkSide incorporate multiple techniques to ensure ransom is paid:

• Backup Destruction: DarkSide ensures that standard backup solutions are unusable on targeted machines. It also attempts to disable various backup solutions by searching for them by name and deleting them.

• Symmetric and Asymmetric Encryption: To balance the need to encrypt with the need to encrypt quickly, DarkSide encrypts victims’ files with a symmetric encryption algorithm and then encrypts the symmetric keys with their asymmetric public key.

DarkSide is just one example of a modern ransomware family that combines multiple time-tested techniques to achieve its goal. It also highlights the effectiveness of the RaaS model—with a division of effort that plays to the strengths of each party, threat actors have found a lucrative strategy to optimize their capabilities.

In the case of DarkSide, it is estimated that their more than 40 victims have paid $90 million in total bitcoin, with $15.5 million going to the development group and $74.7 million going to affiliates.22

Note that our blog on this topic includes DarkSide IOCs and a script for decrypting embedded strings.

Some final words on DarkSide—on May 13, 2021, the group announced it was shutting down its operations, providing decryptors to all their affiliates for the targets they attacked, and paying all outstanding financial obligations. It is speculated that media and government attention led them to retreat underground.23 The U.S. Department of Justice, for example, recovered $2.3 million of the $4.4 million ransom paid by Colonial Pipeline.24

DarkSide’s actions were followed by other ransomware operators and forums shutting down public operations. It is speculated these groups will likely resurface in the future, with different names and updated ransomware code.
Victims: 40+
Amount Paid (in bitcoin): $90 million

2.2.2 REvil Attack on JBS Foods and Others

REvil, also known as Sodinokibi, is a RaaS operator that was particularly active in the first half of 2021.

In March, the computer manufacturer Acer’s office network was hit—none of the company’s production systems were disrupted. The hackers demanded $50 million for a decryptor, vulnerability report and deletion of stolen files. Acer countered with an offer of $10 million, but it’s unknown if any payment was made.25, 26

REvil followed up the Acer attack with one on Quanta, which manufactures MacBooks for Apple. The cyber criminals claimed to have stolen blueprints for Apple’s latest products and demanded a $50 million ransom. Apparently Quanta did not pay the ransom and REvil went after Apple instead.27

In May, REvil conducted its infamous attack on JBS Foods, the largest meat producer in the world, forcing it to shut down all its U.S. beef plants. It also disrupted other American, Canadian and Australian facilities, affecting the global supply chain. The company paid an $11 million ransom to help restore operations.28

At the time of publishing this report, REvil continues to make waves with its attack on Kaseya, a provider of a Software as a Service network management tool. This cunning supply chain/ransomware attack is estimated to have impacted up to 1,500 organizations in dozens of countries around the world, including a supermarket chain in Sweden, schools in New Zealand and hundreds of U.S. companies. REvil has demanded a $70 million ransom.29

Like Darkside, the REvil ransomware group is believed to be based in Russia. Unlike Darkside, its notoriety has not yet forced it to shut down operations.

“Such an attack can be particularly insidious to address. Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts.”
Chris Grove, Technology Evangelist, Nozomi Networks, in response to the Kaseya attack30

2.2.3 Timeline of Notable Year-to-Date Ransomware Attacks

The events shown here are examples of ransomware attacks from around the world that either disrupted operations or involved large ransom demands.

FEBRUARY 2021: Kia Motors31 (Automobile Manufacturer)
Ransomware Group: DoppelPaymer. Ransom Demand: $20 Million. Ransom Paid: Unknown.

MARCH 2021: Acer32 (Computer Manufacturer)
Ransomware Group: REvil. Ransom Demand: $50 Million. Ransom Paid: Unknown.

MARCH 2021: CNA Financial33 (Cybersecurity Insurance Provider)
Ransomware Group: Phoenix. Ransom Paid: $40 Million.

APRIL 2021: RaceTrac Petroleum34 (Retail Gasoline Company)
Ransomware Group: Clop. Ransom Paid: Unknown.

APRIL 2021: Quanta35 (Technology Supplier)
Ransomware Group: REvil. Ransom Demand: $50 Million. Ransom Paid: Not Paid.

MAY 2021: Colonial Pipeline36 (Fuel Pipeline)
Ransomware Group: DarkSide. Ransom Paid: $4.4 Million.

MAY 2021: Brenntag37 (Chemical Distribution Company)
Ransomware Group: DarkSide. Ransom Demand: $7.5 Million. Ransom Paid: $4.4 Million.

MAY 2021: AXA Group38 (Cybersecurity Insurance Provider)
Ransomware Group: Avaddon. Ransom Paid: Unknown.

MAY 2021: Irish Department of Health39 (Healthcare Services)
Ransomware Group: Conti. Ransom Demand: $20 Million. Ransom Paid: Not Paid.

MAY 2021: JBS Foods40 (Global Meat/Protein Producer)
Ransomware Group: REvil. Ransom Paid: $11 Million.

2.3 Recommendations

2.3.1 Malware Infection Prevention

A successful ransomware attack can be extremely debilitating, leaving victims with no other option than to meet the hackers’ demands. At the same time, there are proactive steps your organization can take to significantly reduce risk.

Following security best practices and educating employees on security hygiene will reduce the likelihood of a breach. The first area to focus on is reducing the opportunity for initial access to your networks. This includes:
• Mail content scanning and filtering to thwart malicious campaigns
• Security awareness among all employees to avoid falling victim to phishing campaigns

2.3.2 OT Network Monitoring

Since the initial access is often gained separately from and prior to the actual ransomware attack, it’s important to continually monitor networks for intrusions and mitigate vulnerabilities as quickly as possible.

Even if a group has access to your networks, it may be possible to stop the threat before that access is used for an attack. Ransomware groups often remain inside target networks for extended periods of time, moving laterally to maximize their impact.

With OT network monitoring, if an attack occurs, it is quickly identified and alerts are sent out. This enables defenders to contain the attack through actions such as new firewall rules, or by taking further actions to stop malicious behavior.

Good cybersecurity is a process where humans and tools interact to provide the strongest possible defense. Utilizing network monitoring is a practical way to automate and accelerate threat detection, improving defenses against emerging threats.

2.3.3 Network Segmentation

Prioritize robust segmentation between IT and OT networks with firewall rules that consider the requirements of each zone.

Within the OT environment, segment the network as per the best practices outlined in the IEC 62443 standard to restrict the lateral movement of ransomware.

2.3.4 Threat Intelligence

Traditional threat detection capabilities provide context around suspicious actors related to known threats.

For example, up-to-date threat intelligence with IoCs for BazarLoader, which can signal the coming of Ryuk, helps identify intrusions and provides time for defensive action.

2.3.5 Secure Remote Access

First and foremost, only devices that are uniquely identifiable and actively managed should be used to access internal infrastructure. Authentication for VPNs and appliances should force users to pick strong passwords and make use of multi-factor authentication. Once a user is connected to the network, access controls and strongly enforced policies should be used to minimize accessible endpoints. Moreover, access to any external services should be logged and carefully monitored to detect any breach attempts or anomalies.

While remote access appliances are usually essential, they can also be a fruitful source of vulnerabilities for threat actors to exploit. For example, vulnerabilities like CVE-2019-11510 and CVE-2019-19781 have been extensively abused by various actors, so threat models should carefully evaluate this type of risk.

For some companies, it might be valuable to follow approaches like the Zero Trust

2.3.6 Adopting a Post-Breach Mindset

In addition to changing your approach to cybersecurity, like implementing a Zero Trust model, adopting a post-breach mindset can accelerate a cybersecurity cultural shift that increases resilience.

When an organization experiences a severe cybersecurity breach, they prioritize the cybersecurity conversation, mobilize budgets, and implement business continuity processes in a short amount of time. A post-breach mindset drives a dramatically lower likelihood of falling victim to a cyberattack.43

... operations safely. It’s best to practice a mindset that asks: “We’ve been breached ... now what?”

2.3.7 Disaster Recovery Planning

A post-breach mindset should include a disaster recovery plan to handle scenarios where multiple computer-based systems are affected simultaneously and production is dropped or halted completely. And, global organizations should thoroughly consider how they would handle disruptions impacting multiple geographies at the same time.

Enterprises must now be prepared for the inevitable ransomware attack. That’s why in addition to strengthening defenses, it’s equally important to invest in business resilience in the face of an attack.

This post-breach mindset establishes a strong cybersecurity culture that asks the tough questions, anticipates worst-case scenarios and establishes a
holistic model to security, where the focus is What if you could gain all these benefits A characteristic case study would be Norsk recovery and containment
on users, assets and resources rather than a without experiencing the trauma and losses Hydro, which suffered a ransomware attack
strategy aimed at maximizing
static network-based perimeter and network of a breach? in 2019, and forced to halt around 170 plants.
your organization’s resiliency,
segmentation. While it can be challenging to Its response wasn’t just action-oriented in
With ransomware attacks on industrial long before an attack occurs.
deploy and migrate to such an architecture terms of how quickly it responded to the
organization rapidly rising, it’s safer to
without impacting business continuity or technical challenges of the attack, but also Edgard Capedevielle, CEO, Nozomi
assume that you will be attacked rather than Networks, in response to the JBS
user productivity, useful case studies by on the communications side. The company
wonder if you will. And, planning for failures Foods attack45
enterprises like Microsoft41 and Google,42 choose to be completely transparent about
in IT that can impact OT helps everyone
detailing their experiences, are available. the situation and was widely praised by the
understand what it takes to maintain
security community.44
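The monitoring guidance above comes down to one routine check: compare what hosts are doing against current threat intelligence, so that an early-stage indicator (the report's example is a loader that precedes a ransomware deployment) is noticed while there is still time to contain it. The matcher below is an added example written for this edit, not code from the report or from Nozomi Networks. The feed entries, hostnames, the hash and the IP addresses are constructed placeholders (documentation ranges and `.invalid` names), not real BazaarLoader or Ryuk indicators, and the function names `parse_log`, `match_iocs`, `hosts_with_campaign_activity` and `demo_alerts` are this example's own.

```python
"""Matching threat-intelligence indicators against log lines.

Added example, not code from the Nozomi Networks report. Every indicator,
hostname, hash and address here is a constructed placeholder.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    kind: str        # "domain", "sha256" or "ip"
    value: str
    campaign: str    # family the feed attributes the indicator to (constructed label)
    last_seen: date  # when the feed last confirmed the indicator; drives the age figure


# Constructed feed: a loader indicator pair (the stage that precedes a ransomware
# deployment) plus an older ransomware infrastructure indicator.
FEED = [
    Indicator("domain", "loader-staging.example.invalid", "loader-placeholder", date(2021, 6, 28)),
    Indicator("sha256", "a" * 64, "loader-placeholder", date(2021, 6, 30)),
    Indicator("ip", "198.51.100.23", "ransomware-placeholder", date(2021, 5, 2)),
]

# Constructed log lines in a key=value format: a DNS query, a file hash event, two connections.
LOGS = [
    "2021-07-01T08:02:11Z src=10.0.5.14 type=dns query=loader-staging.example.invalid",
    "2021-07-01T08:02:40Z src=10.0.5.14 type=file sha256=" + "a" * 64 + " path=/tmp/update.bin",
    "2021-07-01T08:03:02Z src=10.0.5.14 type=conn dst=203.0.113.9 dport=443",
    "2021-07-01T08:05:55Z src=10.0.7.3 type=conn dst=198.51.100.23 dport=443",
]

# Which log field each indicator kind is compared against.
FIELD_FOR_KIND = {"domain": "query", "sha256": "sha256", "ip": "dst"}


def parse_log(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp becomes 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def match_iocs(logs, feed, today):
    """One alert dict per log line that hits an indicator.

    Every hit is reported; ioc_age_days tells the analyst how current the
    indicator is, since stale infrastructure indicators deserve review rather
    than automatic containment.
    """
    index = {(i.kind, i.value): i for i in feed}
    alerts = []
    for line in logs:
        fields = parse_log(line)
        for kind, field in FIELD_FOR_KIND.items():
            value = fields.get(field)
            hit = index.get((kind, value)) if value else None
            if hit is not None:
                alerts.append({
                    "ts": fields["ts"],
                    "src": fields["src"],
                    "campaign": hit.campaign,
                    "indicator": hit.value,
                    "ioc_age_days": (today - hit.last_seen).days,
                })
    return alerts


def hosts_with_campaign_activity(alerts, campaign):
    """Hosts that touched any indicator of the given campaign: the candidates
    to isolate and investigate before the follow-on stage arrives."""
    return sorted({a["src"] for a in alerts if a["campaign"] == campaign})


def demo_alerts(today=date(2021, 7, 1)):
    """Run the matcher over the constructed logs with a fixed 'today'."""
    return match_iocs(LOGS, FEED, today)


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

Run against the constructed input, the loader's domain and hash both fire on 10.0.5.14 within a minute, which is the window in which isolating that host is cheapest; the third alert carries a 60-day-old indicator and is flagged with its age rather than dropped.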


3 Vulnerability Analysis

3.1 Introduction 19
3.1.1 ICS Vulnerabilities 19
3.1.1.1 Supply Chain Vulnerabilities 21
3.1.2 Medical Device Vulnerabilities 22
3.2 Recommendations 23
3.2.1 Attack Surface Reduction 23

3.1 Introduction

3.1.1 ICS Vulnerabilities

Industrial Control Systems (ICS) typically include many devices, both legacy and new, that are not designed with today’s security requirements in mind. Over the last decade, industrial and OT networks have increasingly become targets, as researchers reveal more and more vulnerabilities that could be exploited by opportunistic threat actors.

To help defenders, Nozomi Networks Labs analyzed the new vulnerabilities published by ICS-CERT, a program run by CISA, a U.S. government body.46 While there are other sources of vulnerabilities than ICS-CERT, if a vulnerability is important, it is covered by ICS-CERT.

Vulnerabilities increased 44% in the first half of 2021 as compared to the second half of 2020. While the number of vendors affected rose by just 5%, the number of products rose 19%.

[Figure: 2020 2H vs 2021 1H. Total number of vulnerabilities disclosed: 373 vs 537 (+44% increase). Vendors affected by the vulnerabilities disclosed: 57 vs 54 (-5% decrease). Actual number of products affected: 139 vs 165 (+19% increase).]

The top three industries affected include Critical Manufacturing, a grouping identified as Multiple Industries by CISA, and Energy. The most important detail of the industry breakdown is that vulnerabilities solely affecting the Critical Manufacturing sector rose by 148%. This poses an additional challenge to an industry where many segments are struggling to regain momentum from pandemic-driven shutdowns.47

Analyzing new vulnerabilities helps organizations understand which ICS devices or software have recently come under public scrutiny and is an input into determining security priorities.


[Figure: vulnerabilities solely affecting Critical Manufacturing rose from 86 in 2020 2H to 213* in 2021 1H (+148% growth). When the 95 vulnerabilities from other industry groupings* are included, the total is 308 for 2021 1H.]

[Figure: vulnerabilities solely affecting the Energy sector fell from 44 in 2020 2H to 30* in 2021 1H (-32% decrease). When the 133 vulnerabilities from other industry groupings* are included, the total is 163 for 2021 1H.]

Most-disclosed CWEs in 2021 (number of vulnerabilities):
• Out of Bounds Write (CWE-787): 45
• Out of Bounds Read (CWE-125): 37
• Improper Input Validation (CWE-20): 28
• Integer Overflow or Wraparound (CWE-190): 28
• Stack-Based Buffer Overflow (CWE-121): 22

Compared to 2020 2H, CWE-787 had a +64% increase, while CWE-125 and CWE-20 each dropped down one place.

Top 3 sectors affected by vulnerabilities did not change from 2020 2H: 1st Critical Manufacturing, 2nd Multiple Industries, 3rd Energy.

[Figure: share of CWEs disclosed by sector. 40% in Critical Manufacturing, 23% in Multiple Industries, 6% in Energy, 32% in all other industry categories.]

* Other industry groupings refers to vulnerabilities that CISA indicates involve a group that includes, for example, Commercial Facilities, Energy and Critical Manufacturing. CISA also has “Multiple” and “Multiple Sector” groups of vulnerabilities, which do not identify specific industries, and thus those numbers have not been included in industry-specific statistics.


3.1.1.1 Supply Chain Vulnerabilities

Analyzing the raw data extracted from ICS advisories tells one aspect of the vulnerability story. A second aspect emerges when we perform a further, more specific analysis. Quite a few of the vulnerabilities disclosed in 2021 H1 are in fact related to the software supply chain behind ICS products. Software supply chain is a very broad term that doesn’t necessarily capture the nuances of each specific situation.

For example, there are advisories such as icsa-21-131-04,48 where some of the documented vulnerabilities refer to known security issues in the secure remote access component from the vendor VNC. The new advisory reflects the fact that it is now known that the Siemens product containing the VNC component has the vulnerabilities too. This advisory also shows how the vendor itself—Siemens—is proactively researching and reporting issues to ICS-CERT.

Other advisories such as icsa-21-019-01,49 refer to new vulnerabilities in a software component, such as dnsmasq. In this case the software component is used in a countless number of products, some of which are used in ICS.

Finally there are advisories such as icsa-20-203-01,50 initially released in 2020, that describe vulnerabilities in a license server used in ICS products. The advisory was recently updated to include new targets that are now known to be vulnerable.

For asset owners, the first step to improving security posture is to identify the products, and their components, that are reachable through the network. This reveals the initial attack surface, and recommendations for securing it are provided in section 3.2.1.


3.1.2 Medical Device Vulnerabilities

Besides advisories for ICS, CISA also publishes vulnerability advisories for medical equipment. These advisories are labeled ICSMA to distinguish them. Although there are thousands of medical device manufacturers in the U.S., not to mention others made globally and used in the U.S., very few companies are coordinating vulnerability disclosures with CISA.51

In the first half of 2021 there were 537 ICS advisories disclosed and only 25 medical device ones.

The trend with ICS-CERT medical advisories is that each one bundles together several vulnerabilities. Based on our experience researching vulnerabilities in this sector, this is an indication of two phenomena.

First, accessing medical devices and their corresponding software is a challenge for security researchers. While this is understandable for scarce medical hardware during a pandemic, the software part of the equipment does not have the same intrinsic limitations. Nonetheless, the opportunity to conduct a security assessment of a medical software solution is a privilege for many researchers.

Second, based on data, it appears that medical platforms tend to have a high vulnerability density. This suggests that these products have a lower cybersecurity maturity level as compared to products that face the daily scrutiny of attackers, such as browsers.

The vulnerability data from the two periods shown in the charts to the right is too limited to assume that it represents a meaningful trend. It is simply a starting point for understanding the types of vulnerabilities in medical devices. Furthermore, the low number of vulnerabilities does not mean that these devices are inherently safer than other ICS devices—rather, it likely reflects limited research.

[Chart: ICS medical advisories decreased in several areas, 2020 2H vs 2021 1H. Disclosed vulnerabilities: 55 vs 25. Affected vendors: 13 vs 9. Affected products: 8 vs 6.]

[Chart: Medical Device Top CWEs Summary. 2021 1H: Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting') (CWE-79): 2; 23 other unique CWEs: 1 each. 2020 2H: Improper Authentication (CWE-287): 6; Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting') (CWE-79): 4.]


3.2 Recommendations

3.2.1 Attack Surface Reduction

To reduce risk, organizations should carefully monitor their attack surface and limit the exposure of services to those strictly required for proper operations. This concept applies to systems accessible from the open internet, to limit the probability of a remote attacker gaining a foothold within a network. It also applies to systems internal to a network, to reduce the opportunity for lateral movement of threat actors.

Once this methodology has been applied at the infrastructure level, it can be further employed at the granularity of single applications. For example, limiting the functionality available in the authentication and authorization of medical software programs.

CISA’s recommendations for reducing exposure across operational technologies include a section on having a resilience plan, which applies equally to ICS and medical systems.52
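Section 3.1.1.1 and the attack surface reduction recommendation above amount to one check for an asset owner: find every product that bundles an affected component, then separate the ones that actually expose that component on the network from the ones that merely carry it, and list any listening service a product does not need. The code below is an added example written for this edit, not code from the report or from Nozomi Networks. The three advisory identifiers are the ones the report discusses and the component kinds (a VNC server, dnsmasq, a license server) are the ones it mentions; the inventory, host addresses, version strings, port numbers and the function names `affected_products`, `prioritized` and `excess_exposure` are constructed for the example.

```python
"""Mapping component-level advisories to the products that expose them.

Added example, not code from the Nozomi Networks report. Advisory identifiers
are the ones the report names; products, versions, hosts and ports are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Product:
    name: str
    host: str
    components: Dict[str, str]   # component -> installed version (constructed)
    listening: Set[int]          # ports reachable from the network (constructed)
    required: Set[int]           # ports the product actually needs for operations (constructed)


@dataclass
class Advisory:
    ident: str
    component: str               # the software component the advisory concerns
    affected_versions: Set[str]  # constructed version strings
    service_port: Optional[int]  # port the component serves on when network-facing (constructed)


# Constructed inventory: an HMI that bundles a VNC server and dnsmasq, a gateway
# running dnsmasq, a workstation with a license server that is not listening, a PLC.
INVENTORY = [
    Product("hmi-a", "10.1.1.10", {"vnc-server": "5.3", "dnsmasq": "2.80"}, {5900, 80}, {5900}),
    Product("gateway-b", "10.1.1.20", {"dnsmasq": "2.80"}, {53}, {53}),
    Product("eng-ws-c", "10.1.1.30", {"license-server": "1.2"}, set(), set()),
    Product("plc-d", "10.1.1.40", {"runtime": "4.1"}, {502}, {502}),
]

# The report's three advisories, paired with constructed version ranges and ports.
ADVISORIES = [
    Advisory("icsa-21-131-04", "vnc-server", {"5.3"}, 5900),
    Advisory("icsa-21-019-01", "dnsmasq", {"2.80"}, 53),
    Advisory("icsa-20-203-01", "license-server", {"1.2"}, 27000),
]


def affected_products(inventory: List[Product], advisories: List[Advisory]) -> List[Tuple[str, str, bool]]:
    """(product, advisory, exposed) for every product carrying an affected component.

    A product is affected as soon as it bundles the component; it is exposed
    only when that component's service port is actually listening, which is
    what puts it on the network attack surface.
    """
    hits = []
    for product in inventory:
        for adv in advisories:
            installed = product.components.get(adv.component)
            if installed in adv.affected_versions:
                exposed = adv.service_port in product.listening
                hits.append((product.name, adv.ident, exposed))
    return hits


def prioritized(hits):
    """Network-reachable findings first: those are the ones to patch or segment now."""
    return sorted(hits, key=lambda h: (not h[2], h[0], h[1]))


def excess_exposure(product: Product) -> Set[int]:
    """Listening ports the product does not need: candidates for attack-surface reduction."""
    return product.listening - product.required


if __name__ == "__main__":
    for hit in prioritized(affected_products(INVENTORY, ADVISORIES)):
        print(hit)
```

On the constructed inventory the HMI is affected by two advisories but exposes only the VNC one, because dnsmasq's port is not listening there; the workstation carries the license server without exposing it at all. The HMI's port 80 shows up as unneeded exposure, which is exactly the kind of service the recommendation says to switch off.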


4 IoT Security Camera Spotlight

4.1 Introduction 25
4.1.1 Security Cameras and Remote Access to Audio/Visual Streams 25
4.1.2 P2P Architecture 26
4.1.3 Reolink Research Findings 27
4.1.4 ThroughTek Research Findings 29
4.1.5 Verkada Security Camera Breach 30
4.2 Recommendations 32
4.2.1 Vendor and Security Camera Selection 32
4.2.2 Deploy Network Monitoring Before Deploying IoT Devices 32


4.1 Introduction

4.1.1 Security Cameras and Remote Access to Audio/Visual Streams

IoT security cameras are used extensively by industrial and critical infrastructure sectors. According to research firm Markets and Markets, the global video surveillance market size is expected to grow from US $45.5 billion in 2020 to US $74.6 billion by 2025.53 The infrastructure sector—including transportation, city surveillance, public places, and utilities—is expected to have the highest growth rate during that period. Given the prevalence and growing use of IoT cameras, it’s important to understand their security risks.

Over the last six months, Nozomi Networks has discovered and disclosed three surveillance camera vulnerabilities for companies that use Peer-to-Peer (P2P) functionality to provide access to audio/video streams. Additionally, we’ve reported on an IoT security camera cyberattack that resulted in unauthorized access to the live video feeds of 150,000 surveillance cameras and their full archive.54

To protect organizations from security camera risk and contribute to the security community at large, we’re sharing the insights we gained through researching surveillance system vulnerabilities. We also provide guidance on vendor considerations and how to mitigate risks.

Security cameras are often part of a system that provides remote access to audio/video (A/V) streams. This capability can be achieved with a P2P functionality, which involves sharing data over the internet.

The end user does not know exactly how the data is being transmitted or how secure the transmission is. Unfortunately, the data sharing technology being used is not necessarily secure.

The aim of P2P is to avoid having to explicitly configure a firewall to provide users with remote video data. Instead, a connection is established through a set of techniques commonly defined by the umbrella term “hole punching”. The technical details vary between vendors and third-party providers of this functionality. However, a typical scenario involves an internet-reachable node which acts as a mediator between the client who wants to access the A/V stream and the device that serves the data. The device could be a camera or a network video recorder (NVR), a specialized device that stores video data.

In August 2020, security researcher Paul Marrapese published extensive research detailing security issues affecting the P2P implementations of some vendors.55 By exploiting these vulnerabilities, an attacker can intercept the A/V stream at will.

What concerned Nozomi Networks Labs the most about Marrapese’s brilliant work was the sheer number of end users affected by the problems identified, and the lack of official documentation describing how P2P functionality works.

By examining devices we had in our lab, it became clear that the privacy and security implications of using a camera’s “P2P” feature are not clearly explained to users.


4.1.2 P2P Architecture

The P2P architecture used for remote video viewing is very similar across different vendors, including Reolink and ThroughTek. While Reolink develops and uses its own P2P functionality, ThroughTek provides a P2P SDK that is used by many OEMs of security cameras and IoT devices.

Here are the steps required for remote viewing of an A/V stream:

0. The Vendor P2P Server (V-P2P-S) is available as a host accessible on the internet.
1. The Customer P2P Server (C-P2P-S) starts up and, if the P2P functionality is active, communicates its UID and IP address to the V-P2P-S.
2. The End User Client (EUC) sends the V-P2P-S the UID of the C-P2P-S.
3. The V-P2P-S sends the EUC username/password to the C-P2P-S.
4. The EUC is authenticated and starts viewing the A/V stream.

Sample P2P Architecture Diagram:
• Vendor P2P Server (V-P2P-S): allows the C-P2P-S to connect to the EUC.*
• Customer P2P Server (C-P2P-S): sends its UID identifier to the V-P2P-S; transmits the A/V stream.
• End User Client (EUC): sends the UID to the V-P2P-S; once authenticated, views A/V streams.
• Arrows: 1. C-P2P-S registers its UID and IP with the V-P2P-S. 2. EUC sends the UID of the C-P2P-S to the V-P2P-S. 3. V-P2P-S sends the username and password to the C-P2P-S. 4. EUC views the A/V stream from the C-P2P-S.

* In general, the V-P2P-S only handles the “directory” part of the protocol. It does not proxy the A/V stream. However, if the performance of the connection between the C-P2P-S and the EUC is low, it might proxy the A/V stream.
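The five-step exchange above, simulated end to end so that each party's view of the traffic can be inspected, with switches for the relay mode described in the footnote and for end-to-end encryption of the stream. This is an added example written for this edit, not vendor code and not code from the report: the party names (V-P2P-S, C-P2P-S, EUC) and step numbering follow the report, while the message shapes, the UID value, the credentials, the frame bytes and the key are constructed. The XOR keystream is a stand-in for a real AEAD cipher and exists only to show what the directory node can and cannot read; `run_scenario` and `remote_view` are this example's own names.

```python
"""Simulation of the P2P directory/relay exchange from the report's step list.

Added example, not vendor code. UID, credentials, frame bytes and key are constructed;
xor_cipher stands in for a real cipher and must not be used as one.
"""
import hashlib
import hmac

UID = "UID-CONSTRUCTED-0001"
FRAME = b"constructed A/V frame 0001"
# In a real design this key is agreed between EUC and C-P2P-S and never passes the V-P2P-S.
E2E_KEY = hashlib.sha256(b"constructed demo key").digest()


def keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for a real cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class VendorP2PServer:
    """V-P2P-S: the directory node. It records everything that crosses it."""

    def __init__(self):
        self.directory = {}   # UID -> IP address of the registered C-P2P-S
        self.observed = []    # what this node was able to see

    def register(self, uid, ip):                                # step 1
        self.directory[uid] = ip
        self.observed.append(("register", uid, ip))

    def lookup(self, uid):                                      # step 2
        self.observed.append(("lookup", uid))
        return self.directory.get(uid)

    def forward_credentials(self, cps, username, password):     # step 3
        self.observed.append(("credentials", username, password))
        return cps.authenticate(username, password)

    def relay(self, frame):                  # footnote: proxies the stream when the direct path is poor
        self.observed.append(("relay", frame))
        return frame


class CustomerP2PServer:
    """C-P2P-S: the NVR or camera serving the stream."""

    def __init__(self, uid, ip, users, e2e_key=None):
        self.uid, self.ip, self.users, self.e2e_key = uid, ip, users, e2e_key

    def start(self, vps):
        vps.register(self.uid, self.ip)

    def authenticate(self, username, password):
        expected = self.users.get(username, "")
        return hmac.compare_digest(expected.encode(), password.encode())

    def stream_frame(self, frame):                              # step 4, producer side
        return xor_cipher(self.e2e_key, frame) if self.e2e_key else frame


def remote_view(vps, cps, uid, username, password, relay=False, e2e_key=None):
    """Steps 2-4 from the End User Client's side; returns the decoded frame or None."""
    if vps.lookup(uid) is None:
        return None
    if not vps.forward_credentials(cps, username, password):
        return None
    wire = cps.stream_frame(FRAME)
    if relay:
        wire = vps.relay(wire)
    return xor_cipher(e2e_key, wire) if e2e_key else wire


def run_scenario(relay: bool, e2e: bool):
    """Return (frame the EUC sees, vendor node saw the cleartext frame, vendor node saw the password)."""
    key = E2E_KEY if e2e else None
    vps = VendorP2PServer()
    cps = CustomerP2PServer(UID, "203.0.113.10", {"admin": "constructed-pw"}, key)
    cps.start(vps)
    frame = remote_view(vps, cps, UID, "admin", "constructed-pw", relay=relay, e2e_key=key)
    saw_frame = ("relay", FRAME) in vps.observed
    saw_password = ("credentials", "admin", "constructed-pw") in vps.observed
    return frame, saw_frame, saw_password
```

Three runs make the report's point concrete: with a direct path the directory never touches the stream; once relay mode is on and the stream is not end-to-end encrypted, the vendor node holds the cleartext frames; with end-to-end encryption the relay still forwards the stream but sees only ciphertext. In all three runs the credentials pass through the vendor node, because step 3 of the design routes them that way, so encrypting the stream alone does not change what the directory learns about the account.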


4.1.3 Reolink Research Findings

In our research lab we created a setup similar to the one described in the Reolink documentation and shown in the P2P architecture diagram on the previous page. Our scope, however, was limited to understanding how the A/V stream was secured when traversing the internet. We used a combination of background research and reverse engineering to dissect and analyze the traffic between the components of the P2P architecture. You can learn the technical details of how we did this in our blog on this topic.56

Surprisingly, our findings showed that the communication between the NVR and the P2P client was lacking any sort of secure key exchange encryption. In our own tests we were able to reproduce the A/V content in cleartext.

Security Cameras with P2P Functionality Pose a High Confidentiality Risk: anyone who gains access to client/NVR traffic can view the A/V stream. Furthermore, the P2P vendor also has access to cleartext A/V streams when the relay feature is used.

VULNERABILITIES DISCLOSED BY NOZOMI NETWORKS
Reolink P2P Protocol Deobfuscation and Credentials Leak — CVE-2020-25173
Vendor: Reolink
Equipment: P2P Protocol
Sector: Communications
Disclosure Date: Jan. 19, 2021
ICS Advisory: ICSA-21-019-02
CWE-321 Use of Hard-coded Cryptographic Key
CWE-319 Cleartext Transmission of Sensitive Information
Description: The communication between Reolink NVR, P2P servers and applications is obfuscated with a custom protocol that relies on a hardcoded key. By deobfuscating the protocol, it is possible to access the cleartext content of the communication. During the tests, this was observed to contain the P2P credentials.


In some situations, the connection between a client and the NVR is not stable enough. In these cases, the Reolink P2P implementation allows for the P2P server to act as a relay node, effectively behaving as a man-in-the-middle. Coupling the lack of end-to-end encryption with the relay feature de facto exposes the cleartext A/V stream to the vendor.

While investigating the protocol exchange between the Reolink P2P server and the NVR, we noticed another security issue. The vendor’s server also pulls together the list of local users registered with the NVR and their corresponding cleartext passwords.

The immediate consequence of this design is that an actor who can access this network traffic can fetch the local users’ credentials. With a bit of protocol deobfuscation, they can log into the NVR using a regular Reolink client.

We struggle to understand why the vendor wants this sort of credential information and access.

P2P Security Camera Vendors Can View Video Streams and Access User Credentials: vendors can view cleartext audio/visual streams and access local user lists and passwords—a striking violation of confidentiality expectations.

VULNERABILITIES DISCLOSED BY NOZOMI NETWORKS
Reolink P2P Video/Audio Lack of Encryption and Stream Reconstruction — CVE-2020-25169
Vendor: Reolink
Equipment: P2P Protocol
Sector: Communications
Disclosure Date: Jan. 19, 2021
ICS Advisory: ICSA-21-019-02
CWE-321 Use of Hard-coded Cryptographic Key
CWE-319 Cleartext Transmission of Sensitive Information
Description: Reolink P2P video/audio stream is transmitted without any encryption. Any actor who can access the client/NVR traffic as it traverses the internet can access its content with no confidentiality for the parties involved.


4.1.4 ThroughTek Research Findings

While the Reolink vulnerabilities applied to their own security cameras, the situation with ThroughTek is different. ThroughTek creates a software component that is part of the supply chain for many original equipment manufacturers (OEMs) of consumer-grade security cameras and IoT devices. The company states that its solution is used by several million connected devices.57

ThroughTek’s P2P Software Development Kit (SDK) uses the same P2P design architecture as Reolink to provide remote access to audio/visual streams.

A peculiarity of P2P SDKs, though, is that OEMs are not just licensing a P2P software library. They also receive infrastructure services (the offsite P2P server) for authenticating clients and servers and handling the A/V stream.

We researched the ThroughTek P2P SDK by testing it with an NVR in our lab. The technical details of this work are detailed in our blog.58

P2P Security Camera and IoT Vulnerabilities Are Widespread: ThroughTek’s P2P SDK is used by many vendors, for millions of assets. It’s difficult for organizations or individuals to know if this software component is used in their devices. The best way to ensure privacy and confidentiality is to disable remote viewing functionality.

VULNERABILITIES DISCLOSED BY NOZOMI NETWORKS
ThroughTek P2P SDK — CVE-2021-32934
Vendor: ThroughTek
Equipment: P2P SDK
Sector: Communications
Disclosure Date: June 15, 2021
ICS Advisory: ICSA-21-166-01
CWE-319 Cleartext Transmission of Sensitive Information
Description: The affected ThroughTek P2P products do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds.


Our findings resulted in the discovery and disclosure of a vulnerability regarding the cleartext exposure of sensitive information.

The consequences of the vulnerabilities of both Reolink and ThroughTek are similar: since this traffic traverses the internet, an attacker who is able to access it can reconstruct the A/V stream.

Because ThroughTek’s P2P library has been integrated by multiple vendors into many different devices over the years, it’s virtually impossible for a third party to track the affected products. The threat model under which this type of vulnerability is exploitable is the limiting factor for its actual impact.

In essence, any actor that can access network traffic between the NVR and the end user, including the P2P third-party server provider in some scenarios, could access and view confidential A/V streams.

4.1.5 Verkada Security Camera Breach

While P2P vulnerabilities may or may not result in breaches and exposure of confidential information, in March of this year a very public security camera cyberattack occurred.

The affected vendor was Verkada and the outcome was that perpetrators gained access to the live video feeds of 150,000 surveillance cameras. Unauthorized viewing of images from inside hospitals, jails and manufacturing facilities brought home the risks involved in leveraging IoT devices for legitimate business purposes. Most of the victims of this attack only found out about it when images of their facilities were shared over the internet.

Technical details provided by the vendor indicate the attackers gained access to an internet-exposed server used by Verkada’s support team to carry out maintenance operations on customer cameras. Within this system, the intruders gained privileged account credentials that eventually allowed access to surveillance cameras deployed at thousands of customer sites.

In addition to acquiring the video streams, the attackers were able to execute shell commands on the breached cameras.59 This is particularly worrisome because it’s unlikely that all Verkada customers deployed the devices in a perfectly secured Zero Trust environment.

Although the v
endor declared that all the shell commands issued through the internal tool were logged, from the point of view of a breached end user, this information might not be enough to investigate the situation. It’s always difficult to predict what an advanced malicious actor, with a specific plan in mind, can come up with.

Furthermore, it’s not uncommon for anybody with red team experience to prepare an engagement where the only entry point within an organization is represented by a shell on an IoT device. In these scenarios, a popular option is to upload the tools required for lateral movement on a third-party website, then download the tools and run them from the IoT device, based on the specific needs.

The Live Video Feeds of 150,000 Security Cameras were Exposed in the Verkada Cyberattack: attackers were also able to execute shell commands on the breached cameras, providing an entry point for lateral movement on victims’ networks. This could lead to consequences such as data theft, ransomware deployment or system disruption.

[Figure: Testing of a Verkada D40 camera in the Nozomi Networks lab showed that it interacts with several external hosts for regular firmware updates, remote access to the video feed and maintenance operations.]


4.2 Recommendations

4.2.1 Vendor and Security Camera Selection

Whether you’re an organization in the critical infrastructure, manufacturing or government sector, or a home user of security cameras, careful due diligence when purchasing security cameras is highly recommended.

If you want to take advantage of remote viewing of A/V streams, ask these questions:

• What measures has the vendor taken to ensure cybersecurity and data privacy?
• What technology is used to provide remote access? If a software component is involved, what is it and how secure is it?
• What is the reputation of the vendor(s)? What are their privacy policies?
• What is the jurisdiction of the vendor(s)? What laws are in place to ensure the confidentiality of your data?

Regarding security systems that use P2P functionality, only enable this functionality if the vendor can provide a thorough technical explanation of its design. How do they ensure that the algorithms used in their products are secure?

Overall, it’s important to carefully evaluate the trade-offs between simple-to-use remote viewing capabilities, and the privacy and security risks of security camera systems.

4.2.2 Deploy Network Monitoring Before Deploying IoT Devices

Network monitoring is a foundational element of mature security programs for IT networks but is mainly in the adoption phase for OT and IoT environments. It is especially important in these environments, however, as they are particularly lacking secure-by-design products and systems.

The functioning of IoT devices is often opaque, but monitoring their network behavior with anomaly detection provides much-needed alerts that highlight unusual behavior.

In the case of the Verkada cyberattack, for example, a network learning system would understand that communication with api.control.verkada.com and index.control.verkada.com over HTTPS is expected for this device and use that as a behavior baseline. If an attacker were to remotely access a shell running on the device through the vendor’s interface, any action they then take would deviate from the established baseline, and be flagged as an alert.

With the goal of further compromising the target network using the camera as a launchpad, an attacker would have to perform reconnaissance to better understand the target. This would involve activities such as port scanning or credential guessing against hosts inside the local network. Both are clear deviations from the device’s established baseline behavior and would generate timely anomaly alerts.

Detecting post-infection nefarious activities is fairly trivial with network monitoring technologies like those from our company. And, it’s important to recognize that today we’re discussing Verkada, but tomorrow it will be a new vendor, and yesterday was a different attack.

Knowing that the threat of attack is constant, it’s crucial to have independent and reliable cybersecurity monitoring technology already in place to manage the risks posed by IoT security cameras.


Furthermore, having monitoring in place before an incident happens can mean the difference between fully recovering, and not.

If the response plan is simply to patch up the infected devices—without tracing the rest of the attackers’ footsteps—you’ll likely end up needing multiple remediations. The malicious code could still be in another part of the enterprise, and operators may have to disinfect and attempt to remove malicious code again.

Understanding the following is as important as identifying the initial attack vector:

• Reconnaissance activities: what the attackers searched for
• Lateral movement: where they navigated to
• Persistence: what other systems they may have breached
• Exfiltration: what data was compromised or downloaded

Not having these types of records severely impacts the recovery efforts.

In a Zero Trust model, using a cybersecurity monitoring system to watch for signs of infection could have reduced the impacts to some of Verkada’s victims. For example, one publicly known victim became aware of their infection only after it was revealed in posts on Twitter. Had behavior monitoring and anomaly detection been in place, the company’s cybersecurity team would have been alerted on initial connection attempts from the infected device. This would have provided them with the opportunity to respond before the attackers were able to do any further damage.
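The behavior baseline argued for in 4.2.2, and the record of reconnaissance and lateral movement that the list above says responders need, can be shown with a few dozen lines over flow records. This is an added example written for this edit, not Nozomi Networks product logic. The two expected hostnames are the ones the report names for the camera; every flow record, internal address, port, threshold and function name (`learn_baseline`, `baseline_deviations`, `detect_port_scan`, `detect_credential_guessing`, `alerts`) is constructed for the example. The learning window stands for monitoring that was deployed before the device went into production.

```python
"""Behavior-baseline anomaly detection for an IoT camera over constructed flow records.

Added example, not Nozomi Networks product logic. Hostnames are the two the report
names; all flow records, internal addresses, ports and thresholds are constructed.
"""
from collections import defaultdict

# Constructed flow records: (timestamp, source device, destination, port, outcome)
LEARNING_FLOWS = [
    ("2021-03-01T09:00:00Z", "camera-01", "api.control.verkada.com", 443, "ok"),
    ("2021-03-01T09:00:04Z", "camera-01", "index.control.verkada.com", 443, "ok"),
    ("2021-03-01T09:10:00Z", "camera-01", "api.control.verkada.com", 443, "ok"),
]

INCIDENT_FLOWS = [
    ("2021-03-09T10:00:01Z", "camera-01", "api.control.verkada.com", 443, "ok"),
    # reconnaissance: one internal host probed on many ports
    *[("2021-03-09T10:01:%02dZ" % i, "camera-01", "10.20.0.15", port, "refused")
      for i, port in enumerate((21, 22, 23, 80, 135, 139, 445, 3389, 5900, 8080))],
    # credential guessing: repeated authentication failures against one service
    *[("2021-03-09T10:02:%02dZ" % i, "camera-01", "10.20.0.40", 22, "auth_failed")
      for i in range(6)],
    ("2021-03-09T10:03:00Z", "camera-01", "index.control.verkada.com", 443, "ok"),
]


def learn_baseline(flows):
    """Destinations seen per device during a clean learning window."""
    baseline = defaultdict(set)
    for _, src, dst, port, _ in flows:
        baseline[src].add((dst, port))
    return dict(baseline)


def baseline_deviations(flows, baseline):
    """Flows to a (destination, port) the device was never seen using."""
    return [f for f in flows if (f[2], f[3]) not in baseline.get(f[1], set())]


def detect_port_scan(flows, min_ports=8):
    """One device touching many distinct ports on one host reads as reconnaissance."""
    ports = defaultdict(set)
    for _, src, dst, port, _ in flows:
        ports[(src, dst)].add(port)
    return [(src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports]


def detect_credential_guessing(flows, min_failures=5):
    """Repeated authentication failures from one device against one service."""
    failures = defaultdict(int)
    for _, src, dst, port, outcome in flows:
        if outcome == "auth_failed":
            failures[(src, dst, port)] += 1
    return [(src, dst, port, n) for (src, dst, port), n in failures.items() if n >= min_failures]


def alerts(flows, baseline):
    """Alert tuples: the first element names the detection, the rest locate it.

    The deviation alert carries the first-seen timestamp, which is the
    'initial connection attempt' a responder wants to anchor the timeline on.
    """
    out = []
    deviations = baseline_deviations(flows, baseline)
    if deviations:
        out.append(("baseline_deviation", deviations[0][0], len(deviations)))
    for src, dst, n in detect_port_scan(deviations):
        out.append(("port_scan", src, dst, n))
    for src, dst, port, n in detect_credential_guessing(deviations):
        out.append(("credential_guessing", src, dst, port, n))
    return out


if __name__ == "__main__":
    for alert in alerts(INCIDENT_FLOWS, learn_baseline(LEARNING_FLOWS)):
        print(alert)
```

The two scanners run only over flows that already deviate from the baseline, so the camera's expected HTTPS traffic never feeds them; on the constructed incident data the first deviation is timestamped, the port sweep against 10.20.0.15 and the login failures against 10.20.0.40 each produce one alert, and the same records double as the reconnaissance and lateral movement evidence the recovery checklist asks for.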


5 Conclusions

5.1 What You Need to Know to Fight Ransomware and IoT Vulnerabilities 35


5.1 What You Need to Know to Fight Ransomware and IoT Vulnerabilities

In a dynamic and escalating threat environment, this report highlights security risks in three threat areas. These are ransomware, new vulnerability disclosures and the security risks of IoT security cameras.

Understanding these risks and thinking through the consequences of your organization being attacked or exposed by them should help you re-evaluate your cybersecurity posture.

As ransomware and vulnerabilities proliferate, make sure your defenders have the tools they need. This includes real-time visibility of IT, OT and IoT assets and actionable threat and vulnerability information.

The Colonial Pipeline breach is a dramatic and instructive example of the significant risks of ransomware. While the OT network was not directly breached, pipeline systems were shut down for six days. This attack highlights the linkage that exists between IT and OT, even if the malware does not cross between systems.

We urge you to adopt a post-breach mindset, intensify your focus on cyber resiliency, and review your business continuity plans. This includes making sure your security teams can act quickly if a breach occurs, and work hand-in-hand with other business groups for disaster recovery.

Vulnerability disclosures are on the rise and will continue to be a challenge for security teams. Monitoring ICS-CERT advisories, prioritizing vulnerabilities and patching or mitigating to combat the top risks are a cornerstone of any industrial security program.

The post-pandemic economy is speeding up, increasing demands on critical infrastructure, manufacturing and demand across all sectors.

It’s more important than ever to secure operational technology systems. In this regard, security gaps related to people, processes and technology have a large impact. For example, the separation of IT and OT in organizations with increasingly connected IoT and OT systems can lead to blind spots.

The overall cybersecurity market has realized that preventing all attacks is an unrealistic goal. Emphasis is shifting to detecting potential attacks and limiting intruders’ ability to achieve their objectives if they gain access. The shift underway is toward a zero trust or deny-by-default security posture.[60]


The right technology and threat information can greatly assist by providing integrated information that eliminates blind spots. For example, the Nozomi Networks solution significantly advances OT/IoT visibility and cybersecurity, plus it integrates with IT tools and processes.

Our solution automatically creates a current inventory and visualization of all assets in OT and IoT environments, revealing the complete attack surface. It delivers ongoing threat and vulnerability intelligence that reduces both the mean-time-to-detection and the mean-time-to-response. It also monitors behavior for anomalies and threats, and alerts security teams to changes that could indicate advanced attacks or critical incidents.

To facilitate cybersecurity across large, complex distributed networks, Nozomi Networks Vantage provides SaaS-powered security and visibility for OT and IoT networks. It is an easy-to-deploy, easy-to-access solution that delivers the immediate awareness of cyber threats, risks and anomalies needed to respond faster and ensure operational resilience.

Find Out About Vantage

Nozomi Networks Vantage™ leverages the power and simplicity of SaaS to boost operational resilience across OT, IoT, and IT networks. Find out why global industry leaders choose Nozomi Networks to secure their operational technology systems.


6. References
1. “When will the COVID-19 Pandemic End?,” Charumilind, S., Craven, M., Lamb, J., Sabow, A., & Wilson, M., McKinsey & Company, March 29, 2021.
2. “Global Economic Prospects,” The World Bank, June 8, 2021.
3. “Already a Record-Breaking Year for Ransomware, 2021 May Just Be Warming Up,” Wolff, A., SonicWall, June 21, 2021.
4. “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound,” Coveware, April 26, 2021.
5. “ICS-CERT Advisories,” Department of Homeland Security.
6. “2021 Manufacturing Industry Outlook,” Wellener, P., Deloitte.
7. “IoT Security Market by Type (Network Security & Cloud Security), Component, Solution (Identity and Access Management, Security Analytics, & Device Authentication & Management), Service, Application Area, and Region — Global Forecast to 2025,” MarketsandMarkets, July 2020.
8. “Ransomware and Critical Infrastructure,” Jablanski, D., Kelly, M., Guidehouse Insights, 1Q 2021.
9. “Already a Record-Breaking Year for Ransomware, 2021 May Just Be Warming Up,” Wolff, A., SonicWall, June 21, 2021.
10. “Panic buying strikes Southeastern United States as shuttered pipeline resumes operations,” Englund, W., Nakashima, E., The Washington Post, May 12, 2021.
11. “U.S. Pipeline Cyberattack Forces Closure,” Eaton, C., Volz, D., The Wall Street Journal, May 8, 2021.
12. “JBS cyberattack: From gas to meat, hackers are hitting the nation, and consumers, where it hurts,” Rosenbaum, E., CNBC, June 2, 2021.
13. “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound,” Coveware, April 26, 2021.
14. “Global Ransomware Damage Costs Predicted To Reach $20 Billion (USD) By 2021,” Morgan, S., Cybercrime Magazine, October 21, 2019.
15. “Ransomware World in 2021: Who, How and Why,” Securelist, May 12, 2021.
16. “Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware ‘one’ Group via Cobalt Strike,” Kremez, V., Advanced Intel, November 6, 2020.
17. “Ransomware Kill Chain: Part 1: Why Ransomware Is Not A Typical Cyberattack,” Hornetsecurity.
18. “Ransomware: The True Cost to Business,” Bezvershenko, L., Galov, D., Kwiatkowski, I., Cybereason, June 16, 2021.
19. “The State of Ransomware 2021,” Sophos, April 27, 2021.
20. “Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works,” Kleymenov, A., Nozomi Networks, May 19, 2021.
21. “Colonial Pipeline Hack Claimed by Russian Group DarkSide Spurs Emergency Order from White House,” Collier, K., NBC News, May 10, 2021.
22. “DarkSide Ransomware Has Netted Over $90 million in Bitcoin,” Elliptic, May 18, 2021.
23. “The Moral Underground? Ransomware Operators Retreat After Colonial Pipeline Hack,” Otto, G., Intel471, May 14, 2021.
24. “Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside,” Department of Justice, Office of Public Affairs, June 7, 2021.
25. “Computer giant Acer hit by $50 million ransomware attack,” Abrams, L., BleepingComputer, March 19, 2021.
26. “Ransomware gang demands $50 million from computer maker Acer,” Cimpanu, C., The Record, March 19, 2021.
27. “Apple supplier Quanta hit with $50 million ransomware attack from REvil,” Coombs, V., TechRepublic, April 21, 2021.
28. “JBS Paid $11 Million to Resolve Ransomware Attack,” Bunge, J., The Wall Street Journal, June 9, 2021.
29. “A Ransomware Attack Hit Up To 1,500 Businesses. A Cybersecurity Expert On What's Next,” Fadel, L., NPR, July 6, 2021.
30. “Latest ransomware attack appears to hit hundreds of American businesses,” The Guardian, July 3, 2021.
31. “Kia Motors America Suffers Ransomware Attack, $20 Million Ransom,” Abrams, L., BleepingComputer, February 17, 2021.
32. “Computer giant Acer hit by $50 million ransomware attack,” Abrams, L., BleepingComputer, March 19, 2021.
33. “CNA Financial Paid $40 Million in Ransom After March Cyberattack,” Mehrotra, K., Turton, W., Bloomberg, May 20, 2021.
34. “Ransom Gangs Emailing Victim Customers for Leverage,” Krebs, C., KrebsonSecurity, April 5, 2021.
35. “Apple Targeted In $50 Million Ransomware Hack of Supplier Quanta,” Mehrotra, K., Bloomberg, April 20, 2021.
36. “Colonial Pipeline Boss Confirms $4.4M Ransom Payment,” BBC News, May 19, 2021.
37. “Chemical distributor pays $4.4 million to DarkSide ransomware,” Abrams, L., BleepingComputer, May 13, 2021.
38. “Asia Division of Cyber Insurance Company Hit with Ransomware Attack,” Greig, J., ZDNet, May 18, 2021.
39. “Irish Cyber-Attack: Hackers Bail Out Irish Health Service for Free,” BBC News, May 21, 2021.
40. “JBS Paid $11 Million to Resolve Ransomware Attack,” Bunge, J., The Wall Street Journal, June 9, 2021.
41. “Zero Trust and its role in securing the new normal,” Lin, J., Hines, C., Microsoft, May 26, 2020.
42. “BeyondCorp,” Google Cloud.
43. “Responding to the Colonial Pipeline Breach & CISA Ransomware Alert,” Capdevielle, E., Nozomi Networks, May 13, 2021.
44. “Hackers hit Norsk Hydro with ransomware. The company responded with transparency,” Briggs, B., Microsoft, December 16, 2019.
45. “JBS Paid $11M to REvil Gang Even After Restoring Operations,” Montalbano, E., ThreatPost, June 10, 2021.
46. “ICS-CERT Advisories,” Department of Homeland Security.
47. “2021 Manufacturing Industry Outlook,” Wellener, P., Deloitte.
48. “ICS Advisory (ICSA-21-131-04): Siemens SINAMICS Medium Voltage Products Remove Access (Update A),” Cybersecurity and Infrastructure Security Agency, June 8, 2021.
49. “ICS Advisory (ICSA-21-019-01): dnsmasq by Simon Kelley (Update A),” Cybersecurity and Infrastructure Security Agency, March 9, 2021.
50. “ICS Advisory (ICSA-20-203-01): Wibu-Systems CodeMeter (Update E),” Cybersecurity and Infrastructure Security Agency, February 11, 2021.
51. “Talking About Cybersecurity Vulnerabilities in Medical Devices Shouldn’t Be Taboo,” Tamari, N., HIT Consultant Media, June 17, 2021.
52. “Alert (AA20-205A): NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems,” Cybersecurity and Infrastructure Security Agency, July 23, 2020.
53. “Video Surveillance Market by System, Offering (Hardware (Camera, Storage Device, Monitor), Software (Video Analytics, Video Management System) & Service (VSaaS)), Vertical (Commercial, Infrastructure, Residential), and Geography - Global Forecast to 2025,” MarketsandMarkets, April 2020.
54. “Defending Against IoT Security Camera Hacks Like Verkada,” Di Pinto, A., Nozomi Networks, March 12, 2021.
55. “Security Cameras Vulnerable to Hijacking,” Marrapese, P., Hacked.camera.
56. “New Reolink P2P Vulnerabilities Show IoT Security Camera Risks,” Di Pinto, A., Nozomi Networks, January 19, 2021.
57. “Cloud Platform Solution for Transmission Efficiency and Data Security,” ThroughTek.
58. “New IoT Security Risk: ThroughTek Supply Chain Vulnerability,” Nozomi Networks Labs, June 15, 2021.
59. “Defending Against IoT Security Camera Hacks Like Verkada,” Di Pinto, A., Nozomi Networks, March 12, 2021.
60. “Ransomware and Critical Infrastructure,” Jablanski, D., Kelly, M., Guidehouse Insights, 1Q 2021.


Nozomi Networks
The Leading Solution for OT and IoT Security and Visibility
Nozomi Networks accelerates digital transformation by protecting the world’s critical infrastructure,
industrial and government organizations from cyber threats. Our solution delivers exceptional network
and asset visibility, threat detection, and insights for OT and IoT environments. Customers rely on us to
minimize risk and complexity while maximizing operational resilience.

© 2021 Nozomi Networks, Inc. All Rights Reserved.
NN-SEC-RP-FULL-2021-1H-001
nozominetworks.com