Nozomi research reveals growing threats to critical infrastructure from OT and IoT network anomalies

New research from Nozomi Networks has found that pervasive OT (operational technology) and IoT network anomalies are raising red flags as threats to critical infrastructure become more sophisticated. Vulnerabilities within critical manufacturing also surged 230 percent, a cause for concern because it gives threat actors far more opportunities to access networks and cause these anomalies.

Unique telemetry from Nozomi Networks Labs, collected from OT and IoT environments covering a variety of use cases and industries across 25 countries, finds that network anomalies and attacks represented the largest share (38 percent) of threats during the second half of 2023. The most concerning of these network anomalies, which can indicate the involvement of highly sophisticated threat actors, increased by 19 percent over the previous reporting period.

‘Network scans’ topped the list of network anomaly and attack alerts, followed closely by ‘TCP flood’ attacks, which send large volumes of traffic at systems with the aim of bringing them down or making them inaccessible. The ‘TCP flood’ and ‘anomalous packets’ alert types showed significant increases in both total alerts and averages per customer over the last six months, rising more than two-fold and six-fold, respectively.
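To make the two alert types above concrete from the defender's side, here is an added Python example (not Nozomi's code or telemetry) that runs simple scan and SYN-flood detection over constructed flow records. The thresholds, window sizes, addresses and traffic mix are assumptions chosen for the sample; a real deployment would derive its thresholds from a baseline of its own OT traffic.

```python
from collections import defaultdict

# Detection thresholds (assumed values, tuned for the constructed sample below;
# real deployments derive them from a baseline of their own traffic).
SCAN_WINDOW_S, SCAN_MIN_TARGETS = 60, 20     # distinct (dst, port) pairs per source
FLOOD_WINDOW_S, FLOOD_MIN_SYNS = 10, 200     # SYN-only flows to one (dst, port)


def build_sample_flows():
    """Constructed flow records (not real telemetry). Each record is one
    connection attempt: t (seconds), src, dst, dport and the TCP flags seen.
    Flags "S" alone mean the handshake never completed."""
    flows = []
    # Benign: a workstation polling a Modbus/TCP server every 10 s, full handshake.
    for i in range(6):
        flows.append({"t": 10.0 * i, "src": "10.0.0.30", "dst": "10.0.0.20",
                      "dport": 502, "flags": "SAPF"})
    # Scanner: one source probing 40 ports on one host inside a minute.
    for port in range(1, 41):
        flows.append({"t": 5.0 + port, "src": "198.51.100.7", "dst": "10.0.0.5",
                      "dport": port, "flags": "S"})
    # Flooder: 500 half-open connections to one service within 5 seconds.
    for i in range(500):
        flows.append({"t": 100.0 + i * 0.01, "src": "203.0.113.50",
                      "dst": "10.0.0.20", "dport": 502, "flags": "S"})
    return flows


def detect_anomalies(flows):
    """Return alerts for network scans and TCP floods found in tumbling windows."""
    scan_targets = defaultdict(set)   # (src, window) -> {(dst, dport), ...}
    syn_counts = defaultdict(int)     # (src, dst, dport, window) -> SYN-only flows
    for f in flows:
        scan_targets[(f["src"], int(f["t"] // SCAN_WINDOW_S))].add((f["dst"], f["dport"]))
        if f["flags"] == "S":
            syn_counts[(f["src"], f["dst"], f["dport"], int(f["t"] // FLOOD_WINDOW_S))] += 1

    alerts = []
    for (src, _), targets in scan_targets.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            alerts.append({"type": "network_scan", "src": src, "count": len(targets)})
    for (src, dst, dport, _), n in syn_counts.items():
        if n >= FLOOD_MIN_SYNS:
            alerts.append({"type": "tcp_flood", "src": src, "dst": dst,
                           "dport": dport, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_sample_flows()):
        print(alert)
```

The benign poller never trips either rule because it touches one target and completes its handshakes, while the scanner and the flooder each raise exactly one alert. Keying the flood counter on the full (source, destination, port) tuple is what separates a flood from a scan: a scan spreads a few SYNs across many ports, a flood concentrates many SYNs on one.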

“These trends should serve as a warning that attackers are adopting more sophisticated methods to directly target critical infrastructure, and could be indicative of rising global hostilities,” Chris Grove, director of cybersecurity strategy at Nozomi Networks, said in a media statement. “The significant uptick in anomalies could mean that the threat actors are getting past the first line of defense while penetrating deeper than many would have initially believed, which would require a high level of sophistication. The defenders have gotten better at protecting against the basics, but these alerts tell us that the attackers are quickly evolving in order to bypass them.”

Nozomi Networks Labs also analyzed a wealth of data on malicious activity against IoT devices and found that botnets continue to use default credentials in attempts to access IoT devices. “Brute-force attempts remain a popular technique to gain system access – default credentials remain one of the main ways threat actors gain access to IoT. Remote Code Execution (RCE) also remains a popular technique – it’s frequently used in targeted attacks, as well as in the propagation of various types of malicious software.”

Furthermore, adversaries targeting industrial control systems continue to deploy living-off-the-land attacks that are ‘cheaper to deploy, have higher success rates, are more difficult to detect, require more rapid industrial response, and can have immediate direct safety and engineering impacts.’

The Nozomi data showed that critical manufacturing topped the list of most vulnerable industries with the number of reported Common Vulnerabilities and Exposures (CVEs) rising to 621. “That’s an alarming 230% increase over the previous reporting period. This massive rise in reported vulnerabilities illustrates the considerable challenge this sector faces as it continues to embrace digitalization. There’s an urgent need for critical manufacturers to invest in robust cybersecurity measures capable of covering potential attacks from the endpoint to the air.” 

It also identified that, for a third consecutive reporting period, manufacturing, energy, and water/wastewater remained the most vulnerable industries, though the total number of vulnerabilities reported in the energy sector dropped 46 percent from the previous period, and water/wastewater vulnerabilities dropped 16 percent. Of note, healthcare and public health, government facilities, transportation systems, and emergency services all made the top 10.

Nozomi mapped all the IP addresses from which attacks against its honeypots were initiated to the corresponding countries. “In countries with more widespread automation, it is natural that the total number of smart devices connected to the internet is higher, resulting in a bigger attack surface, which may result in more devices being compromised,” the report added.

The report disclosed that once attackers believe they have compromised a vulnerable device, they often start executing shell commands, either to explore the environment or to achieve persistence that survives reboots or remediation procedures. “While some of them are generic auxiliary commands to enable shell access like the top ‘enable,’ ‘sh,’ ‘shell,’ and ‘system,’ the others are quite interesting.”

Nozomi added that the last command, which involves ‘echo,’ is one of many similar commands that malware runs sequentially to assemble the next-stage payload from the specified bytes concatenated to each other.

Addressing the malicious payloads delivered by attackers as part of an infection, Nozomi said attackers preferred 32-bit ARM ELF payloads. “This matches our findings published in the previous report. 32-bit MIPS payloads take the third place, just as they did six months ago. The multi-architectural payloads (usually shell scripts) are taking a significantly bigger chunk of all the samples collected compared to the previous report,” it added.

Nozomi finds that threat actors continue to aggressively probe enterprise/IT, OT, and IoT networks across the globe, with growing capacity, more sophisticated capabilities, and enhanced TTPs. “To minimize risk and maximize operational resiliency, critical infrastructure organizations should prioritize proactive defense strategies that include network segmentation, asset discovery, vulnerability management, patching, logging, endpoint detection, and threat intelligence.”

It added that there is also a growing need for actionable asset and threat intelligence that can be used by different stakeholders within an organization, such as IT teams, compliance officers, and risk managers, who may have different perspectives on security issues. This includes deploying asset intelligence; applying the latest patches to VPN technology; using privileged access management; using multi-factor authentication (MFA) that is not susceptible to vishing or SIM swapping; changing passwords frequently; and increasing employee training on vishing and social engineering in general.
