Forescout Research reveals alarming rise in cyberattacks, emphasizes need for better critical infrastructure cybersecurity

Data published by Forescout Research – Vedere Labs in its 2023 Global Threat Roundup shows over 420 million recorded attacks during the year, an average of 13 per second and a 30 percent increase over the previous year. The company stresses the need for stronger cybersecurity measures in the critical infrastructure sector, which faced a continuous stream of attacks throughout the period covered by the report.

In the report, titled ‘Trends in cyberattacks, exploits, and malware: 2023 Global Threat Roundup Report,’ the research arm of Forescout Technologies said that the top 10 source countries accounted for 77 percent of malicious traffic, with a spike in attacks originating from China. 48 percent of attacks came from IP addresses managed by ISPs, 32 percent from organizations in business, government and other sectors, and 10 percent from hosting or cloud providers. This reflects growing use of compromised devices to launch attacks, whether directly or via ‘residential proxies.’

It also identified web applications as the most attacked service type, followed by remote management protocols. The two were attacked differently: remote management services were often targeted with specific usernames linked to IoT devices (credential guessing), whereas web applications were more often targeted with vulnerability exploits.

The Vedere Labs report also found that exploits against software libraries decreased, partly because Log4j exploits lost popularity, while exploits against network infrastructure and IoT devices increased. The most targeted IoT devices were IP cameras, building automation systems, and network-attached storage. Only 35 percent of the exploited vulnerabilities appeared in CISA’s Known Exploited Vulnerabilities (KEV) catalog, a reminder that KEV is a prioritization aid rather than a complete list of what is being exploited in the wild.

Additionally, five OT (operational technology) protocols were consistently targeted: Modbus (a third of attacks), Ethernet/IP, Step7 and DNP3 (around 18 percent each), and IEC10X (10 percent). The remaining 2 percent were spread across many other protocols, the majority of them BACnet. Most attacks targeted protocols used in industrial automation and the power sector. Building automation protocols were scanned less often, but exploits against building automation devices were more common.

It also revealed that post-exploitation actions focused on persistence accounted for 50 percent of observed activity, up from 3 percent in 2022, followed by discovery and execution. Most observed commands were for generic Linux systems, but there were also commands executed specifically against the network operating systems that run on popular routers.

Vedere Labs also observed an equal share of remote access trojans (RATs) and information stealers (infostealers) as the most popular types of malware. Botnets and other downloaders came third and fourth, followed by crypto miners and then a variety of other malware such as keyloggers and adware. The most popular malware families observed were the Agent Tesla RAT (16 percent), variants of the Mirai botnet (15 percent), and the Redline infostealer (10 percent).

Data also showed that Cobalt Strike remained the most popular command and control (C2) framework at 46 percent, followed by Metasploit at 16 percent and the emerging Sliver C2 at 13 percent. Most C2 servers were in the United States (40 percent), followed by China (10 percent) and Russia (8 percent). Threat actors targeted 163 countries, with the U.S. the most targeted by far, with 168 threat actor groups aiming at the country. The U.K. came second with 88, then Germany with 77, India with 72 and Japan with 66. Most threat actor groups were based in China (155), Russia (88), and Iran (45); together, these three countries accounted for almost half of the threat actor groups in Forescout’s database.

The research report also disclosed that government, media and entertainment, and financial services were the industries most targeted by these actors. Most attacks observed were opportunistic. However, there were also exploits aimed at very specific networking devices to obtain precise information about them and drop malware, and these attacks often used public proof-of-concept scripts.

Elisa Costante, vice president of research at Forescout Research – Vedere Labs, highlights the potential for positive change, stating, “While it’s true that current efforts have fallen short in fully harnessing crucial technology to fortify critical assets and assess risks, there is an opportunity for improvement.” 

She adds that the key lies in achieving comprehensive visibility, ensuring real-time contextual awareness of every device, whether managed or unmanaged. “By doing so, large enterprises can transition from a reactive defense posture to a more proactive approach, steering clear of the futile game of security whack-a-mole. This shift towards enhanced visibility and proactive defense strategies signals a brighter outlook for critical infrastructure.”

The report’s OT data bears repeating: five key protocols carried the bulk of attacks. The primary targets were protocols used in industrial automation and the power sector, led by Modbus with one-third of all attacks, followed by Ethernet/IP, Step7 and DNP3 at roughly 18 percent each. IEC10X rounded out the list with 10 percent, leaving the remaining 2 percent distributed among various protocols, with BACnet the majority of that share.

It added that building automation protocols like BACnet were scanned less frequently. The relative scarcity of scans, however, masks a more worrying trend: targeted exploits against vulnerabilities in building automation devices were more prevalent than the scan volume suggests.

Forescout assesses that monitoring the traffic to and from OT devices is as critical as monitoring IT traffic. Attackers are constantly probing these assets for weaknesses, and many organizations will be blind to that because they lack visibility into their OT infrastructure.

In conclusion, the Forescout Research – Vedere Labs report recommends that organizations focus on three key pillars of cybersecurity – risk and exposure management, network security, and threat detection and response. 

Forescout advises organizations to manage risk and exposure by identifying all network-connected assets and assessing their security posture, including vulnerabilities, credentials, and open ports; changing default credentials to strong, unique passwords for each device; and disabling unused services and patching vulnerabilities to prevent exploitation. It also recommends conducting a comprehensive risk assessment based on the understood attack surface, and mitigating risks using a holistic, automated approach that covers the entire enterprise, rather than focusing on specific networks or devices.

When it comes to network security, Forescout suggests not exposing unmanaged devices directly on the internet. Segment the network to isolate IT, IoT, and OT devices, limiting network connections to only specifically allowed management and engineering workstations or among unmanaged devices that need to communicate. Segmentation should not happen only between IT and OT, but even within IT and OT networks to prevent lateral movement and data exfiltration. Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched. 

To tackle threat detection and response, Forescout advises using an IoT/OT-aware, DPI-capable monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions such as vulnerability exploitation, password guessing, and unauthorized use of OT protocols (for example, write or diagnostic commands from hosts that are not sanctioned engineering workstations). Anomalous and malformed traffic should be blocked, or at least raise an alert so network operators are aware of it.
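As an added illustration of the detection the previous paragraph calls for (example code written for this page, not Forescout’s product or the report’s own material), the following Python inspector parses Modbus/TCP frames, the protocol the report names as the most attacked, and flags two of the behaviors above: write or diagnostic function codes from a source that is not on a hypothetical allow-list of engineering workstations, and malformed MBAP headers. The allow-list, the source addresses, and the sample frames are all constructed for the example.

```python
"""Minimal Modbus/TCP inspector: unauthorized OT protocol use and malformed frames.

Added example, not code from Forescout or the 2023 Global Threat Roundup.
Assumptions (hypothetical): a single allow-listed engineering workstation and a
handful of constructed frames standing in for mirrored traffic.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical allow-list of hosts permitted to write to or diagnose PLCs.
ENGINEERING_WORKSTATIONS = {"10.0.10.5"}

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Function codes typically used for reconnaissance of a device.
RECON_FUNCTIONS = {8, 17, 43}   # diagnostics, report server id, device identification

MAX_ADU = 260                   # Modbus/TCP application data unit upper bound


@dataclass
class Finding:
    src: str
    severity: str   # "alert" (log and investigate) or "block" (drop the traffic)
    reason: str


def parse_mbap(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Parse the MBAP header and return (transaction_id, unit_id, function_code, data).

    Raises ValueError for frames that violate the header's own invariants.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts every byte after itself, unit id included.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    if len(frame) > MAX_ADU:
        raise ValueError("frame exceeds Modbus/TCP ADU maximum")
    return tid, unit, frame[7], frame[8:]


def inspect(src: str, frame: bytes) -> Optional[Finding]:
    """Return a Finding for suspicious traffic, or None when the frame is acceptable."""
    try:
        _, _, fc, _ = parse_mbap(frame)
    except ValueError as err:
        return Finding(src, "block", f"malformed Modbus/TCP frame: {err}")
    if src in ENGINEERING_WORKSTATIONS:
        return None
    if fc in WRITE_FUNCTIONS:
        return Finding(src, "alert", f"write function {fc} from non-engineering host")
    if fc in RECON_FUNCTIONS:
        return Finding(src, "alert", f"reconnaissance function {fc} from non-engineering host")
    return None


# Constructed sample events: (source address, raw Modbus/TCP frame).
SAMPLE_EVENTS: List[Tuple[str, bytes]] = [
    ("10.0.20.8",  bytes.fromhex("00010000000601030000000a")),  # HMI reads 10 holding registers
    ("192.0.2.77", bytes.fromhex("0002000000060106001000ff")),  # write single register, unknown host
    ("10.0.10.5",  bytes.fromhex("0002000000060106001000ff")),  # same write, engineering workstation
    ("192.0.2.77", bytes.fromhex("00030000002001030000")),      # length field 32, only 4 bytes follow
    ("192.0.2.77", bytes.fromhex("000400000006010800000000")),  # diagnostics (fc 8) from unknown host
    ("192.0.2.77", bytes.fromhex("000500000002")),              # truncated frame
]


def run_samples() -> List[Optional[Finding]]:
    """Inspect every sample event in order; None means no finding."""
    return [inspect(src, frame) for src, frame in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (src, frame), finding in zip(SAMPLE_EVENTS, run_samples()):
        verdict = "ok" if finding is None else f"{finding.severity}: {finding.reason}"
        print(f"{src:<12} {frame.hex():<26} {verdict}")
```

The same shape applies to the other protocols the report lists (DNP3 direct-operate, Step7 download, Ethernet/IP set-attribute): decode just enough of the header to recover the function, check the source against the segmentation policy, and treat header inconsistencies as a block-by-default signal rather than something to parse leniently.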

Beyond network monitoring, extended detection and response (XDR) solutions are an important consideration. They collect telemetry and logs from various sources, including security tools, applications, infrastructure, cloud, and other enrichment sources, correlate attack signals into high-fidelity detections for analyst investigation, and provide the ability to automate response actions across the enterprise.

The Forescout Research – Vedere Labs report underlines that the most important takeaway is that traditional cyber hygiene practices must address every asset on the network, prioritizing the most critical attack surface based on up-to-date threat and business intelligence. 

In December, Forescout Research – Vedere Labs disclosed 21 new vulnerabilities affecting OT/IoT routers deployed across multiple critical infrastructure sectors. Of these Sierra:21 vulnerabilities, one is rated critical severity, nine are high severity and the remaining eleven are medium severity. The affected routers connect critical local networks to the Internet over cellular links such as 3G and 4G.
