IoT Hybrid Cloud Edge Cyber Attack Security

Internet of Things (IoT) devices deployed at large scale, using cloud- and edge-based services across complex and dynamic IoT networks, are prone to attacks and data breaches.

Most of the time, the attacker's goal is to prey on information stored on or communicated through IoT devices, to disrupt the services the devices provide, or to take control of the devices and use them as bots to launch large-scale DDoS attacks or perform crypto-mining.

Since IoT devices are exposed on the Internet, it is very easy to locate and access them remotely. If the devices are instead placed behind a firewall and are not reachable over the Internet, some breaches can be avoided. IoT networks also expose services over the Internet that were designed for local networks and were never meant to be directly accessible from the Internet.

The gateway networks in IoT device landscapes could be LTE, WiFi, GPRS, Ethernet, MAN, WLAN, GSM or WAN.

One example is the memcached service, a local-network caching service that allows database-driven websites to cache data and objects in memory. Many servers misconfigure this service and allow it to be reached over the Internet, and this misconfiguration lets attackers use it to launch massive DDoS attacks.
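As an added example (not part of the original article), the following Python check parses a Debian-style memcached.conf and reports the exposure described above: a service bound to a non-loopback address with the UDP listener left on. The two configuration snippets are constructed for the demonstration and the finding codes are my own naming.

```python
import ipaddress

# Constructed configuration snippets (not from the article), Debian /etc/memcached.conf style.
WEAK_CONF = """
-p 11211
-U 11211        # UDP listener on; with no -l line memcached binds every interface
"""
HARDENED_CONF = """
-p 11211
-l 127.0.0.1    # reachable only from the local host
-U 0            # UDP listener off: no amplification surface
"""

def parse_memcached_conf(text):
    """One option per line, '#' starts a comment. Returns listen addresses and UDP port."""
    opts = {"listen": [], "udp_port": None}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        flag, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if flag == "-l":                  # may repeat or be comma separated
            opts["listen"] += [a.strip() for a in value.split(",") if a.strip()]
        elif flag == "-U":
            opts["udp_port"] = int(value)
    return opts

def _is_loopback(addr):
    if addr.startswith("["):              # [v6]:port
        host = addr[1:addr.index("]")]
    elif addr.count(":") == 1:            # v4:port
        host = addr.rsplit(":", 1)[0]
    else:
        host = addr
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                    # hostname or unix socket path: not provably local
        return False

def exposure_findings(conf_text):
    """Finding codes (my own naming) for an Internet-facing host running this config."""
    opts = parse_memcached_conf(conf_text)
    findings = []
    listen = opts["listen"] or ["0.0.0.0"]   # no -l means memcached binds all interfaces
    if not all(_is_loopback(a) for a in listen):
        findings.append("non-loopback-listen")
    if opts["udp_port"] != 0:             # None: never explicitly disabled with -U 0
        findings.append("udp-not-disabled")
        if "non-loopback-listen" in findings:
            findings.append("udp-amplification-exposure")
    return findings
```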

Most IoT devices use default or weak passwords, which makes them easy targets. Open SSH and Telnet ports give attackers the opportunity to gain root access to the devices using dictionaries of common or factory-default passwords.

The IoT landscape is heterogeneous in terms of microcontrollers, open-source hardware, digital signal processors, network operating systems, real-time operating systems, embedded operating systems and SIM modules. As a result, IoT devices carry vulnerabilities that can be exploited by malicious scripts (for example JavaScript) which abuse exposed services and manipulate device functions. These scripts are harder to detect than malware because they do not employ spreading mechanisms; they simply manipulate the data being sent or received by the IoT device.

Attackers might also aim to factory-reset the device or overwrite the operating system with garbage data. They use Telnet, SSH, HTTP and similar services as attack vectors, combining known vulnerabilities with simple password dictionary attacks. SSH brute-force attacks rely on IP crawlers available on the Internet, which the attacker uses to obtain the IP address of the edge device.
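The default-password and SSH dictionary attacks described in the two paragraphs above leave a recognisable trace in the device's authentication log. As an added example (not code from the article), this Python detector runs over a constructed OpenSSH auth-log sample, flags a source that fails a configurable number of logins inside a sliding window, records the usernames it cycled through, and escalates when a successful login follows from the same source; the host name, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH auth-log sample (not from the article): a dictionary attack
# from one source that ends in a successful login, plus one unrelated failure.
SAMPLE_LOG = """\
Mar 10 02:14:01 edge-gw sshd[812]: Failed password for root from 198.51.100.23 port 40112 ssh2
Mar 10 02:14:03 edge-gw sshd[812]: Failed password for root from 198.51.100.23 port 40113 ssh2
Mar 10 02:14:05 edge-gw sshd[814]: Failed password for admin from 198.51.100.23 port 40114 ssh2
Mar 10 02:14:06 edge-gw sshd[814]: Failed password for invalid user pi from 198.51.100.23 port 40115 ssh2
Mar 10 02:14:08 edge-gw sshd[815]: Failed password for admin from 198.51.100.23 port 40116 ssh2
Mar 10 02:14:10 edge-gw sshd[815]: Accepted password for admin from 198.51.100.23 port 40117 ssh2
Mar 10 02:20:00 edge-gw sshd[900]: Failed password for alice from 203.0.113.7 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_log(text, year=2024):
    """Syslog lines carry no year, so one is supplied. Returns (ts, result, user, ip)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag a source IP with >= threshold failed logins inside a sliding window of
    window_s seconds; a later successful login from that IP escalates the finding."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)     # ip -> usernames attempted (shows the dictionary pattern)
    alerts = {}
    for ts, result, user, ip in sorted(events):
        tried[ip].add(user)
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                alerts[ip] = {"failures": len(recent[ip]), "users": tried[ip],
                              "success_after": False}
        elif ip in alerts:       # "Accepted" after the source was already flagged
            alerts[ip]["success_after"] = True
    return alerts
```

A flagged source with `success_after` set is the case the paragraphs describe: a dictionary run that found a default or weak password, and the device should be treated as compromised rather than merely probed.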

Injection techniques use hard-coded passwords from a dictionary, lock other users out of the device, and drop communication on Telnet (port 23), SSH (port 22) and the web interface (ports 80 and 8080). They also identify and compromise database services such as MySQL and Microsoft SQL Server running on the network, creating a new administrator “phpminds” with the password “phpgodwith” that gives the attackers access to the database. They are also able to start DDoS attacks over different transport protocols.

There is also malware that defeats DDoS protection services such as Cloudflare. Luabot targets Linux systems and is written in the Lua programming language. It uses an HTTP-based command-and-control network and contains malicious JavaScript whose goal is to find the real IP address of a victim hidden behind a Cloudflare proxy server.

Malware was also discovered inside a package in npm's JavaScript library registry. Any computer that installed or ran the package called ua-parser-js must be assumed to have been compromised.

npm is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.

UAParser.js is a JavaScript library that detects browser, engine, OS, CPU and device type/model from User-Agent data with a relatively small footprint.

Affected users need to update the package to the latest version, and, if the library was in use, they need to reset their passwords and rotate security tokens on those systems.

The attacker modified the library to install a password stealer and cryptocurrency miner on computers and servers.
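Because ua-parser-js is usually pulled in transitively by other packages, the first response step is finding every installed copy and its version. As an added example (not from the article or the project), this Python audit walks a package-lock.json in both the flat v2/v3 and the nested v1 layout and reports copies whose exact version appears on an advisory list; the lockfile, package names and version strings are constructed placeholders, and the real affected versions must be taken from the npm advisory.

```python
import json

# Constructed package-lock.json (not from the article). Version strings are placeholders:
# take the real affected versions from the npm advisory for ua-parser-js.
BAD_VERSIONS = {"0.7.X-PLACEHOLDER"}
SAMPLE_LOCK = json.loads("""{
  "name": "edge-dashboard", "lockfileVersion": 2,
  "packages": {
    "": {"name": "edge-dashboard", "dependencies": {"analytics-widget": "^2.0.0"}},
    "node_modules/analytics-widget": {"version": "2.3.1",
                                      "dependencies": {"ua-parser-js": "^0.7.0"}},
    "node_modules/analytics-widget/node_modules/ua-parser-js": {"version": "0.7.X-PLACEHOLDER"},
    "node_modules/ua-parser-js": {"version": "0.7.Y-PLACEHOLDER"}
  }
}""")

def find_package_versions(lock, name):
    """Return {install_path: version} for every copy of `name`, including nested copies
    pulled in transitively. Lockfile v2/v3 use a flat 'packages' map keyed by path;
    v1 nests 'dependencies'; both shapes are walked and yield the same path keys."""
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == name:
            found[path] = meta.get("version")
    def walk(deps, prefix):
        for dep, meta in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name:
                found[path] = meta.get("version")
            walk(meta.get("dependencies", {}), path + "/")
    walk(lock.get("dependencies", {}), "")
    return found

def audit(lock, name, bad_versions):
    """Copies whose exact version is on the advisory list. Any hit means the host that
    ran `npm install` should be treated as compromised and its secrets rotated."""
    return {p: v for p, v in find_package_versions(lock, name).items() if v in bad_versions}
```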

Another recent SQL injection attack occurred when an attacker could type an SQL command into the username or password field of a login form to enter a database without authorization.
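The login weakness described above comes from assembling the query out of the submitted text. As an added example (not code from the article), the Python below places the concatenating login check beside a parameterised one against a constructed in-memory SQLite table, so the two can be compared on the same input; the table, account and function names are assumptions.

```python
import sqlite3

def make_demo_db():
    """In-memory user table with one constructed account. Demo only: a real system
    stores a salted password hash, never the password itself."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_vulnerable(db, username, password):
    """Builds the query by string formatting, so characters typed into the form become
    part of the SQL grammar: a quote can close the literal and append a condition."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None

def login_safe(db, username, password):
    """Parameter binding: the SQL text is fixed and the values travel separately, so a
    quote in the input is compared as data and never changes the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def compare(username, password):
    """Run the same credentials through both versions and return (vulnerable, safe)."""
    db = make_demo_db()
    return login_vulnerable(db, username, password), login_safe(db, username, password)
```

Feeding the textbook tautology `x' OR '1'='1` as the password to `compare()` returns `(True, False)`: the concatenated query accepts it, the bound query rejects it.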

The attacker exploited one of a cellular provider's DNS servers to get into its wireless GPRS servers. They started with simple dictionary passwords to get into the network and used the SSH protocol for communication. The firewalls for the GPRS network, had they been configured correctly, could have blocked this kind of traffic flow. Multi-factor authentication must be enforced wherever there is a human in the loop, to prevent dictionary password attacks.

Companies should work rapidly towards adopting Software Defined Networking to detect and mitigate attacks in real time across their networks.


Bruno Pescarolli

Mechatronics Technician | Electrical Engineering Student

2 years

Is this considered hardware hacking?

Cibin Kolladikkal Suresh Babu

Marketing Growth Manager | UX Researcher | Engaged in Growth Experiments

2 years

Nice point of view!

Tee Dos Santos

Marketing Leader | Entrepreneur | Tech-Fueled Strategist

2 years

Looking forward to checking out your next posts

Jelena Roksandić

Buying Specialist @ ALDI SOUTH Holding

2 years

Nice content!
