The New Endpoint Edge Under Attack

Back in 2016, we all got an awakening to the immense cyber threat posed by the growing number of Internet of Things (IoT) devices around the world. In that year, the Mirai malware infected networked devices, including IP cameras and home routers, and used the resulting botnet to launch disruptive distributed denial of service (DDoS) attacks.

While that attack perhaps opened the world’s eyes to the danger of IoT devices, the landscape of connected devices has only grown exponentially since. Estimates put the number of active IoT connections at 14.4 billion in 2022, a figure expected to grow to 27 billion by 2025. With that astronomical rise in devices comes new levels of risk.

We got a taste of what that new risk looks like in today’s device landscape with the recently reported ZuoRAT remote access trojan, which compromises small office/home office (SOHO) routers, including models from Asus, Cisco and Netgear, to gain a foothold on the local network and from there reach additional systems within the corporate network. This is exactly the type of attack we fear with IoT devices, low-end networking devices included: poorly secured connected devices used as a path to critical corporate systems.

Researchers from Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently uncovered the campaign, which targets routers from Asus, Cisco and Netgear in North America and Europe. The attackers’ combined use of rarer techniques such as DNS and HTTP hijacking points to a sophisticated, likely state-sponsored organization, the researchers said.
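To make the DNS hijacking point concrete from the defender’s side, here is an added example; it is not part of the original article and is not code from Black Lotus Labs or Lumen. It assumes the defender has recorded, out of band from a trusted resolver, a baseline of expected A-record answers for names that matter, and it then parses DNS responses seen on the LAN (following RFC 1035 name-compression pointers, with a hop limit against crafted loops) and flags any answer that diverges from that baseline. The domain, transaction ids and IP addresses are constructed sample data from documentation ranges, and `build_response` exists only so the example runs offline; a real check would read packets from a capture.

```python
import struct
from dataclasses import dataclass


@dataclass
class ARecord:
    name: str
    address: str
    ttl: int


def _read_name(pkt: bytes, off: int):
    """Decode a DNS name at offset `off`, following RFC 1035 compression pointers.
    Returns (name, offset_after_name). A hop limit guards against pointer loops
    in crafted packets."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2  # caller resumes after the pointer, not after its target
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end if end is not None else off


def parse_a_records(pkt: bytes):
    """Return (transaction id, queried names, A records) from a DNS response."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qnames = []
    for _ in range(qdcount):
        name, off = _read_name(pkt, off)
        off += 4  # skip QTYPE + QCLASS
        qnames.append(name)
    records = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            records.append(ARecord(name, ".".join(str(b) for b in rdata), ttl))
    return txid, qnames, records


def check_response(pkt: bytes, reference: dict) -> list:
    """Compare the A records in a response seen on the LAN against a baseline
    obtained out of band from a trusted resolver. Returns human-readable
    findings; an empty list means no divergence."""
    _, _, records = parse_a_records(pkt)
    findings = []
    for rec in records:
        expected = reference.get(rec.name)
        if expected is None:
            continue  # no baseline for this name; nothing to compare against
        if rec.address not in expected:
            findings.append(
                f"{rec.name}: LAN resolver answered {rec.address}, "
                f"trusted baseline is {sorted(expected)}"
            )
    return findings


def build_response(txid: int, qname: str, answers, ttl: int = 300) -> bytes:
    """Build a minimal DNS response (one A question, N A answers) so the
    example runs offline. A real check would take packets from a capture."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    qname_wire = b"".join(bytes([len(label)]) + label.encode()
                          for label in qname.split(".")) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)
    rrs = b""
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # owner name is a compression pointer back to the question at offset 12
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs


# Constructed sample data: documentation-range addresses, not real infrastructure.
REFERENCE = {"example.com": {"203.0.113.10", "203.0.113.11"}}
GOOD_PACKET = build_response(0x1234, "example.com", ["203.0.113.10"])
HIJACKED_PACKET = build_response(0x1235, "example.com", ["198.51.100.7"])

if __name__ == "__main__":
    print("good:", check_response(GOOD_PACKET, REFERENCE))
    print("hijacked:", check_response(HIJACKED_PACKET, REFERENCE))
```

The baseline is the important design choice: it must come from a path the router cannot influence (a trusted resolver queried directly, or a list maintained centrally), otherwise a hijacked resolver simply becomes its own reference. A finding here is a signal to investigate the router and its configured upstream resolvers, not proof of compromise on its own, since legitimate answers also change when a service moves.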

The ZuoRAT campaign should serve as another wake-up call that we face immense risk from our current device landscape, one that must be addressed urgently. Yet this isn’t our first wake-up call about the risk posed by connected devices. If Mirai woke us up years ago, why are we still in the same position in 2022? One reason is that the risk landscape around IoT devices hasn’t meaningfully shifted in the six years since the Mirai botnet wreaked havoc around the world. In general, there is still a lack of visibility into and control over these devices, both in the home and in the corporate office.

What’s more, the IoT landscape has only grown more complicated since the Mirai attacks of 2016, especially over the past two years. Our new work-from-home reality, prompted by the pandemic but proving to have staying power as a way of working, has extended the corporate risk landscape from the office into the home. As ZuoRAT’s targeting of home office and small office routers shows, remote work has opened a significant gap in organizations’ armor.

For CISOs, it is imperative to address this risk by gaining visibility into, and demanding security for, the entire Internet supply chain and every networking environment in which their users and employees operate, including their homes. ZuoRAT showcases a multi-layered attack that exploited vulnerabilities in low-end, poorly secured devices to gather intelligence on the high-end, well-protected devices employees use at home. Relying on endpoint security alone leaves you vulnerable to these attacks.

It’s time to demand that ISPs embed security into their routers (new and legacy; both have little to no protection today) and provide LAN-based security for the unmanaged devices on their users’ networks. Otherwise, these networks and devices will continue to offer a peephole into your organization’s security and a stepping stone to breaking it, potentially leading to complete control of the network.