A cybersecurity threat analysis for the second half of 2022: botnet attacks on critical infrastructure running IoT/OT continued, targeting rail transport, the energy sector, manufacturing and hospitals.
The latest OT/IoT Security Report from Nozomi Networks Labs reveals that wiper malware, IoT botnet activity, and the Ukraine war were major drivers of the 2022 threat landscape. As in the first half of 2022, the company's researchers observed cybercriminals shifting their tactics from data theft and distributed denial of service (DDoS) attacks to more destructive malware. The aim was to destabilize critical infrastructure and to strengthen political positions in the Ukraine war.
Rail traffic as a target
"Over the past six months, cyberattacks have increased significantly, causing severe disruption across industries from transportation to healthcare," said Roya Gordon, Nozomi Networks OT/IoT Security Research Evangelist. "Rail transport in particular has been hit by attacks, which has led to the introduction of measures to protect rail operators and their facilities. As cyber threats continue to evolve and intensify, it is important for organizations to understand how OT/IoT is being threatened and what actions are needed to protect critical assets."
Nozomi Networks Labs' analysis of intrusion alerts and attempted breaches in customer environments over the past six months found that weak or plaintext passwords and weak encryption pose the top threats to critical infrastructure access, followed by brute force and DDoS attempts. Trojans were the most frequently detected malware targeting enterprise IT networks, Remote Access Tools (RATs) were the top malware used against OT, and DDoS malware was the malware most often used against IoT devices.
IoT botnets continue to attack
Malicious IoT botnet activity remained high and even increased in the second half of 2022. Nozomi Networks Labs reported growing security concerns as botnets continue to use default credentials to access IoT devices.
From July to December 2022, honeypot data collected by Nozomi Networks also showed the following:
- Attacks peaked in July, October, and December, with more than 5,000 individual attacks in each of those months.
- Most of the attackers' IP addresses came from China, the USA, South Korea and Taiwan.
- "root" and "admin" are still the credentials attackers use most often to gain initial access and to escalate their privileges once on the network.
By industry, manufacturing and energy remain the most vulnerable, followed by water/wastewater, health care and transport systems. For the last six months of 2022 the report found:
- CISA released 218 Common Vulnerabilities and Exposures (CVEs), a 61 percent decrease from the first half of the year.
- 70 vendors were affected, an increase of 16 percent compared to the previous reporting period.
- The number of affected products also increased by 6 percent compared to the first half of 2022.
Nozomi Networks' OT/IoT Security Report: A Deep Look into the ICS Threat Landscape provides security professionals with the latest insights they need to reassess risk models and security initiatives, as well as actionable recommendations for securing critical infrastructure.
More at NozomiNetworks.com
About Nozomi Networks
Nozomi Networks accelerates digital transformation by protecting critical infrastructure, industrial and government organizations from cyber threats. Nozomi Networks' solution provides exceptional network and asset visibility, threat detection and insights for OT and IoT environments. Customers rely on it to minimize risk and complexity while maximizing operational resilience.