Microsoft security researchers have observed that a Russian-based cyber-espionage group compromises IoT devices to infiltrate corporate networks.
What was compromised?
Microsoft Threat Intelligence Center attributed the attacks to the STRONTIUM APT group, also known as APT28 and Fancy Bear.
A detailed picture
The researchers noted that the threat group compromises IoT devices in order to gain access to corporate networks. In two of the cases they observed, the IoT devices had been deployed without changing the manufacturer's default passwords; in the third, the latest security update had not been applied to the device.
“After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network, which allowed extended access to continue hunting,” researchers explained.
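As an added illustration (not part of the Microsoft report or this article), the following Python sketch matches the three behaviours described in the quote against per-device command logs and flags devices that show more than one of them. The log format, rule patterns and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the Microsoft report) in an assumed
# "<timestamp> <device> <user> <command>" format from the devices' syslog forwarder.
SAMPLE_LOGS = [
    "2019-08-05T10:01:12Z voip-phone-12 admin tcpdump -i eth0 -w /tmp/cap.pcap",
    "2019-08-05T10:02:40Z voip-phone-12 admin getent group sudo wheel",
    "2019-08-05T10:03:05Z printer-3 admin sh -c 'echo /tmp/.s.sh >> /etc/rc.local'",
    "2019-08-05T10:04:00Z printer-3 admin ls -la /var/log",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<user>\S+) (?P<cmd>.+)$")

# Each rule maps one behaviour from the report to a pattern on the command field.
RULES = {
    # sniffing local subnets: a packet-capture tool has no business on a phone or printer
    "packet_capture": re.compile(r"^(tcpdump|tshark)\b"),
    # enumerating administrative groups
    "group_enumeration": re.compile(r"\bgetent group\b|/etc/group\b|\bnet group\b"),
    # dropping a shell script into a boot or cron location for persistence
    "persistence_script": re.compile(r"/etc/rc\.local|/etc/init\.d/|/etc/cron|\bcrontab\b"),
}


def detect_ttps(lines):
    """Return {device: set(rule_names)} for every log line that matches a rule."""
    findings = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole batch
        for name, pattern in RULES.items():
            if pattern.search(m["cmd"]):
                findings[m["device"]].add(name)
    return dict(findings)


def high_confidence(findings, min_rules=2):
    """Devices showing at least min_rules distinct behaviours from the described chain."""
    return sorted(dev for dev, rules in findings.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect_ttps(SAMPLE_LOGS)
    for device, rules in sorted(hits.items()):
        print(f"{device}: {', '.join(sorted(rules))}")
    print("high confidence:", high_confidence(hits))
```

Single-rule hits (such as the persistence write on printer-3 above) are still worth triage; the two-rule threshold only prioritises devices where the chain is already under way.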