A malicious advertising campaign originating out of Eastern Europe and operating since at least mid-June is targeting Internet of Things (IoT) devices connected to home networks, according to executives with GeoEdge, which offers ad security and quality solutions to online and mobile advertisers.
The executives said the “malvertising” campaign – which was uncovered by GeoEdge’s security research team with AdTech partners InMobi and Verve Group – came out of Ukraine and Slovenia and reached as far as the United States, though CEO Amnon Siev it has since been contained.
With many people still working from home due to the global COVID-19 pandemic, an attack on IoT devices connected to home networks pose a threat to organizations whose employees may be doing their work on those same home networks, Siev told eSecurity Planet. And with many IoT devices unprotected during the pandemic, the potential for an attack is substantial.
“The new vector reveals browsing the web on the Wi-Fi network may open a gate to IoT attacks, which may have many impacts, including attacking enterprises,” he said.
Malvertising is Evolving
According to GeoEdge, the widely distributed attack is an escalation in malvertising campaigns, where malware is spread via the injection of malicious code into online display ads through online ad networks and passing that code into connected devices.
This new campaign is the first to use online ads to silently install apps on home network-connected IoT devices. The attackers don’t need to be particularly skilled to pull off such an attack, according to GeoEdge officials. They essentially need a basic understanding of device API documentation, some capability with JavaScript and low-level online advertising skills.
The IT industry and online advertising world can expect similar attacks to follow a similar pattern, Siev said, adding that it represents the “evolution of malvertising.” The attack itself is low-cost with little sophistication. However, the distribution of the campaign is broad, which means the impact is high, he said.
As with most malvertising campaigns, the ad networks were generally unaware about the malicious content. With this attack, end users targeted by the attack didn’t have to click on the infected ad or navigate to a malicious web page to kick off the attack on the IoT devices. In most ways, the attack followed traditional malvertising means, Siev said.
“This malicious campaign displays a fake Nike ad to the end user, but it also contains additional ‘fingerprinting’ code that is used to verify that it executes on an actual mobile device, in order to identify and hide from automated security scanning tools that are often used by security researchers,” he said. “Once it identified such tools, it hides the malicious payload via cloaking to camouflage [itself and] appear as a benign, legitimate ad.”
An Attack by a Criminal Ring
The CEO said the attacks were launched by a criminal ring rather than a state-sponsored group, though he didn’t identify the name of the group. GeoEdge also couldn’t say how many victims there were or what kinds of IoT devices were being attacked.
Siev also couldn’t say exactly what the attackers were looking for or how they were manipulating the devices but did say that generally bad actors target IoT devices to either steal personal information or money like credit card numbers and to manipulate home systems like gates, safes and door locks. They also may sell the personal data they find on the dark web.
IoT a Security Concern
The IoT for years has worried security professionals, who see it as greatly expanding the attack surface. The devices can range from the smallest sensors to machines on factory floors and include both consumer and corporate machines. Device developers at times will spend their money on features rather than security and the data on the devices often move between the devices and the cloud or on-premises data centers.
IoT device security has also attracted the attention of federal government officials (see The IoT Cybersecurity Act of 2020: Implications for Devices).
Cisco Systems is predicting that by 2023, there will be almost 30 billion connected devices and network connections, a rise from 18.4 billion in 2018. Of those, almost half – 14.7 billion – of network devices will be IoT devices, up from the 33 percent three years ago, Cisco officials said. That makes home and industrial IoT an attractive target for bad actors who want to leverage malvertising, according to GeoEdge executives.
Will Get Worse Before It Improves
Simon Aldama, principal security advisor at IT services management company Netenrich, told eSecurity Planet that the risks associated with IoT security currently will get worse before they get better. Too often manufacturers prioritize releasing their products to market and interface connectivity rather than effective controls, all of which is made more difficult by the weak implementation of IoT standards, frameworks and basic security in designs.
Aldama also said that the threat to enterprises in work-from-home scenarios is “hugely significant.”
“Home networks are unhardened, unsegmented, unmanaged, unmonitored and sometimes consisting of up to 70 devices with unpatched vulnerabilities available for exploitation,” he said. “Organizations expect cyber campaigns to exploit soft targets such as these to disrupt operations and associated supply chains. The delivery of malicious code through advertising supply chains is an insidious attack spanning over the course of 15 years. Threat actors have the capability to silently exploit millions of user endpoints without interacting with web page elements to carry out attacks such as ransomware delivery, identity theft, crypto mining or other forms of criminal monetization.”
Spending on Digital Display Ads Increasing
Online display ads likely will continue to be an attractive target to cybercriminals. According to eMarketer, total digital ad spending will reach $455.3 billion in 2021, with 55.2 percent going to display advertising and 40.2 percent to search. The gap between the two ad models continues to tip in favor of display advertising, the firm said. Three years ago, there was only a 10 percent difference in spending between display and search ads. Helping to fuel the change are consumers increasingly embracing social media and digital video.
“The consumer move to a preference for digital-first interactions will grow the potential threat landscape that can be targeted by attackers,” Tyler Shields, chief marketing officer at JupiterOne, which offers cyber asset management and governance solutions, told eSecurity Planet. “More apps, more data in the cloud, more digital experiences mean more targets of both opportunity and chance. There will be a continued increase in data compromise as we move more and more of our daily life into the cloud. We’ve really only just begun to see the expansion of digital experiences and the attacks that will grow alongside them.”
There are steps enterprises can take to reduce the risk presented by employees working on insecure home networks, Aldama said. They include allowing conditional access to corporate infrastructure to hardened devices issued by IT, updating work-from-home policies and procedures, and security awareness training for those working remotely. In addition, organizations can adopt Secure Access Service Edge (SASE) access methods.
Ultimately, there’s only so much that users can do, GeoEdge’s Siev said.
“For users, antivirus [and] firewalls are not sufficient,” he said. “Responsibility lies in the hands of website owners and ad platforms to integrate a real-time ad quality tool.”