Have you ever heard of siegeware? This type of ransomware has been around for some time but has rarely been discussed. Attacks on intelligent buildings are still far from ordinary, but the ever-increasing ransomware attacks may change that. Learn more about siegeware and find out how to avoid this threat.
Imagine being in control of an intelligent building. It could be an office, an apartment complex, or a hospital. Suddenly, issues start to arise — the doors refuse to lock or unlock, the heating becomes uncontrollable, or the lifts get stuck. If the control system is unresponsive, you may find a message urging you to pay a ransom immediately, or the system will remain offline. Sound unreal? With the emergence of siegeware and ransomware that targets smart buildings, people should know that this scenario is real. Smart building operators and owners should get familiar with the threat and prepare their response strategy.
Ransomware becomes siegeware
With IoT (internet of things) on the rise, cybercriminals can quickly get hold of one’s property and use it for the purpose of extortion — be it via computers, phones, or cars (in which case we talk about jackware). Siegeware exploits the digital systems of a networked building, and in some cases uses that access to cause chaos — for example by cutting the power, shutting down lifts, switching off air conditioning systems, or everything at the same time. The building owner is then led to believe that they will only regain control after paying a generous ransom — but paying does not always resolve the situation. In the past, criminals have only rarely released the infected systems after siegeware had been triggered. Some may think of siegeware as a made-up issue, but this threat has been around for quite some time now.
Siegeware in real life
An executive at a real estate company managing a dozen buildings in several US cities received the following message on his smartphone: “We have hacked all the control systems in your building at XXX Street 400 and will switch them off for three days if you do not pay 50,000 dollars in Bitcoin within 24 hours.” The building at that address is one of several medical clinics in the company’s portfolio that use “building automation systems” (BAS) to remotely control heating, air conditioning and ventilation, as well as fire alarms and management systems that include lighting, security systems, and more. The administrator usually has up to eight different systems under remote control. The company had the foresight to develop an effective crisis response plan and did not act on the attempted blackmail. Although the scenario was entirely new for them, the IT team was able to initiate backup measures rapidly. In the end, everyday operations at the hospital were only disrupted temporarily; the incident was of little consequence.
Source: WeLiveSecurity, 2019
Remote access: source of comfort, or danger?
With the increasing degree of automation and connectivity, “taking buildings hostage” is relatively straightforward: threat actors “only” have to compromise the BAS over the internet to gain complete control of all its functions. They take advantage of the possibilities offered by remote maintenance, which is supposed to increase comfort at a reduced cost. Nowadays, technicians can solve issues or implement new settings from a central command desk elsewhere in the country. This becomes problematic when remote access is designed for performance and not security. Often, manufacturers rely only on a simple combination of a username and a password as access protection. Security by design, defence mechanisms against brute-force attacks, or multifactor authentication (MFA) could provide more security, but they are too often omitted for cost reasons.
Victims are surprisingly easy to find
How do cybercriminals find their victims? The search engine “Shodan” (www.shodan.io) makes it relatively easy. A search for “BAS” leads to around 11,095 potential targets worldwide that could be reached via the public internet. These include 1,162 in the US (as of 06/06/2022). They’re all neatly listed and supplemented with lots of additional data, from the IP address to SSL information and the router used. In 2015, the University of Michigan came up with Censys, which works similarly to Shodan and makes it easy to search for internet-connected devices.
With this knowledge and a list of victims, an attacker has virtually free rein. In the simplest case, they try to gain access using the standard username and password for the relevant system type. Default credentials for different systems can be found online — and, unfortunately, many BAS operators continue to use those defaults without setting up a more secure access solution. Even if the credentials were changed, there is often no notification system or limit on the number of unsuccessful login attempts, so cybercriminals can keep trying to log in until they succeed.
Hackers may rely on the most frequently used credentials and information captured from the dark web, or resort to brute-force methods and/or login crackers. The latter are very popular and easy to find on the internet, and they are getting more advanced and successful — often with minimal effort required. As a result, siegeware attacks can be carried out even by average cybercriminals without extensive know-how.
Taking charge of security
How can you reduce the risk of siegeware? Two main questions determine future action: How high is the degree of automation of building technology, and how well is the access protected? Builders, property managers, and contractors should sit down together and discuss problematic security and remote access areas. As handy as it is to have remote access at all times via a web-based login, the administrator/owner often lacks knowledge about the possible dangers.
When using a BAS, all parties involved should ask themselves the following questions:
- Did we change the login credentials from default to a more secure combination of a unique login and a password/passphrase?
- Is the login located behind a firewall?
- Is the access secured by multifactor authentication?
- Is there a restriction on failed login attempts, including blocking?
- Do we get a notification with any unsuccessful login attempts?
- Is there a limited list of people with access to the BAS?
- Do we have a maintenance contract with the supplier that obliges them to update our software regularly?
- Do we disconnect the system from the internet when the connection is unnecessary?
- Did we prepare an operational crisis response plan so that, if any issue occurs, we know whom to contact and what to do?
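As an added example (not part of the original article or of any BAS product), the failed-login limit and notification that two of the questions above ask about, as a small log-analysis routine: it counts failures per source and account in a sliding window, locks the pair out after a threshold, and raises an alert both for the lockout and for a success that follows repeated failures. The log format, the threshold and the window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
THRESHOLD = 5                   # assumed: failures that trigger a lockout
WINDOW = timedelta(minutes=10)  # assumed: counting window and lockout duration
# Constructed sample lines in a hypothetical BAS web-login log format.
SAMPLE_LOG = """\
2022-06-06T08:00:01 src=203.0.113.7 user=admin result=FAIL
2022-06-06T08:00:02 src=203.0.113.7 user=admin result=FAIL
2022-06-06T08:00:03 src=198.51.100.4 user=facilities result=FAIL
2022-06-06T08:00:04 src=203.0.113.7 user=admin result=FAIL
2022-06-06T08:00:05 src=203.0.113.7 user=admin result=FAIL
2022-06-06T08:00:09 src=198.51.100.4 user=facilities result=SUCCESS
2022-06-06T08:00:10 src=203.0.113.7 user=admin result=FAIL
2022-06-06T08:00:11 src=203.0.113.7 user=admin result=FAIL
2022-06-06T08:00:20 src=203.0.113.9 user=operator result=FAIL
2022-06-06T08:00:21 src=203.0.113.9 user=operator result=FAIL
2022-06-06T08:00:22 src=203.0.113.9 user=operator result=FAIL
2022-06-06T08:00:25 src=203.0.113.9 user=operator result=SUCCESS
"""

def parse_line(line):
    # "TIMESTAMP key=value ..." -> dict with a parsed datetime under "ts"
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec

def analyse(lines, threshold=THRESHOLD, window=WINDOW):
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    locked_until = {}              # (src, user) -> end of the lockout period
    alerts = []                    # (ts, alert_type, (src, user)) in log order
    for line in lines:
        r = parse_line(line)
        key, ts = (r["src"], r["user"]), r["ts"]
        q = failures[key]
        while q and ts - q[0] > window:  # forget failures outside the window
            q.popleft()
        if ts < locked_until.get(key, ts):  # still locked: refuse regardless of password
            alerts.append((ts, "LOCKED_ATTEMPT", key))
            continue
        if r["result"] == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                locked_until[key] = ts + window
                alerts.append((ts, "LOCKOUT", key))
                q.clear()
        else:
            if len(q) >= 2:  # success right after repeated failures: possibly a guessed password
                alerts.append((ts, "SUCCESS_AFTER_FAILURES", key))
            q.clear()
    return alerts
```

Each returned alert is what the notification in the checklist would carry; a single mistyped password followed by a success (the "facilities" account here) produces none.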
If the answer to any of these questions is no, your BAS may be vulnerable to cyberattack. Apart from causing discomfort, dealing with a siegeware attack can cost large sums of money. If the incident becomes publicly discussed, the attacked company may be viewed as unreliable or unsafe. Building owners can also face legal action and high fines. Overall, siegeware has a much more significant impact than just causing a few doors to lock or the heating to stop for a while. It pays off to be aware of the risks and to protect your BAS.