IoT cybersecurity for MSPs: guarding against ransomware in the connected world
At one of my first jobs as a teenager, we had a video surveillance system, and one of my duties was to swap out the VHS tape when closing. There was a whole system in place for when the tapes should be swapped, how to label them, and how to store them off-site for long-term archival.
Modern video surveillance systems no longer require as much hands-on intervention to continue functioning. Rather than recording to tape, they record to DVRs that are then backed up to the cloud. It isn’t just surveillance systems getting online these days either—we also have HVAC systems, physical door locks, lights, and other facilities-related devices. And that doesn’t even cover essentials such as network switches, routers, data storage on a NAS or SAN, VoIP phones, and a whole host of other special-purpose network appliances.
Anyone managing a network today can tell you there’s always more than workstations and servers. All these connected devices are commonly referred to as the Internet of Things (IoT) and together make up a potentially significant attack surface.
While there are some different protocols used for IoT today, most devices produced support TCP/IP, which means they can access the web and be accessed from the web. Over the past couple of decades, the IoT industry has really taken off, and there’s some connected version of virtually every electronic device created. I can even monitor and control the temperature of my smoker when smoking a brisket!
This mad rush to create the latest and greatest smart device has outpaced regulations and standards regarding cybersecurity, and as a result, we find ourselves surrounded by a tangle of vulnerable devices scattered around our homes and offices.
When investigating a breach, the ConnectWise Cyber Research Unit (CRU) has found most initial access is either due to a successful phishing attack or the reuse of leaked credentials. For the rest of the cases, initial access is usually gained through a vulnerable IoT device—making it the third most common attack vector.
While the threat landscape is constantly evolving, there are several methods and threat actors that repeatedly target IoT devices and MSPs. Below, we get into two examples of these prevalent cyberthreats and the solutions you can use to prevent, detect, and respond to them.
Perhaps the most prolific offender targeting IoT devices is Mirai and its variants. Mirai is a worm and a botnet first discovered in 2016 that specifically targets IoT devices. It was primarily used for performing DDoS attacks against Minecraft servers, and its primary purpose today is still DDoS. Soon after it was first discovered, the source code for Mirai was publicly released, and multiple variants have been created based on the original source. For the sake of simplicity, we’ll be referring to Mirai and all its variants simply as Mirai.
Mirai spreads by exploiting vulnerabilities in IoT devices such as routers, DVRs, and IP cameras. Once a device is infected, it immediately begins scanning the internet, attempting to exploit more devices and spread. At last count, there are nearly 60 different vulnerabilities Mirai actively attempts to exploit, the oldest dating back to 2007.
The CRU has been monitoring Mirai activity for years using data collected from our ConnectWise SIEM™ customers who deploy an IDS sensor. All this vulnerability scanning Mirai performs is extremely noisy, making it easy to detect if you’re monitoring your network traffic. The vulnerabilities being exploited are all known and have either been patched or the device they apply to has reached end-of-life. Even though patches are available, we’ve been keeping track of the infected devices that scan our customers’ networks, and we see nearly 5,000 newly infected devices per month. This is a daunting number and highlights the fact that many homes and offices are still falling behind when it comes to securing IoT devices.
Back in May of 2023, we shared some information about a Chinese APT group known as Volt Typhoon. This APT has been active since mid-2021 and mostly targets critical infrastructure. They’ve been in the news most recently for targeting US military bases. For initial access, they have been known to exploit CVE-2022-40684, which is an authentication bypass in Fortinet FortiOS, affecting Fortinet secure web gateways and switches.
This group also tries to mask their activity by routing traffic through compromised small office/home office (SOHO) IoT devices, such as routers, firewalls, and VPN appliances. The list of compromised IoT devices they have used includes ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices.
Asset and patch management
Mitigating IoT threats really comes down to following best practices. Unfortunately, IoT devices are often easy to overlook, and new smart devices can pop up without notice. This is even more difficult for MSPs.
An SMB owner may not think to let their MSP know when they install a new TV in a conference room or upgrade their surveillance system, but each of these could add new attack vectors to their organization. So, the first step to getting a good handle on IoT security is implementing good asset management procedures with automated discovery.
Once you have an up-to-date list of assets, all those assets—yes, even the smart toaster—need to be included in your patch management policy to keep these devices up to date. While zero-days will always occur, the vast majority of the IoT vulnerabilities that we see exploited over and over are years old with patches available.
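The two steps above (automated discovery feeding an inventory, and the inventory feeding patch management) can be reconciled with a small script. The following is an added example written for this article, not ConnectWise tooling: it parses constructed DHCP-lease-style lines from a discovery scan, compares them with a managed inventory, and reports devices that are not in the inventory at all and managed devices whose reported firmware is behind the approved version. The lease line format, the inventory layout, and every address, MAC, and version number are constructed for the example.

```python
"""Asset inventory reconciliation for IoT devices (added example, constructed data).

Compares what automated discovery sees on the network against a managed
inventory and reports (a) devices not in the inventory and (b) managed
devices whose firmware lags the approved version.
"""
import re
from dataclasses import dataclass

# Constructed discovery output. Hypothetical line format:
#   lease <ip> <mac> <hostname> fw=<firmware-version>
DISCOVERED = """\
lease 10.0.20.11 aa:bb:cc:00:01:01 dvr-lobby fw=2.4.1
lease 10.0.20.12 aa:bb:cc:00:01:02 cam-front fw=3.0.7
lease 10.0.20.40 de:ad:be:ef:00:40 smart-tv-boardroom fw=1.2.0
lease 10.0.10.5 11:22:33:44:55:66 ws-finance-01 fw=
"""

# Constructed managed inventory: MAC -> (asset name, approved firmware version or None)
INVENTORY = {
    "aa:bb:cc:00:01:01": ("DVR, lobby", "2.5.0"),
    "aa:bb:cc:00:01:02": ("IP camera, front door", "3.0.7"),
    "11:22:33:44:55:66": ("Finance workstation 01", None),  # patched by RMM, no firmware baseline
}

LEASE_RE = re.compile(
    r"^lease (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<host>\S+) fw=(?P<fw>\S*)$"
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    host: str
    firmware: str  # empty string when the device reports none


def parse_discovery(text):
    """Turn discovery output into Device records; lines in an unexpected format are skipped."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            devices.append(Device(m["ip"], m["mac"].lower(), m["host"], m["fw"]))
    return devices


def version_tuple(v):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".")) if v else ()


def reconcile(devices, inventory):
    """Return unknown devices and managed devices running firmware older than approved."""
    report = {"unknown": [], "outdated": []}
    for d in devices:
        if d.mac not in inventory:
            report["unknown"].append(d)
            continue
        name, approved = inventory[d.mac]
        if approved and version_tuple(d.firmware) < version_tuple(approved):
            report["outdated"].append((d, name, approved))
    return report


if __name__ == "__main__":
    r = reconcile(parse_discovery(DISCOVERED), INVENTORY)
    for d in r["unknown"]:
        print(f"NEW ASSET  {d.host} ({d.mac}) at {d.ip}: not in inventory, needs onboarding")
    for d, name, approved in r["outdated"]:
        print(f"OUTDATED   {name} ({d.mac}): running {d.firmware}, approved {approved}")
```

Run against the constructed data, the boardroom TV is reported as a new asset and the lobby DVR as running firmware behind its approved version. In practice the discovery input would come from DHCP server logs, ARP tables, or a network scanner, and the report would feed a ticket rather than stdout; the point is that every device the scan sees is matched against the inventory, so nothing new stays unmanaged.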
Perhaps even more important than keeping your IoT devices up to date is architecting your network securely. Does the DVR need to access the file server? Does the TV need to access Exchange? We always recommend planning your network segmentation with an “assume breach” mindset. Assume the copier gets compromised and a malicious actor has full system-level access. What other resources on the network could they then get access to? What controls can you put in place to limit access? Wherever possible, segment off those IoT devices and keep the network traffic separate.
Network and log monitoring
We love logs in the CRU. Send us the right logs, and we can tell you everything a threat actor has done on a compromised system. Of course, threat actors know this as well, which is why clearing out a system’s logs is a common tactic. If the logs have been cleared out, it then becomes nearly impossible for a forensic investigation to reconstruct the full story of how a device was compromised and what was done.
This is one reason a SIEM is such an important tool. A SIEM provides long-term log retention that a threat actor can’t clear. Of course, this is only a secondary function of a SIEM. The primary function of a SIEM is to monitor data from multiple sources and identify, then alert on, suspicious behavior. We spend a lot of time talking about Windows and Microsoft 365 logs, but did you know the ConnectWise SIEM can also parse, store, and alert on syslog data? Syslog is a logging format and protocol available in many IoT devices. If your device supports syslog, you can send us that data, and we can start monitoring your IoT devices.
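To make the syslog point concrete, here is an added example (written for this article, not ConnectWise SIEM's parser or rules) of the two things a SIEM does with IoT syslog: parse RFC 3164-style lines into fields, then alert when one source address produces repeated authentication failures against one device within a short window. The log lines, hostnames, and addresses are constructed, and the failure message wording in FAIL_RE is invented for the hypothetical device; real devices word these messages differently, so that pattern is adjusted per vendor.

```python
"""Parsing and alerting on IoT syslog (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# RFC 3164 BSD syslog: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed message wording for a failed login on a hypothetical device
FAIL_RE = re.compile(
    r"authentication failure for user '(?P<user>[^']*)' from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_syslog(line, year=2024):
    """Return a dict of fields, or None if the line is not RFC 3164 syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    # PRI = facility * 8 + severity (RFC 3164 section 4.1.1); the timestamp carries no year
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "facility": pri // 8, "severity": SEVERITIES[pri % 8],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def detect_auth_bruteforce(events, threshold=5, window_s=60):
    """Alert when at least `threshold` failures from one source hit one host within window_s."""
    failures = defaultdict(list)  # (host, src) -> timestamps
    for e in events:
        m = FAIL_RE.search(e["msg"])
        if m:
            failures[(e["host"], m["src"])].append(e["ts"])
    alerts = []
    for (host, src), times in failures.items():
        times.sort()
        j = 0
        for i in range(len(times)):  # sliding window over sorted timestamps
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                alerts.append({"host": host, "src": src, "count": j - i,
                               "first": times[i], "last": times[j - 1]})
                break
    return alerts


# Constructed syslog lines as an IoT DVR and a router might emit them
SAMPLE_LOG = """\
<13>Mar  3 02:14:07 dvr-lobby login: authentication failure for user 'admin' from 203.0.113.9
<13>Mar  3 02:14:09 dvr-lobby login: authentication failure for user 'admin' from 203.0.113.9
<13>Mar  3 02:14:11 dvr-lobby login: authentication failure for user 'root' from 203.0.113.9
<13>Mar  3 02:14:12 dvr-lobby login: authentication failure for user 'support' from 203.0.113.9
<13>Mar  3 02:14:14 dvr-lobby login: authentication failure for user 'admin' from 203.0.113.9
<13>Mar  3 02:14:15 dvr-lobby login: authentication failure for user 'admin' from 203.0.113.9
<30>Mar  3 02:20:01 dvr-lobby recorder[412]: scheduled cloud backup started
<13>Mar  3 02:31:55 edge-router login: authentication failure for user 'admin' from 10.0.10.5
<12>Mar  3 02:40:00 edge-router kernel: link down on port 3
"""


def run(log_text=SAMPLE_LOG):
    """Parse every line that is valid syslog and return the brute-force alerts."""
    events = [e for e in (parse_syslog(line) for line in log_text.splitlines()) if e]
    return detect_auth_bruteforce(events)


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['host']}: {a['count']} failed logins from {a['src']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the constructed log the DVR's six failures from one address in eight seconds raise one alert, while the single failure on the router does not. Two details matter for IoT sources specifically: the device's clock is often wrong, so a SIEM normally stamps events with its own receive time rather than trusting the timestamp parsed here, and because the SIEM keeps its own copy, the record survives even if the attacker later wipes the device's local log.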
It isn’t only logs that go into a SIEM—it can also monitor and alert on network traffic. By including an IDS sensor with the ConnectWise SIEM, we can collect metadata, called NetFlow, about your network activity that can be used to identify anomalous behavior. This network traffic is also matched against signatures of known malicious activity that are regularly updated. For example, it’s the network traffic from our IDS where we get most of our data related to Mirai.
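The noisy scanning described earlier for Mirai is exactly the kind of behaviour flow metadata exposes, even without a signature match. The following is an added example, not ConnectWise's IDS or SIEM detection logic: over constructed NetFlow-style records it flags an internal device that opens many tiny connections to a large number of distinct external hosts on the same port within a short window, which is what an infected device looks like while it sweeps the internet. The record fields, the 10.0.0.0/8 internal address space, and the thresholds are this example's own assumptions.

```python
"""Worm-style scanning (fan-out) detection over flow metadata (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed address space of the managed site; anything outside it is treated as external
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    start: int      # seconds since capture start (constructed timebase)
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_fanout(flows, min_targets=20, window_s=60, max_packets=3):
    """Flag internal sources that reach >= min_targets distinct external hosts on one
    destination port within window_s, counting only tiny flows (SYN/RST sized)."""
    buckets = defaultdict(list)  # (src, dport) -> [(start, dst)]
    for f in flows:
        if f.packets <= max_packets and is_internal(f.src) and not is_internal(f.dst):
            buckets[(f.src, f.dport)].append((f.start, f.dst))
    alerts = []
    for (src, dport), items in buckets.items():
        items.sort()
        j = 0
        for i in range(len(items)):  # sliding window over flows sorted by start time
            while j < len(items) and items[j][0] - items[i][0] <= window_s:
                j += 1
            targets = {dst for _, dst in items[i:j]}
            if len(targets) >= min_targets:
                alerts.append({"src": src, "dport": dport, "targets": len(targets),
                               "window_start": items[i][0]})
                break
    return alerts


def constructed_flows():
    """Build a sample capture: one noisy camera, one normal workstation."""
    flows = []
    # Camera sweeping port 23 across external addresses: 1 packet each, 2 s apart
    for n in range(1, 41):
        flows.append(Flow(start=n * 2, src="10.0.20.12", dst=f"198.51.100.{n}",
                          dport=23, proto="tcp", packets=1, bytes=60))
    # The same camera's legitimate upload to its cloud service: a full session
    flows.append(Flow(start=5, src="10.0.20.12", dst="203.0.113.50", dport=443,
                      proto="tcp", packets=820, bytes=900_000))
    # Workstation browsing: a few sites, full sessions
    for n, site in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        flows.append(Flow(start=10 + n, src="10.0.10.5", dst=site, dport=443,
                          proto="tcp", packets=150, bytes=120_000))
    # Internal-only chatter is never counted as internet scanning
    flows.append(Flow(start=12, src="10.0.10.5", dst="10.0.10.20", dport=445,
                      proto="tcp", packets=2, bytes=120))
    return flows


if __name__ == "__main__":
    for a in detect_fanout(constructed_flows()):
        print(f"SCAN {a['src']} -> {a['targets']} external hosts on port {a['dport']} "
              f"within 60 s starting t={a['window_start']}s")
```

On the constructed capture only the camera is flagged: within the first 60-second window it touches 31 distinct external hosts on port 23 with single-packet flows, while its own cloud upload and the workstation's browsing are full sessions and never enter the count. A signature-based IDS would name the specific exploit attempt; this fan-out check catches the behaviour regardless of which of the known vulnerabilities is being tried, which is useful for variants whose payloads have not yet been signatured.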
For more information about critical network traffic monitoring, watch our on-demand webinar, Master Network Monitoring: An MSP’s Guide.
ConnectWise can help secure IoT devices
One of the goals of the CRU is to help keep MSPs informed about the actual threats facing them and their clients. Exploiting IoT devices is the third most common cyberthreat method, and it poses a significant risk to MSPs. As many of these devices are often overlooked, awareness and planning—with some help from ConnectWise SIEM and ConnectWise SOC Services™—can go a long way towards mitigating this risk.