Shikitega: Anatomy of an IoT/OT Threat

This past week researchers at AT&T Alien Labs disclosed a new piece of malware aimed at Linux and IoT/OT devices, which they named Shikitega.  Shikitega is designed to compromise Linux and IoT devices of virtually any size; the initial “dropper” stage is only 376 bytes (yes, bytes) and can run on even the smallest of devices.  So whether it is an IP camera, a Raspberry Pi-based IoT gateway, or any of the many other OT devices used by enterprises, the attack surface Shikitega can leverage is as vast and physically sprawling as the IoT devices within your business. 

Another aspect of Shikitega is how stealthy and persistent it is.  Without question this is an advanced threat: it uses a polymorphic encoder, so each stage decodes itself only when it runs and no two copies look alike to a signature scanner, and it dynamically assesses memory for where to place itself (making it harder to stop than threats that land in memory the same way each time).  The payload it drops is equally stealthy.  It initially deploys a Monero cryptocurrency miner, but it also deploys Mettle, Metasploit’s lightweight Meterpreter implementation, which brings a variety of capabilities ranging from webcam control to credential stealing. 

What makes Shikitega so dangerous (and why organizations can’t ignore this threat) falls into two main areas.  First, it is hard to detect because it is designed to avoid traditional threat detection.  That is a key reason why the Viakoo Action Platform has a service assurance module (Viakoo Service Assurance Manager).  By monitoring overall IoT system performance and behavior across the workflow, you not only get immediate alerting when things go wrong; more importantly, you get a digital twin containing historical operational data that shows when and where a device departs from its baseline.  While traditional threat detection may not catch Shikitega, an alert that onboard memory utilization in an IoT device has exceeded its normal threshold can be a clue that the device is infected. 

Secondly, Shikitega is not there to infect a single device; it is designed to spread efficiently across the entire IoT workflow, and because of its polymorphic encoding each copy looks different, so a signature written for one infected device does not help you find the next.  The command and control for Shikitega can be hosted in the cloud, the same kind of service many IoT systems already rely on for operations, so its traffic blends in.  In addition, commands and files are executed in memory, foiling anti-virus solutions that only scan storage.  That is why an IoT security platform must be able to look at tightly-coupled workflows separately from loosely-coupled devices (some IoT security solutions view the whole world as loosely coupled, a major flaw when it comes to threats like Shikitega).  In the case of a tightly-coupled IoT system, knowing which devices are connected to specific applications and infrastructure (like networking and storage) is critical to anticipating which systems are likely to be infected and where to focus remediation efforts. 
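One practical consequence of in-memory execution is that a payload that was written to an anonymous memory file or unlinked after it started leaves no file for a storage scanner to find, but the kernel still records where the process came from. The check below is an added example for this post, not Viakoo's product code and not Shikitega-specific: it reads the `/proc/<pid>/exe` symlink of every process on a Linux device and flags any whose executable is memfd-backed or has been deleted. The `SAMPLE_EXE_LINKS` table is constructed for illustration and stands in for what `readlink()` would return on a host running a memory-only payload.

```python
"""Flag Linux processes whose executable no longer exists on disk.

Added example; not from the original post or from Viakoo. A payload that was
exec'd from an anonymous memfd shows up in /proc/<pid>/exe as
'/memfd:<name> (deleted)', and one that was unlinked after exec shows up as
'<path> (deleted)'. A scanner that only looks at the filesystem sees neither.
"""
import os
from typing import Dict, List


def classify_exe_target(target: str) -> str:
    """Classify the readlink() result of /proc/<pid>/exe.

    Returns 'memfd', 'deleted' or 'ok'. The memfd check comes first because
    memfd-backed executables also carry the ' (deleted)' suffix.
    """
    if target.startswith("/memfd:") or target.startswith("memfd:"):
        return "memfd"
    if target.endswith(" (deleted)"):
        return "deleted"
    return "ok"


def find_memory_only_processes(exe_links: Dict[int, str]) -> List[dict]:
    """Return one finding per pid whose exe link is memfd-backed or deleted.

    exe_links maps pid -> readlink('/proc/<pid>/exe') result.
    """
    findings = []
    for pid, target in sorted(exe_links.items()):
        kind = classify_exe_target(target)
        if kind != "ok":
            findings.append({"pid": pid, "exe": target, "reason": kind})
    return findings


def read_proc_exe_links() -> Dict[int, str]:
    """Collect /proc/<pid>/exe link targets on a live Linux host.

    Kernel threads (no exe link) and processes we lack permission to inspect
    are skipped; run as root to see everything.
    """
    links: Dict[int, str] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            links[int(name)] = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue
    return links


# Constructed sample (assumption): what readlink() might return on a device
# where one stage runs from a memfd and another was unlinked after exec.
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    842: "/usr/sbin/sshd",
    1337: "/memfd:stage2 (deleted)",
    2048: "/tmp/.x/payload (deleted)",
}


if __name__ == "__main__":
    source = read_proc_exe_links() if os.path.isdir("/proc") else SAMPLE_EXE_LINKS
    for finding in find_memory_only_processes(source):
        print(f"pid {finding['pid']}: {finding['exe']} [{finding['reason']}]")
```

A `(deleted)` executable is a strong signal but not proof: a long-running daemon whose binary was replaced by a package upgrade looks the same, so correlate a hit with the device's memory and CPU baseline, and with its process tree, before treating it as an infection.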

With Shikitega the “arms race” of leveraging vulnerable IoT devices has taken a more serious turn, but the good news is there are actions you can and should be taking now to prevent it from crippling your business.  First, ensure all your assets are visible by using an agentless asset discovery solution that can detect and categorize both IT and IoT/OT devices.  With a complete inventory in hand, an IoT security platform that interoperates with your discovery solution can enrich the asset data with information about which devices are tightly-coupled and with historical information about their performance.  Using service assurance, set and monitor thresholds on device behavior (such as memory utilization, network traffic, or CPU loading) that would signal an active infection is taking place.  And while mitigating the threat with network access control is good in the short term, be prepared to remediate and return all devices to full network citizenship using an automated patch/update mechanism that can reach every device regardless of network segmentation. 
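The behavioral monitoring step above amounts to keeping a per-device baseline of normal operation and alerting when a new reading departs from it. The following is an added example written for this post, not Viakoo's Service Assurance Manager and not code from the AT&T Alien Labs report: it reduces the historical data to a mean and standard deviation per metric, then flags any metric in a fresh sample that sits more than `k` standard deviations from that mean in either direction. The device name, metric names, sample values and the `k`/`min_std` thresholds are all constructed for illustration.

```python
"""Baseline-deviation alerting for IoT device telemetry.

Added example; not part of the original post and not Viakoo product code.
Builds a per-metric baseline (mean, population standard deviation) from
historical samples and flags readings whose z-score exceeds k in either
direction, so a sudden rise in memory or CPU from a miner or dropper, or a
sudden drop from a crashed service, both surface.
"""
from statistics import mean, pstdev
from typing import Dict, List

Sample = Dict[str, float]  # e.g. {"mem_pct": 41.0, "cpu_pct": 12.0, "tx_kbps": 300.0}
Baseline = Dict[str, Dict[str, float]]


def build_baseline(history: List[Sample]) -> Baseline:
    """Per-metric mean and population standard deviation over the history."""
    baseline: Baseline = {}
    for metric in history[0]:
        values = [s[metric] for s in history]
        baseline[metric] = {"mean": mean(values), "std": pstdev(values)}
    return baseline


def deviations(sample: Sample, baseline: Baseline,
               k: float = 3.0, min_std: float = 1.0) -> List[dict]:
    """Return the metrics in `sample` more than k standard deviations from baseline.

    min_std floors the standard deviation so a near-constant metric does not
    alert on trivial jitter; k and min_std are assumed tuning values.
    """
    alerts = []
    for metric, stats in baseline.items():
        std = max(stats["std"], min_std)
        z = (sample[metric] - stats["mean"]) / std
        if abs(z) > k:
            alerts.append({"metric": metric, "value": sample[metric],
                           "baseline": round(stats["mean"], 2), "z": round(z, 2)})
    return alerts


# Constructed history (assumption): five quiet readings from an IP camera.
CAMERA_HISTORY: List[Sample] = [
    {"mem_pct": 40, "cpu_pct": 12, "tx_kbps": 300},
    {"mem_pct": 42, "cpu_pct": 11, "tx_kbps": 310},
    {"mem_pct": 41, "cpu_pct": 13, "tx_kbps": 295},
    {"mem_pct": 39, "cpu_pct": 12, "tx_kbps": 305},
    {"mem_pct": 41, "cpu_pct": 12, "tx_kbps": 300},
]

# Constructed reading (assumption): what a miner running on the camera might look like.
SUSPICIOUS_SAMPLE: Sample = {"mem_pct": 78, "cpu_pct": 95, "tx_kbps": 308}


def run_example() -> List[dict]:
    """Evaluate the constructed suspicious reading against the camera baseline."""
    return deviations(SUSPICIOUS_SAMPLE, build_baseline(CAMERA_HISTORY))


if __name__ == "__main__":
    for alert in run_example():
        print(f"ALERT camera-01 {alert['metric']}={alert['value']} "
              f"(baseline {alert['baseline']}, z={alert['z']})")
```

In practice the history window should be long enough to cover the device's normal daily and weekly rhythm (a camera's bitrate at night differs from daytime), and alerts from tightly-coupled devices should be grouped by the application they serve, since one infected gateway tends to pull its neighbors out of baseline shortly afterwards.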

As this is a new threat, Viakoo Labs will be keeping close tabs on what researchers find and what best practices emerge for dealing with it.  We’ll be hosting a webinar on September 21st at 10am Pacific/1pm Eastern that will go into more detail on the anatomy of this threat and how organizations can become more resilient to it.  Come join us and share your thoughts – register at https://www.brighttalk.com/webcast/18853/558629