In the first half of 2023, malware activity in OT and IoT environments worldwide jumped 10x and alerts on unwanted applications doubled as nation-states, criminal groups and hacktivists continue to target healthcare, energy and manufacturing, according to the latest Nozomi Networks Labs OT & IoT Security Report: Unpacking the Threat Landscape with Unique Telemetry Data.

Unique telemetry from Nozomi Networks Labs collected from OT and IoT environments covering a variety of use cases and industries worldwide found malware-related security threats spiked 10x over the last six months.  

In the broad category of malware and potentially unwanted applications, activity increased 96%. Threat activity related to access controls more than doubled. Poor authentication and password hygiene topped the list of critical alerts for a second consecutive reporting period though activity in that category declined 22% over the previous reporting period.

"There is good news and bad news in this latest report," says Chris Grove, Nozomi Networks Director of Cybersecurity Strategy. 

"A significant decrease in activity per customer in categories such as authentication and password issues and suspicious or unexpected network behaviour suggests that efforts to secure systems in these areas may be paying off. On the other hand, malware activity increased dramatically, reflecting an escalating threat landscape. Its time to put the pedal to the metal in shoring up our defenses."

Below is the list of top critical threat activity in real world environments over the last six months:

1.     Authentication and Password Issue down 22%

2.     Network Anomalies and Attacks up 15%

3.     Operational Technology (OT) Specific Threats down 20%

4.     Suspicious or Unexpected Network Behavior down 45%

5.     Access Control and Authorisation up 128%

6.     Malware and Potentially Unwanted Applications up 96%

Specific to malware, denial-of-service (DOS) activity remains one of the most prevalent attacks against OT systems. This is followed by the remote access trojan (RAT) category commonly used by attackers to establish control over compromised machines. Distributed denial of service (DDoS) threats are the top threat In IoT network domains.

Data from IoT Honeypots

Malicious IoT botnets remain active this year. Nozomi Networks Labs uncovered growing security concerns as botnets continue to use default credentials in attempts to access IoT devices.

From January through June 2023, Nozomi Networks honeypots found an average of 813 unique attacks daily the highest attack day hit 1,342 on May 1st; top attacker IP addresses were associated with China, the United States, South Korea, Taiwan and India; and brute-force attempts remain a popular technique to gain system access default credentials are one of the main ways threat actors gain access to IoT/

ICS Vulnerabilities

On the vulnerability front, Manufacturing and Energy and Water/Wastewater remain the most vulnerable industries. Food & Agriculture and Chemicals move into the top five replacing Transportation and Healthcare, which were among the top 5 most vulnerable sectors in the previous six-month reporting period. 

In the first half of 2023, CISA released 641 Common Vulnerabilities and Exposures (CVEs). 62 vendors were impacted, and Out-of-Bounds Read and Out-of-Bounds Write vulnerabilities remained in the top CWEs – both are susceptible to several different attacks including buffer overflow attacks.