VMblog Expert Interview: Zscaler Talks ThreatLabz Research Findings and IoT Security Trends


The Zscaler ThreatLabz research team recently released a critical deep dive into the use of sanctioned and unsanctioned IoT devices during a time when businesses were forced to move to a remote working environment.  Their new report, "IoT in the Enterprise: Empty Office Edition," analyzed over 575 million device transactions and 300,000 IoT-specific malware attacks blocked by Zscaler over the course of two weeks in December 2020. 

To find out more about the findings, and to discuss recent IoT security trends, we spoke with Zscaler's CISO and VP of Security Research and Operations, Deepen Desai.

VMblog:  What was the most surprising result of this report?

Deepen Desai:  Zscaler's "IoT in the Enterprise: Empty Office Edition" report analyzed over 575 million device transactions and 300,000 IoT-specific malware attacks blocked by our organization. From this research, we were most surprised by the 700 percent increase in IoT malware on corporate networks and the fact that entertainment and home and automation devices posed the most risk due to their variety, low percentage of encrypted communication, and connections to suspicious destinations. We were also surprised to find that Gafgyt and Mirai, IoT malware families popularly used in botnets, accounted for 97 percent of all the IoT malware payloads blocked by the Zscaler cloud.

VMblog:  This 700 percent increase in IoT-specific malware attacks that you mention: how significant of a role did COVID-19 play in this increase?

Desai:  The COVID-19 pandemic is affecting every facet of our daily lives, including the ways cybercriminals exploit their victims. It has left many corporate offices eerily quiet and devoid of employees and cybercriminals took notice. Throughout our research over the last 18 months, our team has seen a drastic increase in suspicious activity across the world, with many malicious actors searching and exploiting the vulnerabilities left unaddressed due to the pandemic. Each user in every organization must develop a heightened state of awareness, as cybercriminals will continue to use the current global crisis as an opportunity to target and compromise end-user systems.

VMblog:  How did the IoT-specific malware attacks vary from region to region and country to country?

Desai:  Our report revealed that most attack servers were located in China, the United States, and India. These are the geographic locations where the servers used for attacks were based, though it isn't always where the cybercriminals themselves were located. Additionally, most targets of IoT-based attacks were in Ireland, the United States, and China.

ThreatLabz looked at the countries that IoT devices were routing data to, referred to as "destinations." Most of this communication is legitimate, with the IoT devices doing what they are designed to do, which is send and receive data. The United States was by far the top destination, receiving 69 percent of traffic, followed by Great Britain (11 percent) and Ireland (10 percent).

VMblog:  Are there any key trends the ThreatLabz team observed in types of devices attacked?

Desai:  IoT device exploits can provide attackers with access both to the device and to connected networks, which enables all sorts of malicious activity. Mirai and Gafgyt are particularly known for using devices to create botnets, networks of devices under an attacker's control that allow for large-scale coordinated attacks. Botnets have been used for distributed denial-of-service (DDoS) attacks, financial breaches, cryptocurrency mining, and targeted intrusions, just to name a few. The Mirai botnet is known for waging what was the largest DDoS attack in history back in 2016, causing widespread internet outages.

ThreatLabz evaluated attempted botnet callbacks as part of this malware study, and found that attackers were targeting IoT devices such as CCTVs, DVRs, NVRs, and internet routers, as well as other networking devices.

Additionally, as the "Internet of Things" expands to new categories, a greater variety of devices continue to come online which may be completely off the radar of IT teams. While these devices are all connected to the internet, they have varying levels of security, meaning that a malicious actor could breach an insecure device once and then use that entry point to laterally attack corporate networks. This is why we advocate a zero trust approach, which can insulate less-secure devices and protect sensitive network data.

VMblog:  How exactly does a Zero Trust infrastructure help enterprise organizations against cyberattacks?

Desai:  Organizations across industries have thousands of IoT devices on their networks, and these devices have proven to be particularly vulnerable to attacks. As IoT devices grow in volume and variety, Zero Trust is critical. Isolating IoT networks and implementing identity-based access controls are among the most important measures that organizations can take to mitigate risk. The Zscaler™ Zero Trust Exchange™ platform enables true zero trust by connecting dynamically authenticated devices directly to the applications they need without ever exposing the network.

VMblog:  What can organizations do to protect themselves from this growing number of insecure IoT devices?


  • Gain visibility into all your network devices. Deploy solutions able to review and analyze network logs to understand all devices communicating across your network and what they do.
  • Change all default passwords. Password control may not always be possible, but a basic first step for deploying corporate-owned IoT devices should be to update passwords and deploy two-factor authentication.
  • Update and patch regularly. Many industries, particularly manufacturing and healthcare, rely on IoT devices for their day-to-day workflows. Make sure you stay apprised of any new vulnerabilities that are discovered, and that you keep device security up-to-date with the latest patches.
  • Implement a zero trust security architecture. Enforce strict policies for your corporate assets so that users and devices can access only what they need, and only after authentication. Restrict communication to relevant IPs, ASNs, and ports needed for external access. Unsanctioned IoT devices that require internet access should go through traffic inspection and be blocked from all corporate data, ideally through a proxy. The only way to stop shadow IoT devices from posing a threat to corporate networks is to eliminate implicit-trust policies and tightly control access to sensitive data using dynamic identity-based authentication, also known as zero trust.
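The first and fourth recommendations above (inventory every device from network logs, then restrict each device to the destinations and ports it actually needs) can be turned into a simple log review. The following is an added example written for this article; it is not code from Zscaler or from the ThreatLabz report. It assumes a hypothetical one-line-per-transaction log format (timestamp, source IP, inventory label or "-" for unknown devices, destination IP, destination port, encryption flag) and a hypothetical per-device-class allowlist; the log lines themselves are constructed sample data. It flags unsanctioned (shadow) devices, plaintext sessions, and connections outside policy, and reports the share of encrypted traffic, the same signals the report uses to rank device risk.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample log (not from the report). Fields per line:
# timestamp, source IP, inventory label ("-" = not in asset inventory),
# destination IP, destination port, "tls" or "plain".
SAMPLE_LOG = """\
2020-12-14T08:01:02Z 10.20.5.11 cctv-lobby 203.0.113.10 443 tls
2020-12-14T08:01:09Z 10.20.5.11 cctv-lobby 203.0.113.10 443 tls
2020-12-14T08:02:30Z 10.20.5.12 dvr-rack3 198.51.100.7 80 plain
2020-12-14T08:03:15Z 10.20.7.40 - 192.0.2.99 23 plain
2020-12-14T08:03:20Z 10.20.7.40 - 192.0.2.99 8080 plain
2020-12-14T08:04:00Z 10.20.9.3 smart-tv-boardroom 203.0.113.10 443 tls
2020-12-14T08:04:05Z 10.20.9.3 smart-tv-boardroom 198.51.100.200 443 tls
"""

# Hypothetical allowlist: for each sanctioned device class, the external
# (network, port) pairs it is permitted to reach. Anything else is a finding.
ALLOWED_DESTINATIONS = {
    "cctv": [(ipaddress.ip_network("203.0.113.0/24"), 443)],
    "dvr": [(ipaddress.ip_network("203.0.113.0/24"), 443)],
    "smart-tv": [(ipaddress.ip_network("203.0.113.0/24"), 443)],
}


@dataclass
class DeviceReport:
    label: str
    transactions: int = 0
    plaintext: int = 0
    findings: set = field(default_factory=set)


def device_class(label):
    """Inventory labels are '<class>-<location>'; '-' means unknown device."""
    return None if label == "-" else label.rsplit("-", 1)[0]


def is_allowed(dev_class, dst_ip, dst_port):
    """True when (dst_ip, dst_port) is inside the class's allowlist."""
    return any(dst_ip in net and dst_port == port
               for net, port in ALLOWED_DESTINATIONS.get(dev_class, []))


def analyze(log_text):
    """Build a per-source-IP report with risk findings from the log."""
    reports = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, label, dst, port, enc = line.split()
        rep = reports.setdefault(src, DeviceReport(label))
        rep.transactions += 1
        dst_ip, dst_port = ipaddress.ip_address(dst), int(port)
        cls = device_class(label)
        if cls is None:
            # Shadow IoT: talking on the network but absent from the inventory
            rep.findings.add("unsanctioned device (not in inventory)")
        if enc != "tls":
            rep.plaintext += 1
            rep.findings.add(f"plaintext session to {dst}:{dst_port}")
        if cls is not None and not is_allowed(cls, dst_ip, dst_port):
            rep.findings.add(
                f"destination {dst}:{dst_port} outside policy for class {cls}")
    return reports


def risky_devices(reports):
    """Source IPs with at least one finding, sorted for stable output."""
    return sorted(src for src, rep in reports.items() if rep.findings)


def encrypted_share(reports):
    """Fraction of all transactions that used TLS (0.0 when the log is empty)."""
    total = sum(r.transactions for r in reports.values())
    plain = sum(r.plaintext for r in reports.values())
    return (total - plain) / total if total else 0.0


if __name__ == "__main__":
    reps = analyze(SAMPLE_LOG)
    print(f"encrypted share: {encrypted_share(reps):.0%}")
    for src in risky_devices(reps):
        print(src, reps[src].label, sorted(reps[src].findings))
```

In practice the allowlist would come from the device owner's documented needs rather than from observed traffic, since deriving policy from what a device already does would bake any existing beaconing into the policy; the unsanctioned-device finding is the cue to route that device through an inspecting proxy and away from corporate data, as the last recommendation describes.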

VMblog:  Where can readers learn more about Zscaler and research conducted by their ThreatLabz team?

Desai:  You can learn more about the report and our ThreatLabz team at:


Published Tuesday, August 03, 2021 7:32 AM by David Marshall