University attacked by its own vending machines and other IOT devices
University attacked by its own vending machines and other IOT devices

An unnamed University was attacked by some 5,000 campus devices from its vending machines to light sensors, “and all IOT devices” according to the Verizon 2017 Data Breach Digest (DBD) being released this month.

Talking to, Laurance Dine leader of Verizon's digital forensics team in Europe, explained that a primary facilitating factor was that the University's administrative network was indvertently connected to its IoT device network.  The attacker appears to have come in through the admin network and changed the default credentials on the devices, and given them new passwords.

The university initially realised that there was a problem when a member of the IT Security Team took a turn on the ‘incident commanders' team and discovered there had been and increasing number of complaints from students across campus about slow or inaccessible network connectivity which had previously been written off.

The name servers responsible for Domain Name Service (DNS) lookups were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood – to the extent that legitimate lookups were being dropped, so most access to the internet was lost.  But the question was, where were the strange seafood DNS lookups coming from and why were there so many.

The Verizon RISK team was called in and all logs were processed for known indicators of malicious activity, with the firewall analysis indentifying more than 5,000 discrete systems which were making hundreds of DNS lookups every 15 minutes, primarily from within the segment of the network dedicated to the IOT infrastructure.  Dine confirmed that had the situation persisted it could have shut down the University, denying access to anything.

Despite the thousands of domains requested, only 15 distinct IP addresses were returned, with four IP  addresses and near 100 domains in recent indicator lists for an emergent IOT botnet. Using brute force on default and wak passwords, the malware gained full control of he devices, and changed the devices' passwords, locking the university out of 5,000 systems.  Initially it seemed that all devices would need to be replaced.  But a packet sniffer identified a clear password and by intercepting a clear password for a compromised IOT device, and carrying out a password change before the next malware update, it was possible to regain control over the devices and switch the system off.

The lessons learned, say Verizon, include ensuring you have separate network zones for IoT systems and air-gap them from other critical networks where possible.  Don't allow direct ingress or egress connectivity to the internet.  Change default credentials on devices and use strong unique passwords.  Monitor events and logs regularly; hunt for endpoint threats, scan from open remote access protocols and disable commonly unused and unsecured features that are not required.  And do include IOT devices in your IT asset inventory plus check for firmware updates from manufacturers.

Verizon declined to say where the university is or when the attack occurred, other than during the past year, but did suggest it indicated a growing threat in IOT devices, even though this was the only ‘self-attacking' botnet it knew of, it did expect more to come.  Describing the growing IOT as a vast DDOS threat, Dine noted, “People who haven't got laptops will be getting connected fridges – they won't know to change default passwords.”

Further conclusions from the report will be covered in future articles.