The institution has not been identified by name. Its IT security staff contacted the Verizon RISK team (Research, Investigations, Solutions and Knowledge) after receiving complaints from a number of students about slow or unresponsive Internet service.
Seafood sub-domain requests point to campus vending machines
According to Verizon’s Data Breach Digest report, the team discovered a flood of requests on the university’s DNS servers “associated with a particularly high number of sub-domains related to seafood” that were originating from over 5,000 discrete systems “making hundreds of DNS lookups every 15 minutes”.
Apparently, the attackers had gained access to the university’s smart vending machines and a variety of other IoT devices, including connected lights, and loaded them with botnet software designed to control them as a group and have them send those requests through the university’s central IT department servers. The software, according to the report, had also been capable of changing individual machine passwords, thereby locking IT staff out of the network of several thousand systems.
Verizon intercepted botnet calls by changing device passwords
Verizon’s team was able to inspect the network traffic using a packet sniffer, “intercept the clear text password for a compromised IoT device,” and then perform a password change prior to the next malware update. While the source of the botnet remains unknown, a senior member of the IT security team was thankfully able to identify the suspicious situation after a sudden influx of seafood requests.
“While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet,” the incident responder explained. “Of the thousands of domains requested, only 15 distinct IP addresses were returned. Four of these IP addresses and close to 100 of the domains appeared in recent indicator lists for an emergent IoT botnet. This botnet spread from device to device by brute-forcing default and weak passwords.”
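The pattern the responders describe (hundreds of lookups per 15-minute window from each of thousands of sources, thousands of distinct names collapsing onto a handful of resolved IPs, some of which match an indicator list) can be checked mechanically against resolver query logs. The script below is an added example and is not Verizon's tooling or anything from the report; the log record layout, the thresholds, the seafood-themed names and every IP address are assumptions or constructed test data.

```python
"""Flag DNS-query patterns like the campus IoT botnet case: many sources making
hundreds of lookups per 15-minute window for many distinct names that resolve
to only a few IPs, some of which appear on an indicator list.

Added example, not Verizon's code. Record layout (timestamp, source_ip, qname,
answer_ip), thresholds, names and addresses are assumptions / constructed data.
"""
from collections import Counter
from datetime import datetime, timedelta

WINDOW_MINUTES = 15
LOOKUPS_PER_WINDOW = 100   # assumed threshold; report says "hundreds ... every 15 minutes"

SEAFOOD = ["prawn", "oyster", "cod", "tuna", "squid", "clam", "crab", "trout"]
# Constructed answers and indicators (RFC 5737 TEST-NET ranges, .invalid TLD).
BOTNET_ANSWERS = ["198.51.100.7", "198.51.100.8", "203.0.113.21"]
IOC_IPS = {"203.0.113.21", "203.0.113.99"}
IOC_DOMAINS = {"prawn16.example.invalid", "squid4.example.invalid"}


def build_sample_log():
    """Constructed resolver log as a list of (timestamp, source_ip, qname, answer_ip)."""
    t0 = datetime(2017, 2, 1, 9, 0, 0)
    records = []
    # Five vending-machine-like sources, each making 120 lookups inside one window.
    for dev in range(5):
        src = f"10.20.0.{10 + dev}"
        for i in range(120):
            name = f"{SEAFOOD[i % len(SEAFOOD)]}{dev * 120 + i}.example.invalid"
            records.append((t0 + timedelta(seconds=7 * i), src, name,
                            BOTNET_ANSWERS[i % 3]))
    # One ordinary workstation with a normal query pattern.
    for i in range(6):
        records.append((t0 + timedelta(minutes=2 * i), "10.10.0.5",
                        "mail.example.invalid", "192.0.2.10"))
    return records


def window_of(ts):
    """Floor a timestamp to the start of its 15-minute window."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES,
                      second=0, microsecond=0)


def noisy_sources(records, threshold=LOOKUPS_PER_WINDOW):
    """Sources that reach the lookup threshold in any single window."""
    per_window = Counter((src, window_of(ts)) for ts, src, _, _ in records)
    return sorted({src for (src, _), n in per_window.items() if n >= threshold})


def fan_in(records, sources):
    """Count distinct names vs. distinct answers for the given sources.
    Many names collapsing onto a few IPs is the shape seen in the case."""
    names, answers = set(), set()
    for _, src, name, answer in records:
        if src in sources:
            names.add(name)
            answers.add(answer)
    return len(names), len(answers)


def indicator_hits(records, sources, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Names and answer IPs from suspect sources that appear on an indicator list."""
    hit_names, hit_ips = set(), set()
    for _, src, name, answer in records:
        if src not in sources:
            continue
        if name in ioc_domains:
            hit_names.add(name)
        if answer in ioc_ips:
            hit_ips.add(answer)
    return sorted(hit_names), sorted(hit_ips)


def analyse(records):
    """Run the three checks and return a summary dict."""
    sources = noisy_sources(records)
    names, answers = fan_in(records, set(sources))
    hit_names, hit_ips = indicator_hits(records, set(sources))
    return {"sources": sources, "distinct_names": names,
            "distinct_answers": answers, "ioc_domains": hit_names, "ioc_ips": hit_ips}


if __name__ == "__main__":
    for key, value in analyse(build_sample_log()).items():
        print(f"{key}: {value}")
```

The three checks are deliberately independent: a rate threshold alone produces false positives on busy servers, and an indicator list alone misses a botnet whose infrastructure has rotated, but a source that trips the rate check, shows the many-names-to-few-IPs fan-in, and touches known indicators is worth a look. On the constructed data the five 10.20.0.x devices are flagged, their 600 distinct names resolve to only three addresses, and one of those addresses plus two names match the constructed indicator list; the workstation is not flagged.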
“With the packet capture device operational, it was only a matter of hours before we had a complete listing of new passwords assigned to devices. With these passwords, one of our developers was able to write a script, which allowed us to log in, update the password, and remove the infection across all devices at once.”
The company’s Data Breach Digest was rather kind and helpful, advising the security team to create separate zones for IoT systems and “air-gap” them from other critical networks where possible. “Don’t keep all your eggs in one basket,” it reads.
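The responders noted that the IoT devices were supposed to be isolated but were configured to use DNS servers in a different subnet, and the report's advice is a separate zone for IoT systems. One way to express that zoning on a Linux router is shown below. This is an added example, not a configuration from the report or the university; the interface name, the subnets and the resolver address are assumptions.

```nftables
# Added example (not from the report): nftables ruleset for a dedicated IoT zone.
# Interface name, subnets and the resolver address are assumptions.
table inet iot_zone {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # The IoT VLAN may talk only to the resolver placed in its own service zone ...
        iifname "vlan-iot" ip saddr 10.20.0.0/24 ip daddr 10.20.1.2 udp dport 53 accept
        iifname "vlan-iot" ip saddr 10.20.0.0/24 ip daddr 10.20.1.2 tcp dport 53 accept

        # ... and never the rest of the campus address space, including DNS
        # servers that live in other subnets.
        iifname "vlan-iot" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop

        # Any vendor telemetry that must leave the zone gets an explicit rule here;
        # everything else is logged so new outbound patterns from the zone are visible.
        iifname "vlan-iot" log prefix "iot-zone-drop " drop
    }
}
```

The point of the last rule is the same one the responders relied on: a device that can only reach one resolver, and whose every other attempt is logged, makes a sudden burst of lookups visible at a single choke point instead of spread across DNS servers in other subnets.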