According to Network World, an unnamed university’s vending machines, smart light bulbs and 5,000 other IoT devices were recently hijacked. Sounds fishy, huh? As it turned out, the attack on the school’s internal network was actually caused by a series of seafood-related DNS requests that appeared every fifteen minutes.
This story comes from a preview of Verizon’s 2017 Data Breach Digest Scenario. It outlines how the university’s network noticed a burst of interest in seafood-related domains, as well as an abnormal number of sub-domains related to seafood. Name servers responsible for Domain Name Service (DNS) lookups were struggling to keep up with the increased traffic, causing legit searches to be dropped and preventing access to a majority of the internet.
The Verizon RISK (Research, Investigations, Solutions and Knowledge) Team investigated the issue (presumably the university was a Verizon customer) and discovered that the university’s vending machines, light bulbs and thousands of other IoT devices were making seafood-related DNS requests every 15 minutes. Four of the returned IP addresses and about 100 of the requested domains showed up in an indicator list for an evolving IoT botnet. The botnet spread from one device to another by brute forcing weak and default passwords. After gaining control of the device, the malware would change the device’s password and lock out the university.
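As an added example (not taken from the Network World article or Verizon’s report), the Python below shows how a defender could flag clients whose DNS queries recur at roughly 15-minute intervals while cycling through sub-domains, the pattern described above. The log tuple format, function names, IP addresses and the domain `seafood-example.test` are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median


def base_domain(qname):
    # Assumption for this example: the registered domain is the last two
    # labels. Production code should consult the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def find_beacons(records, period=900, tolerance=60, min_queries=4):
    """records: iterable of (epoch_seconds, client_ip, qname) from DNS logs.

    Returns a sorted list of (client_ip, base_domain, distinct_names) for
    client/domain pairs whose queries repeat about every `period` seconds.
    """
    seen = defaultdict(list)
    for ts, client, qname in records:
        seen[(client, base_domain(qname))].append((ts, qname.lower()))

    hits = []
    for (client, domain), events in seen.items():
        if len(events) < min_queries:
            continue  # too few samples to judge periodicity
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        # The median gap tolerates a dropped or retried query.
        if abs(median(gaps) - period) <= tolerance:
            hits.append((client, domain, len({q for _, q in events})))
    return sorted(hits)


# Constructed sample data: 10.0.5.21 stands in for an IoT device that asks for
# a new sub-domain every ~15 minutes; 10.0.1.7 is a workstation with
# irregular lookups.
SAMPLE = [(1000 + i * 900 + jitter, "10.0.5.21", f"s{i}.seafood-example.test")
          for i, jitter in enumerate([0, 4, -3, 7, 1])]
SAMPLE += [(t, "10.0.1.7", "www.example.org") for t in (1010, 1090, 2500, 7000)]

if __name__ == "__main__":
    for client, domain, names in find_beacons(SAMPLE):
        print(f"{client} queries {domain} on a fixed schedule ({names} names)")
```

Grouping by client alone, rather than by client and domain, would also catch devices that spread their scheduled queries across many unrelated domains.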
The university was able to recover their devices by using a packet sniffer to intercept the new, clear-text passwords for compromised IoT devices and reset them. The report advises other organizations to “create separate network zones for IoT systems and air-gap them from other critical networks where possible,” and limit the amount of information stored in one place.
Read the full article at Network World here. Learn more about Verizon’s sneak peek report that includes mitigation and response tips here. Also, read more about the security risks present in IoT devices from WatchGuard CTO Corey Nachreiner and more about past botnets here on Secplicity.