Verizon: malware turned a university’s soda machines into a botnet that downed its own network

A university recently came under a traffic attack from thousands of its own internet-connected and malware-infected soda machines, according to Verizon Enterprise.

An incident response manager at an unnamed university that had Verizon on a retainer details its episode with the Internet of Things distributed denial of service (DDoS) attack in the latest edition of Verizon’s Data Breach Digest.

According to Verizon’s report, the university’s IT help desk had brushed off a spike in complaints from students about network connectivity problems. However, as the number of complaints rose, it was escalated to the manager who initiated an investigation that revealed thousands of networked things, such as soda machines and lights, were clogging up the network with junk traffic.

The university’s name servers, which are responsible for Domain Name Service (DNS) lookups, “showed an abnormal number of sub-domains related to seafood”, according to Verizon’s brief.

“As the servers struggled to keep up, legitimate lookups were being dropped—preventing access to the majority of the internet. While this explained the “slow network” issues, it raised much more concerning questions. From where were all these unusual DNS lookups coming from? And why were there so many of them? Were students suddenly interested in seafood dinners?”, wrote the incident response manager.

Further analysis of firewall logs revealed that over 5,000 of the university’s internet-connected things were compromised with an unspecified malware.

While it’s not clear when the attack happened and Verizon doesn't name the malware, the account of the outbreak suggests it could be a variant of the infamous Mirai malware that was behind the 600 Gbps attack on cybercrime reporter Brian Krebs’ blog in September and several other high-impact attacks.

Early variants of the Mirai were designed to brute-force or guess a device’s default passwords for unsecured IoT devices, such as such as web cams and digital video recorders, and piggy-backing their network connections to direct attacks at specified targets.

According to the incident response manager, Verizon provided the university a report detailing known indicators of compromise (IOCs) found in the university's firewall and DNS logs.

“Of the thousands of domains requested, only 15 distinct IP addresses were returned. Four of these IP addresses and close to 100 of the domains appeared in recent indicator lists for an emergent IoT botnet,” says Verizon’s report.

“This botnet spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password – locking us out of the 5,000 systems.”

The university was able to regain control of the compromised devices by using a packet inspection tool that was able to glean the replacement passwords since the malware was often communicating to command servers over an unencrypted HTTP connection.

“The plan was to intercept the clear text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update. If conducted properly and quickly, we could regain control of our IoT devices,” the incident response manager wrote.

Verizon says that it only took a few hours to collect a complete list of the attacker’s passwords, which allowed it to write a script that automatically updated the passwords and removed the infection simultaneously across all infected devices.

Tags botnetIoTMirai source code

Show Comments