IoT botnet bogs down college campus network

Verizon releases a sneak peek into a case in its annual breach report.

College campus building

Verizon’s annual Data Breach Investigations Report is scheduled to come out soon, but the team released an incident involving a college campus being hit by an internet of things (IoT) botnet — a botnet that took control of 5,000 systems.

The Verizon RISK Team performs cyber investigations for hundreds of commercial enterprises and government agencies annually. In 2015, Verizon's team was retained to investigate more than 500 cybersecurity incidents occurring in over 40 countries. (See last year's cases.) As a sneak peek of its latest report, Verizon released a case of an unnamed university attacked by a botnet.

Senior members of the university’s help desk had been receiving an increasing number of complaints from students across campus about slow or inaccessible network connectivity. Even with limited access, the help desk had found a number of concerns. The name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood, according to the Verizon report.

“As the servers struggled to keep up, legitimate lookups were being dropped — preventing access to the majority of the internet. While this explained the 'slow network' issues, it raised more concerning questions. From where were all these unusual DNS lookups coming? And why were there so many of them? Were students suddenly interested in seafood dinners? Unlikely,” the university employee noted.

Verizon’s RISK team requested that the university IT team collect the network and firewall logs and pass them along for review. All the logs were processed for known indicators of malicious activity and firewall logs were used to identify the sources of these requests.

The firewall analysis identified more than 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to the university's IoT infrastructure. Everything from light bulbs to vending machines had been connected to the network. While these IoT systems were supposed to be isolated from the rest of the network, it was found that they were all configured to use DNS servers in a different subnet, the university reported.

Of the thousands of domains requested, only 15 distinct IP addresses were returned. Four of these IP addresses and close to 100 of the domains appeared in recent indicator lists for an emergent IoT botnet. This botnet spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password – locking the IT team out of the 5,000 systems.

“This was a mess. Short of replacing every soda machine and lamp post, I was at a loss for how to remediate the situation. We had known repeatable processes and procedures for replacing infrastructure and application servers, but nothing for an IoT outbreak. The RISK Team was there to provide insight into how to proceed,” the university employee said.

Fortunately, there was a less drastic option than replacing all the IoT devices on campus. An analysis of previous malware samples had shown that the control password, used to issue commands to infected systems, was also used as the newly updated device password. These commands were typically received via HTTP and in many cases did not rely on SSL to encrypt the transmissions.

“If this was the case for our compromise, a full packet capture device could be used to inspect the network traffic and identify the new device password. The plan was to intercept the clear text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update. If conducted properly and quickly, we could regain control of our IoT devices,” the report said.

While they waited for the full packet capture solution to be set up, the IT department head instructed the network operations team to shut down all network access for the university’s IoT segments once they had intercepted the malware password.

With the packet capture device operational, it was a matter of hours before the university had a complete listing of new passwords assigned to devices. “With these passwords, one of our developers was able to write a script, which allowed us to log in, update the password, and remove the infection across all devices at once. The whole process took a matter of minutes and I made a mental note to save that script for later – although I prayed that we would never need it again,” the university employee stated.

verizon Verizon

Verizon reported that the underlying problem is that many IoT manufacturers are primarily designing their devices for functionality, and proper security testing often takes a back seat. It’s even more necessary with IoT devices that the buyer scrutinizes the security of any devices they use. IoT botnets spread quickly because they don’t face some of the problems conventional botnets do, due to the fact that IoT devices are often rarely patched or updated.

New! Download the State of Cybercrime 2017 report