A university IT system was brought to a near-standstill by a cyberattack from inside its own firewall, when more than 5,000 connected devices on its internal network — from vending machines to lighting systems — became infected with malware, according to a new report.
Verizon’s 2017 Data Breach Digest report, released here at the massive RSA security conference in San Fransisco on Tuesday, contains 16 sanitized and anonymized case studies investigated by its Research, Investigations, Solutions and Knowledge, or RISK, team over the last year.
“It’s a way of getting across the reality of data breaches,” said Bryan Sartin, executive director of Verizon Global Security Services. “The entries are written by key players at our client [companies], so it also gives you a little bit of the human dimension … what it’s like to be at the center of an incident,” Sartin told CyberScoop during a brief interview at the Verizon booth.
The company says that to preserve the anonymity of its clients, the report modifies or excludes “certain details of each real-world situation including changing names [and] geographic locations.”
The case-study code-named Panda Monium describes an incident at a university whose IT security staff suddenly found the network slowed to a crawl by a massive number of Domain Name System lookups. DNS translates written internet addresses — like www.CyberScoop.com, for instance — into the numeric IP addresses that computers use to find websites.
The university’s DNS servers were, it turned out, being overloaded by more than 5,000 connected Internet of Things devices, that were sending address lookups every 15 minutes for seafood restaurants — overwhelming them with requests so that real users couldn’t connect to the websites they were trying to reach.
“This was a network effectively carrying out a [Distributed Denial of Service, or] DDoS attack against itself,” said Jason Street of security firm Pwnie Express.
The IoT devices had been infected by malicious software that guessed weak or default passwords, installed itself on the device, and then changed the password — effectively locking out the IT department.
“This was a mess,” wrote the university’s IT security incident commander. “Short of replacing every soda machine and lamp-post, I was at a loss as to how to remediate the situation.”
Fortunately, the new passwords the malware programmed into the devices were communicated unencrypted with the malware’s command and control infrastructure, and the university’s IT security staff were able to recover it through scanning their network traffic and then use the new password to regain control of the infected devices.
In many enterprises, explained Pwnie Express CEO Paul Paget, the IT department has little control over or even visibility into, connected IoT devices. Their security is notoriously poor, in part because manufacturers certainly can’t be relied upon to build them securely.
And because these devices are inside the firewall — the virtual barrier around the enterprise’s network — blocking the attacks can be very hard.
“Can you imagine how such an attack might affect a major corporation?” he asked CyberScoop during an interview, “What would happen if they can’t use the internet, can’t send email?”
“It’s not theoretical,” he added, “This is happening more and more. We see it with our customers all the time.”