An unnamed university has suffered a DDoS attack at the hands of its own IoT devices, according to a sneak preview of Verizon's upcoming yearly data breach report.
The DDoS attack was caused by an unnamed IoT malware strain that connected to the university's smart devices, changed their default password, and then launched brute-force attacks to guess the admin credentials of nearby devices.
Investigators said that the hacked devices would then start an abnormally high level of DNS lookups that flooded the university's DNS server, which in turn resulted in the server dropping many DNS requests, including legitimate student traffic.
The university's IT team said that many of these rogue DNS requests were for seafood-related domains.
The one piece of good news in the attack was that the university had segmented its internal network and placed all IoT devices, such as light bulbs and vending machines, on their own separate subnet.
After a close inspection of server and firewall logs, Verizon's on-call investigative crew identified four suspicious IP addresses and close to 100 malicious domains, previously linked to an IoT botnet. This allowed the team to identify the malware and link it to a previously known strain.
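A log review of this kind can be approximated with a per-device query-rate check over the DNS server's query log. The following is an added example, not code from Verizon's report or the university; the log format, the `10.20.0.0/16` IoT subnet, the 30 queries-per-minute ceiling, and all addresses and domain names are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

IOT_SUBNET = ipaddress.ip_network("10.20.0.0/16")  # assumed IoT subnet
MAX_QPM = 30                                       # assumed per-device ceiling

def build_sample_log():
    """Constructed log lines: '<ISO timestamp> <client IP> <queried name>'."""
    lines = []
    # Noisy IoT device: 120 lookups inside a single minute.
    for i in range(120):
        lines.append(f"2017-02-01T10:00:{i % 60:02d} 10.20.3.7 "
                     f"sub{i % 4}.seafood-example.test")
    # Quiet IoT device, and a busy laptop outside the IoT subnet.
    lines.append("2017-02-01T10:00:05 10.20.3.8 time.example.test")
    for i in range(50):
        lines.append(f"2017-02-01T10:00:{i:02d} 10.30.1.9 www.example.test")
    lines.append("malformed line")
    return lines

def find_noisy_devices(lines, subnet=IOT_SUBNET, max_qpm=MAX_QPM):
    """Return IoT clients whose peak queries-per-minute exceeds max_qpm."""
    per_minute = defaultdict(Counter)  # client -> minute -> query count
    domains = defaultdict(Counter)     # client -> domain -> query count
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                   # skip lines that do not parse
        ts, client, qname = parts
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue
        if addr not in subnet:
            continue                   # only IoT devices are in scope
        per_minute[client][ts[:16]] += 1   # bucket by YYYY-MM-DDTHH:MM
        # Last two labels as a rough stand-in for the registered domain.
        labels = qname.rstrip(".").lower().split(".")
        domains[client][".".join(labels[-2:])] += 1
    report = {}
    for client, minutes in per_minute.items():
        peak = max(minutes.values())
        if peak > max_qpm:
            report[client] = {"peak_qpm": peak,
                              "top_domains": domains[client].most_common(3)}
    return report

if __name__ == "__main__":
    for client, info in find_noisy_devices(build_sample_log()).items():
        print(client, info)
```

The domains surfaced per flagged device are the values an analyst would then compare against threat-intelligence lists of known botnet infrastructure.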
Knowing what they were dealing with, Verizon found a flaw in the malware's mode of operation: the malware sent the new device admin password via unencrypted HTTP. Also, the same password was used for all infected devices.
This flaw allowed the university's IT staff to log network traffic, catch the new password, and write a script to reverse the malware's actions.
After this, it was a trivial task to take down the university's IoT subnet and launch the script to regain control over all IoT devices using a custom-set password.
The university said that over 5,000 smart devices had been taken over during this incident. More on the event's response and mitigation is available via a sneak preview of Verizon's 2017 Data Breach Digest report.
The Verizon Data Breach Digest is a yearly report that details some of the strangest security-related incidents that the Verizon Enterprise division has dealt with in the past year.
Last year, the report included accounts of how hackers had broken into a water treatment facility and modified water treatment parameters without even knowing what they were doing.
Another case detailed how sea pirates hired hackers to break into the systems of sea shipping companies, gather information on ships and their cargos, and then attack only vessels with high-value merchandise.
The robbed companies suspected something was wrong because pirates would board the ship and go straight to specific shipment boxes instead of sifting through all cargo. Verizon's 2017 Data Breach Digest report will be released at the end of the month, the start of March.