Attack via compromised IoT Device on business client data defeated using SIEM system
Dolce Vita’s EventTracker SIEM system detected a compromised IoT device launching an attack against a client server in time to prevent and defeat it. The IoT device, a network-attached multi-function printer (capable of printing, scanning, copying, and faxing), had a vendor-managed remote connection that evidently became compromised: the printer’s administrative credential was overwritten, and the device began a dictionary attack against one of the servers holding sensitive data.
The SIEM system detected and alerted on the unusual behavior, which allowed the attack to be stopped, initially by disconnecting the device from the network and then by altering specific firewall rules. After additional research, the decision was taken to wipe the printer’s firmware and reconfigure the device.
The graphic shows the initial attack developing in early July. Following detection by the SIEM system, investigation revealed the device that was being used to mount the attack. After the device was reconnected to the network, several periods of testing were carried out to develop additional information (resulting in several “spikes” of attack attempts). Since late June the issue has been resolved, and the knowledge gained has been used to protect other clients.
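As an added example (not code from the original page or from the EventTracker product), this is the kind of detection logic a SIEM rule implements for the case above: a burst of failed logins from one source against one server, escalated when the source is an IoT device that should never authenticate. The log format, IP addresses and asset inventory are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the original page): a printer at
# 10.0.5.23 cycling through usernames against srv-data, plus one benign failure.
SAMPLE_LOGS = [
    "2019-07-02T03:14:01 srv-data sshd[410]: Failed password for root from 10.0.5.23 port 40001 ssh2",
    "2019-07-02T03:14:02 srv-data sshd[410]: Failed password for admin from 10.0.5.23 port 40002 ssh2",
    "2019-07-02T03:14:03 srv-data sshd[410]: Failed password for invalid user test from 10.0.5.23 port 40003 ssh2",
    "2019-07-02T03:14:04 srv-data sshd[410]: Failed password for oracle from 10.0.5.23 port 40004 ssh2",
    "2019-07-02T03:14:05 srv-data sshd[410]: Failed password for backup from 10.0.5.23 port 40005 ssh2",
    "2019-07-02T03:14:30 srv-data sshd[411]: Failed password for alice from 10.0.1.7 port 50001 ssh2",
]
# Hypothetical asset inventory: device classes that have no business logging
# in to servers, so any burst of failures from them is escalated.
ASSET_INVENTORY = {"10.0.5.23": "mfp-printer", "10.0.1.7": "workstation"}
IOT_CLASSES = {"mfp-printer"}
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")

def detect_dictionary_attack(lines, inventory, threshold=5, window_seconds=60):
    """Alert on sources with >= threshold failed logins to one host inside a
    sliding window. Distinct usernames mark a dictionary attack; an IoT source
    is escalated to critical because such devices never authenticate."""
    windows = defaultdict(deque)   # (src, host) -> timestamps of recent failures
    users = defaultdict(set)       # (src, host) -> usernames tried
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # accepted logins and other events are ignored
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["host"])
        q = windows[key]
        q.append(ts)
        users[key].add(m["user"])
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop failures older than the window
        if len(q) >= threshold and key not in alerts:
            asset = inventory.get(m["src"], "unknown")
            alerts[key] = {"src": m["src"], "host": m["host"], "failures": len(q),
                           "distinct_users": len(users[key]), "asset_class": asset,
                           "severity": "critical" if asset in IOT_CLASSES else "high"}
    return list(alerts.values())
```

The asset-class lookup is what turns a generic brute-force alert into the high-confidence signal described above: a printer appearing as a login source is anomalous regardless of the failure count.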