Many of you will remember the KNXlock attack campaign, which was uncovered and reported by Limes Security in 2022 and 2023. In this campaign, attackers leveraged OT-specific functions of the building automation standard KNX. Victims who had their KNX-based building automation system exposed to the internet ended up locked out of their own smart building capabilities, with little chance of recovery except for a rip-and-replace approach. Details of the original attack campaign, which was still observed to continue throughout 2023, are available here.
This is somewhat reminiscent of the compromised devices found on Shodan, where grey-hat hackers used default credentials to log in and then changed the hostname to “hacked router help default credentials”, apparently trying to notify the device owner that something was amiss. At this point it is unknown whether the same threat actor who started the KNXlock campaign is employing this new tactic, or whether a different actor is leveraging this known security issue with a new method. In these newer cases, too, no ransom requests have been reported.