{"id":13545,"date":"2024-01-30T16:59:35","date_gmt":"2024-01-30T15:59:35","guid":{"rendered":"https:\/\/limessecurity.ninja\/a-new-twist-in-the-knxlock-attack-campaign\/"},"modified":"2026-03-04T08:55:25","modified_gmt":"2026-03-04T07:55:25","slug":"a-new-twist-in-the-knxlock-attack-campaign","status":"publish","type":"post","link":"https:\/\/limessecurity.com\/en\/a-new-twist-in-the-knxlock-attack-campaign\/","title":{"rendered":"A new Twist in the KNXlock Attack Campaign"},"content":{"rendered":"[vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” top_padding=”30″ text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none” gradient_type=”default” shape_type=””][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text css=”” text_direction=”default”]Many of you will remember the KNXlock attack campaign, which was uncovered and reported by Limes Security in 2022 and 2023. In this campaign, attackers leveraged OT specific functions in the building automation standard KNX. For victims who had their KNX-based building automation system exposed on the internet, this resulted in being locked out of their own smart building capabilities, with little chance of recovery, expect for a rip-and-replace approach. Details of the original attack campaign, which was still observed to continue throughout 2023, are available here<\/a>.[\/vc_column_text][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none”][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][image_with_animation image_url=”5942″ image_size=”full” animation_type=”entrance” animation=”None” animation_movement_type=”transform_y” hover_animation=”none” alignment=”” border_radius=”none” box_shadow=”none” image_loading=”default” max_width=”100%” max_width_mobile=”default”][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” top_padding=”30″ text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none” gradient_type=”default” shape_type=””][vc_column column_padding=”padding-3-percent” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”small_depth” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”2px” column_border_color=”#9e1510″ column_border_style=”solid” column_padding_type=”default” gradient_type=”default”][vc_column_text css=”” text_direction=”default”]Latest status as of January 2024: The attack campaign is surprisingly still ongoing, as we are still receiving requests from compromised building owners, both private home owners as well as commercial building operators. But lately, the actions in the attack campaign changed: <\/p>\n

In a recent surge of those cyberattacks targeting KNX devices, attackers are employing a new tactic when gaining access and successfully compromising a KNX system. The attackers are randomly setting keys and appending messages such as \u201csystem hacked bcu key xx1234xx.\u201d[\/vc_column_text][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” top_padding=”30″ text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none” gradient_type=”default” shape_type=””][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text text_direction=”default”]This reminds a bit of compromised devices found on Shodan, where grey-hat hackers utilized default credentials to log in, and then changed the hostname to \u201chacked router help default credentials\u201d, to somehow try to notify the owner of the device that something was amiss. At this point it is unknown whether the same threat actor who started the KNXlock campaign employs this new tactic, or a different one who is leveraging this known security issue with a new method. Also in the latter cases, no ransom requests have been reported.[\/vc_column_text][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” top_padding=”30″ text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none” gradient_type=”default” shape_type=””][vc_column column_padding=”padding-3-percent” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color=”rgba(158,21,16,0.1)” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”small_depth” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”2px” column_border_color=”#9e1510″ column_border_style=”solid” column_padding_type=”default” gradient_type=”default”][vc_column_text text_direction=”default”]Regardless of who is running this new tactic, our research team at Limes Security has developed a specialized tool designed to assist in the self-recovery of a compromised KNX device. Affected users\/owners of a compromised KNX system who find a message similar to \u201csystem hacked bcu key xx1234xx.\u201d are recommended to download the tool KNXunlocker<\/a>. Through a reduced key space, guessing of the correct BCU key und thus recovery may be possible within a few hours using a regular PC. Through that, we hope some victims might be able to regain access to their compromised KNX system on their own.[\/vc_column_text][nectar_btn size=”medium” open_new_tab=”true” button_style=”regular” button_color_2=”Accent-Color” icon_family=”none” text=”KNXunlocker” url=”https:\/\/github.com\/f0rw4rd\/knxunlocker”][\/vc_column][\/vc_row]\n","protected":false},"excerpt":{"rendered":"

[vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” top_padding=”30″ text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none” gradient_type=”default” shape_type=””][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″…<\/p>\n","protected":false},"author":5,"featured_media":13546,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[316],"tags":[],"class_list":{"0":"post-13545","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-insights"},"_links":{"self":[{"href":"https:\/\/limessecurity.com\/en\/wp-json\/wp\/v2\/posts\/13545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/limessecurity.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/limessecurity.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/limessecurity.com\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/limessecurity.com\/en\/wp-json\/wp\/v2\/comments?post=13545"}],"version-history":[{"count":0,"href":"https:\/\/limessecurity.com\/en\/wp-json\/wp\/v2\/posts\/13545\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/limessecurity.com\/en\/wp-json\/wp\/v2\/media\/13546"}],"wp:attachment":[{"href":"https:\/\/limessecurity.com\/en\/wp-json\/wp\/v2\/media?parent=13545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/limessecurity.com\/en\/wp-json\/wp\/v2\/categories?post=13545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/limessecurity.com\/en\/wp-json\/wp\/v2\/tags?post=13545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}