Scanning for DNS

Most people don't think of Big Box stores as technology centers. Brick-and-mortar retail is filled with aisles and carts and lines and people manning registers. But in reality, every store has become its own digital microcosm. Point-of-sale (POS) systems, inventory management tools, security cameras, and increasingly, in-store digital experiences—a trend known as "smart supermarkets" that include both smart carts and smart shelves that automatically track items for purchase.

Recently, a member of the ExtraHop customer success team was doing remote training with a large retail customer in North America. The retailer is your traditional Big Box store. They sell it all—groceries, clothing, toys, hardware, furniture. And they have a large footprint on the order of several thousand stores.

During the training, the security team asked to look at a view of an individual store to see what would come up. They chose a random store, and immediately started to see DNS lookups for a hostname that looked eerily like a model number: SCAN3500—and there was no domain, like '.customer.com' or '.local'—just that hostname. This immediately jumped out as odd. Usually lookups are machine.company.com (just replace 'www' with 'machine name'). Just seeing 'machine' without the domain might be okay at home, but it has no place in any real-world network.

After a moment of head-scratching, one of the trainees chimed in with, "I think that's a scanner."

Sure enough, a quick web search for 'SCAN3500 scanner' confirmed that the device in question was indeed a digital grocery scanner widely used in Big Box retail. Now the question was, "what else is the scanner doing?"

A search of records in Reveal(x) found that this same scanner was reaching out at 1 AM local time every night to what looks like the Linux update infrastructure.

"Wait, the scanners run Linux?" remarked one incredulous analyst.

Another web search confirmed that, yes, the scanners run Linux. It also confirmed that this particular model of scanner was an end-of-life product which the manufacturer was no longer updating. An end-of-life product attempting to update itself can become a beacon for threat actors, announcing a point of entry that's likely running out-of-date software and thus vulnerable to compromise. Now imagine the nightmare of having one or more of those in every one of your stores.

On February 4, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released a brief on the recently disclosed exploitation of Accellion file transfer appliances. In the report CISA explicitly mentions the following under 'Mitigations':

Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing. [ . . . ] Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.

Whether it's a file transfer appliance, a grocery scanner, or a medical device, end-of-life devices introduce cyber risk into the IT environment.

This kicked off several areas of investigation to determine the scope of the vulnerability. The security team immediately began working to determine whether this extended beyond one store and one scanner. If a company-wide misconfiguration left the scanners attempting to update themselves, it could easily lead to a configuration management nightmare with different scanners running different levels of software.

They also started looking into whether the DNS lookup for 'SCAN3500' is a default setting. If so, it would indicate that some scanners weren't properly deployed and are still using default settings, which can include default credentials that are exceptionally vulnerable to hacking.

All food puns intended.