Open MQTT broker → smart-estate takeover
Shodan-indexed MQTT broker on TCP/1883 with no auth. Subscribe to '#' to harvest every device topic; publish to relays/locks/lights/thermostats.
§ Context
Assumed environment: target organisation runs an MQTT broker (Mosquitto / EMQX) exposed publicly without auth — a depressingly common SMB / industrial config.
§ Steps
- 01 | Subscribe with retained payload backdoor | Initial Access | T1078 — Valid Accounts
- 02 | Enumerate device topics | Discovery | T1087 — Account Discovery
- 03 | Shodan: port:1883 anon | Reconnaissance | W-RECON-API-DISCO — API Endpoint Discovery
- 04 | mosquitto_sub -h <ip> -t '#' | Initial Access | IOT-MQTT-OPEN — MQTT Broker Open / No Auth
- 05 | Publish to control topics (relays / lights / locks) | Impact | OT-MODBUS-WRITE — Modbus TCP Write to PLC
§ References
- T1078 — Valid Accounts
- T1087 — Account Discovery
§ Frequently asked
- What is the "Open MQTT broker → smart-estate takeover" attack path?
- Shodan-indexed MQTT broker on TCP/1883 with no auth. Subscribe to '#' to harvest every device topic; publish to relays/locks/lights/thermostats. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Subscribe with retained payload backdoor (T1078) — an initial access primitive. Assumed environment: target organisation runs an MQTT broker (Mosquitto / EMQX) exposed publicly without auth — a depressingly common SMB / industrial config.
- What is the final impact of this kill-chain?
- The final step lands on Publish to control topics (relays / lights / locks) (OT-MODBUS-WRITE), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- SSRF → IMDS → cloud creds → lateral (shared techniques: 3)
  An image-fetcher / link-preview endpoint fetches attacker-controlled URLs server-side. Pivot to the cloud metadata service and steal the instance role credentials.
- z/OS TN3270 → RACF userID brute → mainframe shell (shared techniques: 2)
  Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow a predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.
- Open MongoDB → dump every collection (shared techniques: 2)
  Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection.
- Slack token in CI log → DM history → vendor mailbox compromise (shared techniques: 2)
  A CI run echoed a Slack xoxb-/xoxp- token. Use it to read DMs, harvest password-reset links and vendor invitations, pivot into the corporate mailbox.
- HMI default credentials → operations disruption (shared techniques: 2)
  Wonderware / iFix HMI exposed to the corporate network with vendor-default credentials. Operators see attacker-controlled values + commands sent to PLCs through legit channels.
- Engineering workstation → push payload to PLC (shared techniques: 2)
  Compromise the OT engineer's laptop (corporate-network adjacent, jumphost-reachable). Use legit engineering tools (TIA Portal / Studio 5000) to download attacker ladder logic to the PLC.