The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout reveal.
The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewalls (CVE-2023-28771) and a follow-on activity cluster that saw the attackers deploy Mirai botnet variants on infected hosts via an as-yet-unknown initial access vector.
The first wave took place on May 11, while the second wave lasted from May 22 to 31, 2023. In one such attack detected on May 24, it was observed that the compromised system was communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) that were previously used as command-and-control (C2) for the now-dismantled Cyclops Blink botnet.
Forescout's closer examination of the attack campaign, however, has revealed that not only were the two waves unrelated, but they were also unlikely to be the work of the state-sponsored group, owing to the fact that the second wave was part of a broader mass exploitation campaign against unpatched Zyxel firewalls. It is currently not known who is behind the twin sets of attacks.
"The campaign described as the 'second wave' of attacks on Denmark started before and continued after [the 10-day period], targeting firewalls indiscriminately in a very similar manner, only changing staging servers periodically," the company said in a report aptly titled "Clearing the Fog of War."
There is evidence to suggest that the attacks may have begun as early as February 16 using other known flaws in Zyxel devices (CVE-2020-9054 and CVE-2022-30525) alongside CVE-2023-28771, and persisted as late as October 2023, with the activity singling out various entities across Europe and the U.S.
"This is further evidence that exploitation of CVE-2023-27881, rather than being limited to Danish critical infrastructure, is ongoing and targeting exposed devices, some of which just happen to be Zyxel firewalls protecting critical infrastructure organizations," Forescout added.