The cyberattack aimed at Viasat that briefly knocked KA-SAT modems offline on February 24, 2022, the same day Russian forces invaded Ukraine, is believed to have been the result of wiper malware, according to the latest research from SentinelOne.
The findings come as the U.S. telecom company disclosed that it was the target of a "multifaceted and deliberate" cyberattack against its KA-SAT network, linking it to a "ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network."
Upon gaining access, the adversary issued "destructive commands" on tens of thousands of modems belonging to the satellite broadband provider that "overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable."
But SentinelOne said it discovered a new piece of malware on March 15 that casts the whole incident in a new light: a supply chain compromise of the KA-SAT management mechanism to deliver the wiper, dubbed AcidRain, to the modems and routers and achieve scalable disruption.
AcidRain is built as a 32-bit MIPS ELF executable that "performs an in-depth wipe of the filesystem and various known storage device files," researchers Juan Andres Guerrero-Saade and Max van Amerongen said. "If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem."
Once the wiping process is complete, the device is rebooted to render it inoperable. This makes AcidRain the seventh wiper strain to be discovered since the start of the year in connection with the Russo-Ukrainian war, after WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.
Further analysis of the wiper sample has also uncovered an "interesting" code overlap with a third-stage plugin ("dstr") used in attacks involving a malware family called VPNFilter, which has been attributed to the Russian Sandworm (aka Voodoo Bear) group.
In late February 2022, intelligence agencies from the U.K. and the U.S. disclosed a successor to VPNFilter, calling the replacement framework Cyclops Blink.
That said, it is still unclear how the threat actors obtained access to the VPN. In a statement shared with Ars Technica, Viasat confirmed that data-destroying malware was indeed deployed on modems using "legitimate management" commands but has refrained from sharing further details, citing an ongoing investigation.
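The article describes AcidRain only at the level of "a 32-bit MIPS ELF executable", which is exactly the kind of property a responder uses for first-pass triage of files recovered from embedded devices. The following is an added example, not SentinelOne's or Viasat's code: it parses the ELF identification bytes and machine field directly from the header, so that a practitioner can flag binaries matching a given class and architecture for closer analysis. The sample headers are constructed inline for illustration; the constants come from the ELF specification. Matching the header profile says nothing about whether a file is malicious, it only narrows what to look at.

```python
import struct

# Constants from the ELF specification (e_ident indices and values)
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_MIPS, EM_ARM, EM_X86_64 = 8, 40, 62
MACHINE_NAMES = {EM_MIPS: "MIPS", EM_ARM: "ARM", EM_X86_64: "x86-64"}


def parse_elf_header(data: bytes) -> dict:
    """Return class, endianness, e_type and machine name for an ELF file.

    Only the first 20 bytes are needed: the 16-byte e_ident block followed
    by e_type (2 bytes) and e_machine (2 bytes), both in the file's own
    byte order as declared by EI_DATA.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[EI_CLASS], data[EI_DATA]
    if ei_class not in (ELFCLASS32, ELFCLASS64):
        raise ValueError(f"invalid EI_CLASS {ei_class}")
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError(f"invalid EI_DATA {ei_data}")
    fmt = ("<" if ei_data == ELFDATA2LSB else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "e_type": e_type,
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def matches_profile(data: bytes, bits: int = 32, machine: str = "MIPS") -> bool:
    """True if the bytes form an ELF header of the given class and architecture.

    Non-ELF input is simply reported as a non-match rather than an error, so
    the function can be run over arbitrary files from a device image.
    """
    try:
        header = parse_elf_header(data)
    except ValueError:
        return False
    return header["bits"] == bits and header["machine"] == machine


def _make_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a minimal (constructed, not real) ELF header for demonstration."""
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + bytes(9)
    order = "<" if ei_data == ELFDATA2LSB else ">"
    return e_ident + struct.pack(order + "HH", e_type, e_machine) + bytes(32)


# Constructed sample inputs: a 32-bit big-endian MIPS executable header,
# a 64-bit little-endian x86-64 header, and a file that is not ELF at all.
SAMPLE_MIPS32_BE = _make_header(ELFCLASS32, ELFDATA2MSB, 2, EM_MIPS)
SAMPLE_X86_64_LE = _make_header(ELFCLASS64, ELFDATA2LSB, 3, EM_X86_64)
SAMPLE_NOT_ELF = b"#!/bin/sh\necho hello\n"


def triage(samples: dict) -> list:
    """Return the names of samples whose header matches the 32-bit MIPS profile."""
    return [name for name, data in samples.items() if matches_profile(data)]


if __name__ == "__main__":
    samples = {"a.bin": SAMPLE_MIPS32_BE, "b.bin": SAMPLE_X86_64_LE, "c.sh": SAMPLE_NOT_ELF}
    for name, data in samples.items():
        try:
            print(name, parse_elf_header(data))
        except ValueError as exc:
            print(name, "skipped:", exc)
    print("32-bit MIPS candidates:", triage(samples))
```

Reading only the header keeps the check cheap enough to run across every file pulled from a modem's flash image; anything flagged can then go to a disassembler or a proper signature scan.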