One Article Review

Source Fortinet ThreatSignal
Identifier 4381922
Publication date 2022-04-01 14:09:48 (viewed: 2022-04-01 22:05:28)
Title AcidRain Wiper Suspected in Satellite Broadband Outage in Europe
Text FortiGuard Labs is aware of a report that a new wiper malware was deployed and destroyed data on modems and routers for KA-SAT satellite broadband services, resulting in service outages across Europe on February 24th, 2022. The service interruption also caused the disconnection of remote access to 5,800 wind turbines in Europe. According to security vendor SentinelOne, the AcidRain wiper shares similarities with a VPNFilter stage 3 destructive plugin. The Federal Bureau of Investigation (FBI) and the Department of Justice disrupted the VPNFilter botnet by seizing a domain that was part of its Command-and-Control (C2) infrastructure. The Russian-connected Sofacy threat actor (also known as APT28, Sednit, Pawn Storm, Fancy Bear, and Tsar) is believed to have operated the VPNFilter botnet.

Why is this Significant?
This is significant not only because a new wiper malware was used in the attack but also because the attack caused service interruption for satellite broadband services in Europe, including Ukraine, and knocked 5,800 wind turbines in Europe offline. Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory on March 17th, 2022, warning of cyberattacks on U.S. and international satellite communication (SATCOM) networks.

What Happened?
According to the statement released by Viasat, a provider of KA-SAT satellite broadband services, the attack occurred in two phases.
1. On February 24th, 2022, "malicious traffic was detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment (CPE) physically located within Ukraine and serviced by one of the KA-SAT consumer-oriented network partitions. This targeted denial of service attack made it difficult for many modems to remain online."
2. Then, the company started to observe a gradual decline in the number of connected modems. Subsequently, a large number of additional modems across much of Europe exited the network and did not re-enter it.

The statement goes on to say that the attacker gained remote access to the trusted management segment of the KA-SAT network through a misconfigured VPN appliance. The threat actor moved laterally through the network and ultimately sent "legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable." The belief is that "these destructive commands" refer to the AcidRain wiper malware.

What is VPNFilter malware?
VPNFilter is IoT malware that was first reported in mid-2018 and targeted home and Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. The malware is capable not only of performing data exfiltration but also of rendering devices completely inoperable. FortiGuard Labs published a research blog series on VPNFilter malware in 2018. See the Appendix for links to "VPNFilter Malware - Critical Update" and "VPNFilter Update - New Attack Modules Documented".

What is the threat actor Sofacy?
Sofacy is a threat actor believed to operate for Russian interests. The threat actor has been in operation since at least 2007 and targets a wide range of sectors, including government, military and security organizations. One of the most infamous activities carried out by the Sofacy group is its alleged involvement in hacking "networks and endpoints associated with the U.S. election" in 2016, for which the FBI and the U.S. Department of Homeland Security (DHS) released a joint advisory on December 29th, 2016.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against the AcidRain wiper malware believed to have been used in the attack:
ELF/AcidRain.A!tr
Sent Yes
Tags Malware Threat
Stories VPNFilter, APT 28


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.