Source |
Reversemode |
Identifier |
8654606 |
Publication date |
2022-04-05 20:09:00 (viewed: 2025-03-07 20:12:10) |
Title |
Viasat incident: from speculation to technical details. |
Text |
34 days after the incident, yesterday Viasat published a statement providing some technical details about the attack that affected tens of thousands of its SATCOM terminals. Also yesterday, I eventually had access to two Surfbeam2 modems: one was targeted during the attack and the other was in a working condition. Thank you so much to the person who disinterestedly donated the attacked modem. I've been closely covering this issue since the beginning, providing a plausible theory based on the information that was available at that time, and my experience in this field. Actually, it seems that this theory was pretty close to what really happened. Fortunately, now we can move from just pure speculation into something more tangible, so I dumped the flash memory for both modems (Spansion S29GL256P90TFCR2) and the differences were pretty clear. In the following picture you can see 'attacked1.bin', which belongs to the targeted modem, and 'fw_fixed.bin', coming from the modem in working condition. A destructive pattern, that corrupted the flash memory rendering the SATCOM modems inoperable, can be observed on the left, confirming what Viasat stated yesterday. After verifying the destructive attack, I'm now statically analyzing the firmware extracted from the 'clean' modem. Firmware version is 3.7.3.10.9, which seems to date back to late 2017. Besides talking about a 'management network' and 'legitimate management commands', Viasat did not provide any specific details about this. In my previous blog post I introduced the |
Notes |
★★★
|
Sent |
Yes |
Tags |
Malware
Vulnerability
Threat
Technical
|