Viasat: Viper malware causes KA-SAT satellite network to stall

According to IT security firm SentinelOne, thousands of broadband modems taken out of service in February in a cyberattack on Viasat, the US provider of satellite Internet and its Ka-Sat network, have fallen victim to a parallel Russian armed incursion into Ukraine. Viper Malware. This type of malware, which is designed to render data on an infected device permanently unusable, is said to be linked to the destructive VPNFilter botnet based in Russia.

The large-scale cyberattack, which was long drawn out, paralyzed the terminals of thousands of customers of Eutelsat subsidiary Skylogic in Europe, for which Viasat operates the Ka-Sat network. As a result of the incident, which was primarily intended to cut off customers from satellite Internet in Ukraine, the operation of approximately 5,800 Enercon wind turbines in Germany was also severely restricted as “collateral damage”.

Weak VPN lets attackers in

Viasat announced the details of the outage on Wednesday. The company essentially blamed a poorly configured VPN application that allowed the intruder to access a trusted management segment of the KA-SAT network. Experts previously believed that the disruptions could only be explained by an attack on Viasat’s Central Network Operations Center (NOC). Willful hackers probably managed to install a faulty firmware update on the terminals.

Viasat now explained that the unidentified attacker had traced the internal network. He was able to instruct Skylogic customers’ modems to overwrite their flash memory. At least a factory reset was required to restore the normal function of the devices.

Viasat said the intruders had moved to a specific section within the trusted management network used to control and operate Ka-SAT. This privileged access was abused to “simultaneously execute legitimate, targeted administrative commands on a large number of private modems”.

Malicious firmware update injected

With these “destructive instructions” the important data in memory was overwritten, It says in the statement, Terminals would no longer be able to access the network, but had not become permanently unusable. Still, Viasat says it has now shipped about 30,000 modems to sales partners to bring customers back online.

Viasat left it open as to how the memory was actually overwritten. SentinelOne IT security researchers Juan Andres Guerrero-Sade and Max van Amerongen on Thursday filled the gap. according to you it was a viper malware, which was uploaded to the devices as a faulty firmware update from the compromised Viasat backend. this finding Based on a suspicious looking MIPS-ELF binary Called “ukrop” which was uploaded to VirusTotal on March 15th.

Known Insects

IT security experts nicknamed the Viper “Asideran”. This is quite brutal with a “brute force attack”: if the code is run as root, all non-standard files will be overwritten and deleted first. Later, AcidRain tries to destroy data on existing SD cards, flash drives, connected devices, and other resources. Finally, the malware makes a sync system call to ensure that the changes are applied. The affected device will restart and then become inactive.

vasato now confirmed To the expert portal BleepingComputer that “the analysis in the SentinelLabs report about the Ukrop binary matches the facts in our report”. According to SentinelOne, since early 2022, a total of seven relevant, particularly destructive types of malware are known to target systems in Ukraine: Whisperkill, Whispergate, Hermetic Viper, IsaacViper, Caddywiper and DoubleZero.

The researchers also believe that “with moderate certainty” there are “similarities in development” between AcidRain and the destructive plugin for the botnet malware VPNFilter. In 2018, the FBI and the US Department of Justice attributed this malware to the so-called sandworm cluster, which at times infected the Russian government with nearly 500,000 routers and servers. Overall, Acidaren appears to be a “much more sloppy product” than a more targeted role model.

(two)