
Modem-Wiping Malware Caused Viasat Satellite Broadband Outage In Europe (theregister.com)

Tens of thousands of Viasat satellite broadband modems that were disabled in a cyber-attack some weeks ago were wiped by malware with possible links to Russia's destructive VPNFilter, according to SentinelOne. The Register reports: On February 24, as Russian troops invaded Ukraine, Viasat terminals in Europe and Ukraine were suddenly and unexpectedly knocked offline and rendered inoperable. This caused, among other things, thousands of wind turbines in Germany to lose satellite internet connectivity needed for remote monitoring and control. Earlier this week, Viasat provided some details about the outage: it blamed a poorly configured VPN appliance, which allowed a miscreant to access a trusted management segment of Viasat's KA-SAT satellite network.

The broadband provider said this intruder then explored its internal network until they were able to instruct subscribers' modems to overwrite their flash storage, requiring a factory reset to restore the equipment. We were told: "The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable."
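
The attack as described above did not need an exploit against the modems: it needed an operator-level session on the management segment issuing ordinary, targeted commands to a very large number of devices in a short time. That pattern is visible in management-plane logs before the devices go dark. The script below is an added example, not code from Viasat, The Register or SentinelOne; it runs a simple burst detector over constructed log lines. The log format, session ids, source addresses, command names and thresholds are all assumptions made for this illustration.

```python
"""Added example: flag one management session issuing a destructive command
to many modems in a short window. The log format below is constructed for
this demonstration (it is not Viasat's); each line is an ISO-8601 timestamp
followed by space-separated key=value fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Commands assumed (for this example) to be able to knock a modem offline.
DESTRUCTIVE = {"flash_write", "factory_reset", "firmware_update"}

# Constructed sample log: session b7 writes flash on five modems in five seconds,
# session c2 does it once, session a1 only reads status.
SAMPLE_LOG = """\
2022-02-24T03:58:00Z sess=a1 src=10.20.0.5 cmd=get_status modem=M0001
2022-02-24T03:58:05Z sess=a1 src=10.20.0.5 cmd=get_status modem=M0002
2022-02-24T04:02:10Z sess=b7 src=10.20.0.9 cmd=flash_write modem=M0100
2022-02-24T04:02:11Z sess=b7 src=10.20.0.9 cmd=flash_write modem=M0101
2022-02-24T04:02:12Z sess=b7 src=10.20.0.9 cmd=flash_write modem=M0102
2022-02-24T04:02:13Z sess=b7 src=10.20.0.9 cmd=flash_write modem=M0103
2022-02-24T04:02:14Z sess=b7 src=10.20.0.9 cmd=flash_write modem=M0104
2022-02-24T05:30:00Z sess=c2 src=10.20.0.7 cmd=flash_write modem=M0200
"""


def parse_line(line):
    """Split one log line into a dict; the 'ts' field becomes a datetime."""
    ts_text, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_mass_commands(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per (session, src, cmd) that touched at least
    `threshold` distinct modems within some span no longer than `window`.
    Each alert is (session, src, cmd, sorted modem ids of the largest such span)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["cmd"] in DESTRUCTIVE:
            events[(rec["sess"], rec["src"], rec["cmd"])].append((rec["ts"], rec["modem"]))

    alerts = []
    for (sess, src, cmd), hits in events.items():
        hits.sort()
        best = set()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits in `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            modems = {modem for _, modem in hits[start:end + 1]}
            if len(modems) >= threshold and len(modems) > len(best):
                best = modems
        if best:
            alerts.append((sess, src, cmd, sorted(best)))
    return alerts


if __name__ == "__main__":
    for sess, src, cmd, modems in find_mass_commands(SAMPLE_LOG):
        print(f"ALERT session={sess} src={src} cmd={cmd} modems={len(modems)}: {modems}")
```

The detector keys on session and source as well as command, so a single operator legitimately re-flashing one modem (session c2 in the sample) stays below the threshold while a fan-out from one session trips it. In a real deployment the threshold would be tuned against the provider's normal maintenance batch sizes, and the alert would be a reason to pause the management job, not just to log it.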

How exactly these modems had their memory overwritten wasn't said. According to the research arm of SentinelOne, though, it may have been wiper malware deployed to the devices as a malicious firmware update from Viasat's compromised backend. This conclusion was based on a suspicious-looking MIPS ELF binary named "ukrop" that was uploaded to VirusTotal on March 15. "Only the incident responders in the Viasat case could say definitively whether this was in fact the malware used in this particular incident," SentinelOne's Juan Andres Guerrero-Saade and Max van Amerongen wrote on Thursday.
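
The first question a responder asks of a sample like the one SentinelOne describes is whether its ELF header even matches the hardware it is supposed to run on: architecture, word size, endianness and file type. The parser below is an added example, not code from SentinelOne or the page, and the header bytes it builds are constructed for the demonstration; they say nothing about the actual "ukrop" file. Only the ELF header is read, so this is a triage step, not an analysis.

```python
"""Added example: minimal ELF header triage, the first check on a sample that
is claimed to target MIPS-based customer equipment. Only the ELF header is
parsed; the sample bytes built here are constructed and are not the 'ukrop'
file mentioned in the article."""
import struct

# e_machine values from the ELF specification.
EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 40, 62, 183
MACHINE_NAMES = {EM_386: "x86", EM_MIPS: "MIPS", EM_ARM: "ARM",
                 EM_X86_64: "x86-64", EM_AARCH64: "AArch64"}
TYPE_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data):
    """Return the identification and header fields of an ELF32/ELF64 image.
    Raises ValueError on anything that is not a well-formed ELF header."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("missing ELF magic")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError(f"bad EI_DATA {ei_data}")
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        fmt = endian + "HHIIIIIHHHHHH"    # ELF32: 32-bit entry/phoff/shoff
    elif ei_class == 2:
        fmt = endian + "HHIQQQIHHHHHH"    # ELF64: 64-bit entry/phoff/shoff
    else:
        raise ValueError(f"bad EI_CLASS {ei_class}")
    header_size = 16 + struct.calcsize(fmt)
    if len(data) < header_size:
        raise ValueError("truncated header")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, _phes, e_phnum, _shes, e_shnum, _shstr) = struct.unpack_from(fmt, data, 16)
    if e_ehsize != header_size:
        raise ValueError(f"e_ehsize {e_ehsize} inconsistent with ELF class")
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPE_NAMES.get(e_type, f"0x{e_type:x}"),
        "machine": MACHINE_NAMES.get(e_machine, f"0x{e_machine:x}"),
        "entry": e_entry,
        "flags": e_flags,
        "phnum": e_phnum,
        "shnum": e_shnum,
    }


def looks_like_mips_cpe_image(data):
    """Triage rule (an assumption for this example): a 32-bit MIPS executable,
    either endianness, is consistent with the kind of device discussed."""
    hdr = parse_elf_header(data)
    return hdr["machine"] == "MIPS" and hdr["bits"] == 32 and hdr["type"] == "EXEC"


def build_elf32_header(machine, big_endian, entry=0x00400100, e_type=2):
    """Construct a bare 52-byte ELF32 header (no program/section headers) for testing."""
    endian = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0, 0]) + b"\x00" * 7
    return ident + struct.pack(endian + "HHIIIIIHHHHHH",
                               e_type, machine, 1, entry, 0, 0, 0, 52, 0, 0, 0, 0, 0)


if __name__ == "__main__":
    sample = build_elf32_header(EM_MIPS, big_endian=True)
    print(parse_elf_header(sample), looks_like_mips_cpe_image(sample))
```

A header that passes this check is only consistent with the claim, not proof of it; the next steps would be the program headers, the strings and imports, and a run under an emulator for the matching architecture, none of which this snippet attempts.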



  • Dozens of CVEs for 1000s of branded modems. Millions more will never get a fix, as EOL or unsupported. It is high time physical jumpers made a reappearance to stop surreptitious firmware blanking or worse. Punters using COTS gear get what they deserve, rather than a bespoke, secure edition, missing the vendor push update software. Now go update that risk assessment, and fire the idiot who did the last one.
    • This wasn't a bug in the modems; the modems worked as designed.
      These modems are managed by Viasat; it's fairly common for providers to manage customer modems rather than the customer managing their own. The attack came from Viasat's trusted management network.

      • Yup, even if you've got the most secure modem firmware in the world, as long as there's TR-069 it's pwnable.
      • PR shill! Or ignorant of security design. 1) The end user should be prompted: 'Do you wish to accept a firmware upgrade? Yes/No', with a default 24 hour delay that the user can set. Change log is here: 2) Push updates from ANY network should never be trusted. People make finger fumbles all the time. 3) 'Trusted' should never be added to spruik commercial automated garbage. Examples abound: RSA, OPM, Kaseya, and a big one with the word shadow in it. Even security companies get targeted. Even MS rolls out b
        • And the public should be allowed to see Viasat's disaster recovery plan for this. One day bios's and TPM chips are going to be compromised with hardware APT's. And there will be whiners who said we did not plan for that. If you are mission critical, plan for the worst, and keep capability inhouse. If the cloud fails, you can bet big clients will have priority over smaller clients. Oh, and a thing called dual redundancy, if you really are competent.
  • by oldgraybeard ( 2939809 ) on Saturday April 02, 2022 @04:08AM (#62410390)
    "blamed a poorly configured VPN appliance, which allowed a miscreant to access a trusted management segment of Viasat's KA-SAT satellite network." and not involved at all? Didn't they misconfigure their own equipment?
  • by Viol8 ( 599362 ) on Saturday April 02, 2022 @04:29AM (#62410420) Homepage

    "thousands of wind turbines in Germany to lose satellite internet connectivity "

    FFS, they're already linked to the shore by power cables, why the hell isn't a data connection piggy backed on top instead of relying on satellite? Seems to me Germany is stumbling from one fuckup to another at the moment.

    • by arglebargle_xiv ( 2212710 ) on Saturday April 02, 2022 @05:16AM (#62410446)
      It's not Germany, it's everyone, and I have no idea why despite having been peripherally involved in some of the satellite comms software they use (hint: It's a mess). Like cryogenically-dipped silver cables for audio, using satellite comms for wind farms is one of those things that everyone agrees is a Good Thing but no-one ever explains why. My guess was that since it used to be done with VHF radio, moving from that to satellite comms was seen as a huge improvement while missing the wood for the trees.
    • by chr1973 ( 711475 ) on Saturday April 02, 2022 @05:33AM (#62410472)

      I'm pretty sure the primary data connection is through fiber added to the power cable, and that the satellite link is just for redundancy. When I worked on a project in a related field, we looked at power cables with data connections. The question we were debating was whether it was worth it for the cable itself to have a second data link for redundancy. We were unsure we'd get enough performance from the radio link for some tests.

      Hmm, actually I know for a fact that when I looked at wind turbines from a Danish manufacturer, they assumed a ring topology between the wind turbines, with the fiber in the power cables.

  • by BeerCat ( 685972 ) on Saturday April 02, 2022 @04:45AM (#62410430) Homepage

    Around 25 years ago, the building I worked in was networked to 2 others - one nearby, and the other a few hundred miles away (where the system developers were). Within the main building were some fancy network bridge cards, connecting different network segments. Every now and then, these cards would suddenly be reset to factory settings. Which puzzled everyone, including the card manufacturer.

    It turns out that the developers would be trying out new configurations on the bridge card down at their end. At the end of the testing, they would issue a factory reset command. Except the command was sent across the network, and was picked up by all the live cards as well as the test one.

    Apparently, the cards being able to respond to a general reset command was considered a feature, not a bug. It looks as though these modems suffered in the same way.

  • "Viasat .. blamed a poorly configured VPN appliance, which allowed a miscreant to access a trusted management segment of Viasat's KA-SAT satellite network."

    Would access to this "poorly configured VPN appliance" be through a poorly configured web interface?
