Mystery solved in destructive attack that knocked out >10k Viasat modems

A Viasat Internet dish in the yard of a house in Madison, Virginia.

Viasat – the provider of high-speed satellite broadband whose modems were shut down in Ukraine and other parts of Europe earlier in March – confirmed a theory from third-party researchers that new wiper malware with possible links to the Russian government was responsible for the attack.

In a report published on Thursday, researchers at SentinelOne said they discovered the new modem wiper and named it AcidRain. The researchers said that AcidRain shared several technical similarities with parts of VPNFilter, a piece of malware that infected more than 500,000 modems for homes and small offices in the United States. Several US government agencies – first the FBI and later organizations including the National Security Agency – attributed that modem malware to Russian state threat actors.

Enter ukrop

SentinelOne researchers Juan Andres Guerrero-Saade and Max van Amerongen claimed that AcidRain was used in a cyber attack that sabotaged thousands of modems used by Viasat customers. Among the clues they found was the name “ukrop” for one of AcidRain’s source binaries.

While SentinelOne said it could not be sure that its theory was correct, Viasat representatives quickly said that it was. Viasat also said that the finding was consistent with a brief overview the company published on Wednesday.

Viasat wrote:

The analysis in the SentinelLabs report on the wiper binary is consistent with the facts in our report – specifically, SentinelLabs identifies the destructive executable file that was run on the modem using a legitimate management command as previously described by Viasat. As noted in our report: “The attacker laterally moved through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously.”

AcidRain is the seventh distinct piece of wiper malware associated with Russia’s ongoing invasion of Ukraine. Guerrero-Saade and van Amerongen said that AcidRain is an executable file for MIPS, the hardware architecture of the modems used by Viasat customers. The malware was uploaded to VirusTotal from Italy and was named “ukrop.”

“Despite what the Ukraine invasion has taught us, wiper software is relatively rare,” the researchers wrote. “More so, malware targeting routers, modems or IoT devices is drying up.”

The researchers soon found “non-trivial” but ultimately “confusing” developmental similarities between AcidRain and “dstr”, the name of a VPNFilter wiper module. The similarities included a code similarity of 55 percent as measured with a tool known as TLSH, identical tables of section header strings, and “storing the previous syscall number to a global location before a new syscall.”

“At present, we cannot assess whether this is a shared compiler optimization or a strange developer quirk,” the researchers said.
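One of the three similarity signals above, identical section header string tables, is cheap to reproduce in a triage pipeline. The following is an added example, not code from the SentinelOne report or from Ars: a small ELF parser that extracts the section-name table from two images and reports whether they match. The sample images are constructed in memory (minimal big-endian MIPS ELF32 files containing only a section table), not AcidRain or VPNFilter.

```python
import struct

def elf_section_names(data: bytes) -> list:
    """Return the section names of an ELF image, in section-header order.
    Handles ELF32/ELF64 and either byte order (AcidRain is a MIPS ELF32)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    if ei_class == 1:                            # ELF32 header layout
        (e_shoff,) = struct.unpack_from(end + "I", data, 0x20)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(end + "HHH", data, 0x2E)
        sh_fmt = end + "10I"                     # 40-byte Elf32_Shdr
    else:                                        # ELF64 header layout
        (e_shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(end + "HHH", data, 0x3A)
        sh_fmt = end + "IIQQQQIIQQ"              # 64-byte Elf64_Shdr
    shdrs = [struct.unpack_from(sh_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    # sh_offset and sh_size sit at indexes 4 and 5 in both layouts
    st_off, st_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
    strtab = data[st_off:st_off + st_size]
    return [strtab[h[0]:strtab.index(b"\0", h[0])].decode() for h in shdrs]

def section_tables_identical(a: bytes, b: bytes) -> bool:
    """True when two ELF images carry the same section names in the same order."""
    return elf_section_names(a) == elf_section_names(b)

def build_mips_elf32(names: list) -> bytes:
    """Constructed test input: a minimal big-endian ELF32 (e_machine 8 = MIPS)
    holding only a section-header table and its .shstrtab. Not real malware."""
    strtab, offs = b"\0", []
    for n in names + [".shstrtab"]:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    shoff = 52 + len(strtab)                     # string table follows the 52-byte header
    shnum = len(names) + 2                       # null section + names + .shstrtab
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\0" * 8   # 32-bit, big-endian, v1
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, 0, 0, shoff, 0, 52, 0, 0, 40, shnum, shnum - 1)
    shdrs = struct.pack(">10I", *([0] * 10))     # mandatory null section header
    for i, off in enumerate(offs):
        is_strtab = i == len(offs) - 1
        shdrs += struct.pack(">10I", off, 3 if is_strtab else 1, 0, 0,
                             52 if is_strtab else 0, len(strtab) if is_strtab else 0, 0, 0, 1, 0)
    return ehdr + strtab + shdrs

if __name__ == "__main__":
    a = build_mips_elf32([".text", ".data", ".bss"])
    print(elf_section_names(a), section_tables_identical(a, build_mips_elf32([".text", ".rodata"])))
```

On real samples, read each file with `open(path, "rb").read()` and pass the bytes to `section_tables_identical`; a match is a weak signal on its own, which is why the researchers paired it with TLSH and the syscall-handling pattern.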

A mystery solved, more remain

Viasat’s statement indicates that the speculation was spot-on.

Viasat’s overview from Wednesday said that the hackers behind the destructive attack gained unauthorized access to a trusted management segment of the company’s KA-SAT network by using a misconfigured VPN. The hackers then extended their reach to other segments that allowed them to “run legitimate, targeted management commands on a large number of residential modems simultaneously. These destructive commands overwrote key data in the modem’s flash memory, making the modems unable to access the network, but not permanently unusable.”

How the threat actors gained access to the VPN is still unclear.

Also on Thursday, independent security researcher Ruben Santamarta published an analysis that revealed several vulnerabilities in some of the firmware running on the SATCOM terminals that were disrupted during the attack. One was a failure to cryptographically validate new firmware before it was installed. Another was “multiple command injection vulnerabilities that can be trivially exploited by a maliciously crafted ACS.”

ACS appears to refer to an automatic configuration server, a mechanism that exists in one of the protocols used by the modem.

“I’m not saying that these issues were actually abused by the attackers, but it really does not look good,” Santamarta wrote. “Hopefully, these vulnerabilities are no longer present in the latest Viasat firmware, otherwise it would be a problem.”

Plenty of mystery clearly still surrounds the deactivation of the Viasat modems. But the confirmation that AcidRain was the payload responsible is an important breakthrough.

“I am pleased that Viasat agreed with our findings on AcidRain,” Guerrero-Saade wrote in a private statement. “I hope they will be able to share more of their findings. There is much more to find out in this case.”
