Researchers at SentinelOne discovered a new piece of destructive wiper malware targeting modems and routers that may be connected to the February Viasat hack that affected thousands of the company’s customers in Ukraine and Europe.
Viasat released an incident report this week in which it said that the goal of the attackers was to interrupt service. The perpetrators exploited a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network. They then used the network access to execute commands on a large number of residential modems that overwrote key data in flash memory on the modems, cutting off access to the network.
Now, SentinelOne researchers have shared a report detailing a new wiper malware they dubbed “AcidRain” that may have been used in the Viasat attack.
“We postulate an alternative hypothesis: The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing,” the researchers wrote.
The malware was discovered on March 15, when the researchers noticed a suspicious 32-bit MIPS ELF binary named ‘ukrop’ (possibly an abbreviation of “Ukraine Operation”) uploaded to VirusTotal from Italy.
“AcidRain’s functionality is relatively straightforward and takes a bruteforce attempt that possibly signifies that the attackers were either unfamiliar with the particulars of the target firmware or wanted the tool to remain generic and reusable. The binary performs an in-depth wipe of the filesystem and various known storage device files. If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem,” according to the report.
During the analysis, the researchers noticed code overlaps between AcidRain and VPNFilter, another wiper malware that targeted SOHO routers and QNAP storage devices. US security agencies attributed the VPNFilter attacks to two Russia-linked state-sponsored hacker groups, APT28 and Sandworm.
“As we consider what’s possibly the most important cyber attack in the ongoing Russian invasion of Ukraine, there are many open questions. Despite Viasat’s statement claiming that there was no supply-chain attack or use of malicious code on the affected routers, we posit the more plausible hypothesis that the attackers deployed AcidRain (and perhaps other binaries and scripts) to these devices in order to conduct their operation,” the researchers said.
A Viasat spokesperson told tech news site BleepingComputer that “the analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report - specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described.” The company said it will provide more information once the investigation is completed.