...
...
Technical Analysis and Anatomy of the Attack
The attack became public on Feb. 24, 2022, after thousands of Viasat ground terminals, which house modems that act as a conversion bridge between satellite communications and Internet-based networks, were taken offline by an apparent software supply chain attack that delivered a wiper malware variant to the Viasat modems. It is not yet clear how the hackers breached subsidiary resources associated with Viasat’s networks, but it appears that a malicious software package was uploaded to a server from which customers could retrieve firmware updates for the modems or from which automated patches were pushed to customer devices. In either case, the package contained an Executable and Linkable Format (ELF) binary capable of deleting data from a range of storage devices. The malware, dubbed “AcidRain,” attempts to perform an in-depth wipe of several file systems, and if the code is running as root (privileged, top-level system access), it executes a broader overwrite function that can delete the data that it can access.
The attack prevented thousands of Viasat modems from accessing the company’s European KA-SAT network, which is backboned by the geostationary KA-SAT communications satellite. Customers with impacted modems were abruptly disconnected from the network, and Viasat confirmed that a segment of the attack targeted customer premises equipment (CPE) physically located in Ukraine. CPE typically refers to terminal, network, or telecommunications gear that sits at the subscriber’s premises, beyond the provider’s wider network.
https://www.justsecurity.org/83021/acidrain-malware-and-viasat-network-downtime-in-ukraine-assessing-the-cyber-war-threat/