Modem-Wiping Malware Caused Viasat Satellite Broadband Outage In Europe

Tens of thousands of Viasat satellite broadband modems that were disabled in a cyber-attack some weeks ago were wiped by malware with possible links to Russia's destructive VPNFilter, according to SentinelOne. The Register reports: On February 24, as Russian troops invaded Ukraine, Viasat terminals in Europe and Ukraine were suddenly and unexpectedly knocked offline and rendered inoperable. This caused, among other things, thousands of wind turbines in Germany to lose satellite internet connectivity needed for remote monitoring and control. Earlier this week, Viasat provided some details about the outage: it blamed a poorly configured VPN appliance, which allowed a miscreant to access a trusted management segment of Viasat's KA-SAT satellite network. The broadband provider said this intruder then explored its internal network until they were able to instruct subscribers' modems to overwrite their flash storage, requiring a factory reset to restore the equipment. We were told: "The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable." How exactly these modems had their memory overwritten wasn't said. According to the research arm of SentinelOne, though, it may have been wiper malware deployed to the devices as a malicious firmware update from Viasat's compromised backend. This conclusion was based on a suspicious-looking MIPS ELF binary named "ukrop" that was uploaded to VirusTotal on March 15. "Only the incident responders in the Viasat case could say definitively whether this was in fact the malware used in this particular incident," SentinelOne's Juan Andres Guerrero-Saade and Max van Amerongen wrote on Thursday.

Read more of this story at Slashdot.