Tag Archive for: Sat.

Cl0P Gang Sat on Exploit for MOVEit Flaw for Nearly 2 Years
Turns out the Cl0p ransomware group sat on a zero-day vulnerability it discovered in Progress Software’s MOVEit Transfer file transfer app for nearly two years before starting to exploit it — which it did with devastating effect earlier this month.

Over that holding period, members of the group periodically launched waves of malicious activity against vulnerable systems to test their access to organizations and to identify the ones to target.

“The analogy I have been using is turning the doorknob, seeing it turn, then walking away knowing I can come back later, open the door, and walk through it,” says Scott Downie, associate managing director at Kroll’s Cyber Risk Business. “It can also be interpreted as them identifying potential targets,” he says.

Experimenting With a MOVEit Exploit for Nearly 2 Years

Researchers at Kroll Threat Intelligence, who investigated the recent attacks, found evidence showing Cl0P actors experimenting with ways to exploit the MOVEit Transfer vulnerability as far back as July 2021. Kroll’s review of Microsoft Internet Information Services (IIS) logs belonging to clients impacted in the attacks unearthed evidence of the threat actors conducting similar activity in April 2022 and twice last month, just days before the attacks.

The telemetry suggests the threat actors were testing access to vulnerable MOVEit Transfer clients and attempting to retrieve information that could help them identify the organizations where it was installed. Much of the malicious reconnaissance and testing activity in the early stages — in July 2021 — appears to have been manual in nature. But starting April 2022, Cl0p actors began using an automated mechanism for probing multiple organizations at the same time and collecting information from them.

The last of the testing activity — before mass exploitation began — was in May and appeared designed to extract the unique “Org ID” identifier associated with each MOVEit Transfer user. The information could have helped the attackers categorize the organizations they could access, Kroll said. The company’s analysis of the IP addresses associated with the malicious activity showed them to be located in Russia and the…


The Great Euro Sat Hack Should Be A Warning To Us All
Military officials and civilian security researchers have been warning us for years: cyberattacks are becoming a very real part of modern warfare. Far from being limited to military targets, cyberattacks can take out everything from vital public infrastructure to commercial and industrial operations, too.

In the early hours of February 24, as the Russian invasion force began raining missiles on Ukrainian cities, another attack was in progress in the digital realm. Suddenly, satellite terminals across Europe were going offline, with many suffering permanent damage from the attack.

Details remain hazy, but researchers and military analysts have pieced together a picture of what happened that night. The Great Euro Sat Hack proved to be the latest example of how vulnerable our digital infrastructure can be in wartime.

A Network Is Only As Secure As Its Weakest Point

The KA-SAT satellite, owned and operated by US company Viasat, was launched in 2010. It’s charged with providing broadband satellite internet across Europe, with some limited coverage also extending to parts of the Middle East. Customers of the service include residential users across Europe, and many industrial systems as well.

5,800 wind turbines lost their satellite data connections during the attack, compromising remote monitoring of the hardware. Service was restored through a combination of replacing affected satellite modems and installing supplementary cellular/LTE data links. Credit: ENERCON press site

On February 24, when Russian forces began their full-scale invasion of Ukraine, the KA-SAT system similarly came under attack. Thousands of terminals suddenly went offline in the early hours of the morning. Far from being limited to just Ukraine, users in Greece, Poland, Italy, Hungary, and Germany were all affected.

Notably, 5,800 wind turbines in Germany had their administration systems go dark as the attack raged. When the satellite links went down, monitoring the wind turbines via SCADA systems was no longer possible. Thankfully, grid stability was not affected according to operator ENERCON, as grid operators maintained control over the wind power input to the grid via other methods.

Early reports
