Tag Archive for: shut

Russian hackers increasing efforts after cyberattack shut down Ukraine internet


Russia carried out a cyberattack at the beginning of its invasion of Ukraine, cutting thousands of modems throughout Europe off from the internet, officials from the U.S., Great Britain, Canada, Estonia and the European Union announced Tuesday.

SpaceX founder Elon Musk, whose Starlink satellites have helped ensure Ukrainians’ access to the internet amid Russia’s invasion, warned that Kremlin forces are “ramping up their efforts.” So far, “Starlink has resisted Russian cyberwar jamming & hacking attempts,” he added.

Russian hackers attacked Viasat’s KA-SAT network in late February as Russian forces marched into Ukraine, the Western governments reported.

U.S. Secretary of State Antony Blinken said Russia launched the cyberattack to “disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries.” 

British Foreign Secretary Liz Truss called the cyberattack “deliberate and malicious.” Russia was primarily targeting the Ukrainian military, but had disrupted wind farms and internet users in Central Europe, as well, Truss added, citing Britain’s National Cyber Security Centre.

The Council of the European Union said the digital hack caused “indiscriminate communication outages” in Ukraine and other EU member nations.

Photo caption: Elon Musk has been helpful providing Ukraine internet access during Russia’s invasion. (AP/Ringo H.W. Chiu)

“This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behavior in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine,” the council said in a statement.

The cyberattack caused immediate outages for satellite internet users across Europe, and affected modems had to be manually replaced.

“After those modems were knocked offline it wasn’t like you unplug them and plug them back in and reboot and they come back,” U.S. National Security Agency Director of Cybersecurity Rob Joyce told Reuters. “They were down and down hard; they had to go back to the factory to be swapped out.”


Source…

Viasat Hack Tied to Data-Wiping Malware Designed to Shut Down Modems


Last month’s massive Viasat satellite internet outage has been connected to malware capable of wiping data from modems and routers. 

Cybersecurity firm SentinelOne says it spotted a malware sample that was likely used during the Feb. 24 Viasat hack, which disrupted internet service. The malware, dubbed AcidRain, is a Unix executable program designed to target devices built with the MIPS architecture.

SentinelOne noticed the malware after a sample of AcidRain was uploaded to the malware-detection service VirusTotal on March 15. The sample was uploaded from Italy, where SkyLogic, the Viasat operator managing the affected network, is also based. In addition, the malware sample was labeled with the name “ukrop,” a possible reference to Ukraine Operation.

Image caption: The computer code executed by AcidRain. (SentinelOne)

SentinelOne also examined AcidRain and found it can perform “an in-depth wipe of the filesystem and various known storage device files” on an infected modem. The malware will then trigger a reboot, leaving the device inoperable. 

The security firm issued the report a day after Viasat provided more details about the Feb. 24 outage, which occurred right as Russia began to invade Ukraine. The disruption caused thousands of users in Ukraine and tens of thousands more across Europe to temporarily lose internet access.

Viasat’s investigation found the hackers behind the incident exploited a misconfigured VPN device to gain remote access to the satellite internet infrastructure, and then used “legitimate, targeted management commands” across a large number of modems to knock them offline. 

However, Viasat’s investigation made no mention of any data-wiping malware. Instead, the company’s report pointed to “destructive commands” overwriting key data in flash memory on the affected modems, rendering them useless. 

Still, Viasat isn’t denying SentinelOne’s findings about AcidRain. In a statement, the satellite internet provider said: “The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report—specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously…

Source…

U.S. Hacker Says He Alone Shut Down North Korea’s Internet


(TNS) — He’s dictating the terms.

A U.S. hacker working solo claims he’s the person behind multiple Internet outages across North Korea in the past month.

The man, identified only by the handle “P4X,” said he was targeted by a North Korean government hacking scheme last year and was upset enough to fight back, tech magazine Wired reported.


North Korea experts noted the various countrywide Internet down periods in January. Some suspected the outages were connected to the country’s recent missile launches, perhaps a “please stop” signal from the U.S.

But P4X’s screen recordings proved he was behind the attacks, according to Wired. The man claimed that because of the tiny dictatorship’s outdated Internet technology and small cyber infrastructure, it wasn’t really that hard.

“For me, this is like the size of a small-to-medium [cybersecurity breaching test],” he told Wired. “It’s pretty interesting how easy it was to actually have some effect in there.”

Access to the Internet is severely limited in North Korea, and observers believe only a few dozen websites are hosted inside the isolated nation, Wired reported. But P4X was still able to take them all down in his revenge campaign.

In January 2021, Google’s threat analytics group posted an announcement about hacks targeting private sector security researchers, which came from “a government-backed entity based in North Korea.”

After a quick personal investigation, P4X realized he was one of the security researchers that Kim Jong-un’s regime was apparently interested in, according to Wired. So he fought back.

“It felt like the right thing to do here,” he told the magazine. “I want them to understand that if you come at us, it means some of your infrastructure is going down for a while.”

P4X said his goal was to simply annoy the North Korean government, counting that as success given that he was working alone from his office.

“I definitely wanted to affect the people as little as possible and the government as much as possible,” he told Wired, comparing the effort to “tearing down government banners or defacing buildings.”

The…

Source…

AT&T Looks to Shut Down Botnet that Attacked 5,700 Network Appliances


AT&T is working to stop a botnet that has infected at least 5,700 network edge servers inside its networks and appears designed to steal sensitive information and launch distributed denial-of-service (DDoS) attacks.

Researchers at Netlab, the network security unit of Chinese tech giant Qihoo 360, wrote in a report this week that the rapidly updated botnet was attacking voice-over-IP (VoIP) servers from Edgewater Networks that are housed within AT&T’s network and are designed to route traffic from enterprise customers to upstream mobile providers (in this case, AT&T).

The botnet was able to exploit an older vulnerability in unpatched EdgeMarc Enterprise Session Border Controllers (ESBCs) that is tracked as CVE-2017-6079. Once inside the appliances, the botnet installed a modular malware strain that the Netlab researchers dubbed EwDoor.

The researchers initially detected the botnet on Oct. 27, observing it attacking the ESBCs through the four-year-old vulnerability. They wrote that the botnet uses a “relatively unique” mount file system command in its payload.

A Short Window of Visibility

The initial version of EwDoor used a multiple command-and-control (C&C or C2) redundancy mechanism, but after having problems with the main C&C network, the botnet operators reconfigured the communication model and the researchers lost track of the botnet. However, during the short time they had sight of it, they confirmed that the targets were the Edgewater devices within the AT&T network and that all 5,700 appliances were located in the United States.

“So far, the EwDoor in our view has undergone 3 versions of updates, and its main functions can be summarized into 2 main categories of DDoS attacks and Backdoor,” they wrote. “Since the attacked devices are telephone communication related, we presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs.”

The three updates occurred during November.


Exploiting the Edgewater Devices

According to the Netlab researchers, the botnet exploits a hidden page in the Edgewater appliances that includes user-defined commands. The bad actors can…

Source…