Viasat spills on the Russian attack, warns of continued risks

A misconfigured VPN appliance is to blame

It turns out the only thing Russian forces needed to knock thousands of Ukrainian satellite broadband customers offline was a misconfigured VPN.

Viasat, whose Ukrainian satellite broadband service was knocked offline the day Russia invaded Ukraine, said its analysis of the attack revealed that a poorly configured VPN appliance was used by the attacker to access the trusted management section of the KA-SAT satellite network.

The attacker gained access to the segment of the network used to manage and operate it, and then pushed legitimate, yet malicious, commands to residential modems in Ukraine and several other European countries.

"These destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable," Viasat said today.

The KA-SAT satellite, which provides broadband access to customers in several countries, was not directly affected by the attack, which was confined to a single consumer-oriented partition of its network.

Viasat also said that it had no evidence end-user data was accessed or compromised, no evidence that customer equipment was accessed (aside from the command that was run), and no signs that the satellite or its ground infrastructure were affected.

It's not over yet

Viasat said that any modems not bricked by the attack received firmware updates that should mitigate future onslaughts. That's timely given what an unnamed Viasat representative told Reuters: the attacks are still happening.

While Viasat has resisted the attacks so far, the official said the attackers continue to adapt to its mitigations and defenses. The investigation is ongoing, and Viasat said elsewhere that it was leaving out some specifics, but it believes the attacks were designed to interrupt service. If the assailants are continuing to push, they're still attempting to disrupt satellite broadband in Ukraine.

Owners of functioning Tooway brand SurfBeam2 and SurfBeam 2+ modems from Eutelsat should be sure they patch now.

Modems are physically fine, but still broken

Viasat's analysis of modems that were affected by the attack found no evidence of hardware damage, software or firmware tampering, or supply-chain interference. That's not much comfort for the many customers still unable to get online, but it does mean that affected modems, once returned to Viasat, can be reset and reused.

Thirty thousand modems have already been sent to distributors (Viasat is a service wholesaler that works with local ISPs), and Viasat said it will continue to send them out to any distributor that requests them "so they can support expedited service restoration and impact mitigation for affected end customers." ®