"Misconfigured" VPN used to breach Viasat satellite network, malicious commands wiped modems

Root cause analysis lands...

"Misconfigured" VPN used to breach Viasat satellite network, malicious commands wiped modems

Satellite communications provider Viasat has published its root cause analysis of a malicious attack that knocked out services for tens of thousands of European customers reliant on its KA-SAT network in February -- saying a "misconfigured" VPN appliance was used to gain remote access to the trusted management segment of the KA-SAT network. The attackers then sent destructive commands to modems that overwrote key data in flash memory, rendering them inoperable. (They can be restored with a factory reset.)

As well as serving commercial customers, KA-SAT was providing internet connectivity to Ukrainian military and police units. Some 30,000 terminals across Europe were affected. In Germany, the attack caused over 5,800 wind turbines generating some 11 GW to lose remote access and monitoring capabilities.

This incident was "localized to a single consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic," Viasat noted in its report.

Viasat did not specify the nature of the VPN "misconfiguration", but in the wake of the incident the US's CISA and FBI published a joint advisory warning satellite communications providers to tighten up their security and be aware of common risks such as "insecure remote access tools" and protocols, to conduct consistent and regular patching, and to monitor existing trust relationships with IT service providers.

Viasat said March 30: "Viasat has conducted an exhaustive analysis of impacted modems and confirmed no anomalies or impacts to any electrical components, no impact or compromise of any modem physical or electronic components, no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference. The modems can be fully restored via a factory reset.

"To date, Viasat has no evidence that standard modem software or firmware distribution or update processes involved in normal network operations were used or compromised in the attack."

Viasat, Skylogic and incident response firm Mandiant are "continuing to cooperate with various law enforcement and government agencies around the world", the company said.

Unpatched critical vulnerabilities in VPN appliances have been among the most exploited bugs in the world in recent years, including flaws in Fortinet and Pulse Secure products. Leaked credentials for otherwise patched VPNs that have not been set up with MFA are also a common cause of breaches.

Below, for example, are the 12 most exploited vulnerabilities of 2020 (vendor, CVE, vulnerability class, CVSS score, and whether a public exploit was available).

Vendor          CVE             Vulnerability class        CVSS   Public exploit
Citrix          CVE-2019-19781  Arbitrary code execution   9.8    Yes
Pulse Secure    CVE-2019-11510  Arbitrary file reading     10     Yes
Fortinet        CVE-2018-13379  Path traversal             9.8    Yes
F5 BIG-IP       CVE-2020-5902   RCE                        9.8    Yes
MobileIron      CVE-2020-15505  RCE                        9.8    Yes
Microsoft       CVE-2017-11882  RCE                        9.3    Yes
Atlassian       CVE-2019-11580  RCE                        9.4    Yes
Drupal          CVE-2018-7600   RCE                        9.8    Yes
Telerik         CVE-2019-18935  RCE                        9.8    Yes
Microsoft       CVE-2019-0604   RCE                        9.8    Yes
Microsoft       CVE-2020-0787   Elevation of privilege     7.8    Yes
Netlogon        CVE-2020-1472   Elevation of privilege     10     Yes

See also: US agencies tell users to deploy ‘independent encryption’ across satellite comms. It’s not that easy.