"Misconfigured" VPN used to breach Viasat satellite network, malicious commands wiped modems
Root cause analysis lands...
Satellite communications provider Viasat has published its root cause analysis of a malicious attack that knocked out services for tens of thousands of European customers reliant on its KA-SAT network in February -- saying a "misconfigured" VPN appliance was used to gain remote access to the trusted management segment of the KA-SAT network. The attackers then sent destructive commands to modems that overwrote key data in flash memory, rendering them inoperable. (They can be restored with a factory reset.)
As well as commercial customers KA-SAT was providing internet connectivity to Ukrainian military and police units. Some 30,000 terminals across Europe were affected. The Viasat attack caused over 5,800 wind turbines generating some 11GW to lose remote access and monitoring capabilities in Germany.
This incident was "localized to a single consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic" Viasat noted in its report.
Follow The Stack on LinkedIn
Viasat did not specify the nature of the VPN "misconfiguration" but in the wake of the incident the US's CISA and FBI published a joint advisory warning satellite communications providers to tighten up their security and be aware of some common risks like "insecure remote access tools" and protocols, conduct consistent and regular patching and ensure that they monitor existing trust relationships with IT service providers.
Viasat said March 30: "Viasat has conducted an exhaustive analysis of impacted modems and confirmed no anomalies or impacts to any electrical components, no impact or compromise of any modem physical or electronic components, no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference. The modems can be fully restored via a factory reset.
"To date, Viasat has no evidence that standard modem software or firmware distribution or update processes involved in normal network operations were used or compromised in the attack."
The Viasat, Skylogic and incident response firm Mandiant are "continuing to cooperate with various law enforcement and government agencies around the world" they said.
Unpatched critical ulnerabilities in VPNs have been among the most-exploited in the world by attackers in recent years, including bugs in Fortinet and Pulse Secure offerings. Leaked credentials that give access to otherwise patched VPNs which are not, however, set up with MFA are also a common cause of attacks.
Below are the 12 most exploited vulnerabilities in 2020, for example.
| Citrix | CVE-2019-19781 | Arbitrary code execution | CVSS: 9.8 | Exploit |
| Pulse Secure | CVE 2019-11510 | Arbitrary file reading | CVSS: 10 | Exploit |
| Fortinet | CVE 2018-13379 | Path traversal | CVSS: 9.8 | Exploit |
| F5- Big IP | CVE 2020-5902 | RCE | CVSS: 9.8 | Exploit |
| MobileIron | CVE 2020-15505 | RCE | CVSS: 9.8 | Exploit |
| Microsoft | CVE-2017-11882 | RCE | CVSS: 9.3 | Exploit |
| Atlassian | CVE-2019-11580 | RCE | CVSS: 9.4 | Exploit |
| Drupal | CVE-2018-7600 | RCE | CVSS: 9.8 | Exploit |
| Telerik | CVE 2019-18935 | RCE | CVSS: 9.8 | Exploit |
| Microsoft | CVE-2019-0604 | RCE | CVSS: 9.8 | Exploit |
| Microsoft | CVE-2020-0787 | Elevation of privilege | CVSS: 7.8 | Exploit |
| Netlogon | CVE-2020-1472 | Elevation of privilege | CVSS: 10 | Exploit |
