In the field of computer security, a wiper is a kind of malware that is designed to erase (wipe) the hard drive of the computer that it infects, therefore intentionally erasing data and applications on the infected machine.
What Happened?
A newly found data wiper that targets routers and modems was used in the February 24 attack on the KA-SAT satellite internet service to wipe SATCOM modems, impacting thousands of people in Ukraine and tens of thousands more throughout Europe, according to the FBI.
The malware, which researchers at SentinelOne have named AcidRain, brute-forces device file names and deletes every file it can locate, an approach the researchers say makes it easier to reuse in future attacks.
According to SentinelOne, this might indicate that the attackers are unfamiliar with the filesystem and firmware of the targeted devices, or that they are attempting to create a reusable tool.
AcidRain was discovered on March 15 after being uploaded to the VirusTotal malware analysis platform from an IP address in Italy as a 32-bit MIPS ELF binary with the filename “ukrop”.
AcidRain’s functionality is relatively straightforward and takes a brute-force approach, which possibly signifies that the attackers were either unfamiliar with the particulars of the target firmware or wanted the tool to remain generic and reusable. The binary performs an in-depth wipe of the filesystem and various known storage device files. If the code is running as root, AcidRain first performs a recursive overwrite and delete of non-standard files in the filesystem.
Once installed, it walks the complete filesystem of the compromised router or modem. It also wipes flash memory, SD/MMC cards, and any virtual block devices it can find, trying every possible device identifier.
To erase data on infected devices, the wiper either overwrites file contents with up to 0x40000 bytes of data or issues the MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB input/output control (IOCTL) calls.
Once AcidRain’s data wiping is complete, the malware reboots the device, leaving it inoperable.
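The article describes the sample as a 32-bit MIPS ELF that enumerates flash, SD/MMC and block devices by device name. The script below is an added triage example (not code from the article, SentinelOne or Viasat) showing how a responder can classify an ELF sample's architecture from its header and pull out the device-path strings that such a firmware wiper would need to carry. The sample bytes are constructed inline, and the "flag for review" rule is a hypothetical heuristic of this example, not a published detection signature.

```python
"""Added ELF triage example: classify architecture and list device paths.

Not the article's or SentinelOne's code. The sample ELF header and strings
are constructed here for demonstration; the review heuristic is an assumption.
"""
import struct

# ELF e_machine values for common embedded and desktop targets.
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Device name prefixes for raw flash (MTD), SD/MMC and block devices. A binary
# that carries these is worth a closer look; it is a signal, not proof.
DEVICE_PREFIXES = [b"/dev/mtd", b"/dev/mmcblk", b"/dev/sd",
                   b"/dev/block", b"/dev/loop", b"/dev/ram"]


def parse_elf_header(data: bytes) -> dict:
    """Read class, data encoding, type and machine from an ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine sit at offset 16 in both ELF32 and ELF64 headers.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endianness": "little" if ei_data == 1 else "big",
        "type": e_type,
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def find_device_strings(data: bytes) -> list:
    """Return sorted unique printable strings that start with a device prefix."""
    found = set()
    for prefix in DEVICE_PREFIXES:
        start = 0
        while True:
            idx = data.find(prefix, start)
            if idx == -1:
                break
            end = idx
            # Extend to the end of the printable run (stops at NUL or space).
            while end < len(data) and 0x20 < data[end] < 0x7F:
                end += 1
            found.add(data[idx:end].decode("ascii"))
            start = idx + 1
    return sorted(found)


def triage(data: bytes) -> dict:
    """Combine header facts and device strings; flag samples that reference
    raw flash plus another block device (hypothetical review heuristic)."""
    result = parse_elf_header(data)
    devs = find_device_strings(data)
    result["device_strings"] = devs
    has_mtd = any(d.startswith("/dev/mtd") for d in devs)
    has_other = any(not d.startswith("/dev/mtd") for d in devs)
    result["flag_for_review"] = has_mtd and has_other
    return result


def build_sample() -> bytes:
    """Constructed sample: ELF32, big-endian, EM_MIPS executable header
    followed by a few NUL-separated strings. Not a real malware sample."""
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack(">HH", 2, 8) + b"\x00" * 32  # 52-byte Elf32_Ehdr
    strings = b"\x00".join([b"/dev/mtd0", b"/dev/mtdblock0",
                            b"/dev/mmcblk0", b"/dev/sda", b"hello"])
    return header + strings + b"\x00"


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

On a real sample you would pass the file's bytes to `triage()`; the architecture check is what tells a responder to stand up a MIPS analysis environment rather than an x86 one, and the device-string list gives a first view of which storage the binary reaches for.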
A Viasat spokesperson sent the following statement to BleepingComputer regarding the situation.
The facts provided in the Viasat Incident Report yesterday are accurate. The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report – specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described.
As noted in our report: “the attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously.”
Additionally, we don’t view this as a supply chain attack or vulnerability. As we noted, “Viasat has no evidence that standard modem software or firmware distribution or update processes involved in normal network operations were used or compromised in the attack.” Further, “there is no evidence that any end-user data was accessed or compromised.”
Due to the ongoing investigation and to ensure the security of our systems from ongoing attack, we cannot publicly share all forensic details of the event. Through this process, we have been cooperating, and continue to cooperate, with various law enforcement and government agencies around the world, who have had access to details of the event.
We expect we can provide additional forensic details when this investigation is complete.