Forescout Report Uncovers New Details in Danish Energy Hack
By Deeba Ahmed

The attacks, potentially linked to Russian APT Sandworm, exploited vulnerabilities in Zyxel firewalls.
The potential involvement of Sandworm, the wider threat beyond attribution, the vulnerability of Zyxel firewalls and the focus on European energy firms call for improved cybersecurity posture and threat intelligence.
Forescout, a global cybersecurity leader, has provided new evidence about two attacks on the Danish energy sector in May 2023 (PDF). Their report, ‘Clearing the Fog of War,’ highlights the need for better network monitoring and incident response plans and analyzes the potential involvement of an advanced persistent threat (APT) group called Sandworm.
For context, SektorCERT, Denmark’s critical infrastructure CERT, reported a significant cyber attack on 22 Danish energy sector companies between May 11 and 30, 2023. The attacks, linked to the Russian APT Sandworm, exploited vulnerabilities in Zyxel firewalls. Despite SektorCERT’s swift response, some companies were forced into island mode, allowing attackers to access industrial control systems.
The Forescout Research–Vedere Labs report sheds light on this incident. Reportedly, the first wave of attacks started on May 11, 2023, exploiting CVE-2023-28771, a pre-authentication OS command injection vulnerability in unpatched Zyxel firewalls.
A second wave occurred on May 22, 2023, in which attackers downloaded MIPS binaries from 45.89.106.147 onto Zyxel firewalls at an energy sector organization; the binaries were Mirai variants carrying Moobot-flavoured indicators. The infected firewalls then participated in DDoS and SSH brute-force attacks against targets in Hong Kong, the U.S., and Canada.
Zyxel firewalls at other SektorCERT member organizations were also observed downloading Mirai variants from staging servers historically associated with malware distribution, adware, ransomware, and Log4j exploitation attempts.
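The second-wave behaviour described above (a perimeter firewall fetching a binary from a staging server and then opening SSH to many external hosts) is something a defender can look for in outbound connection logs. The following is an added detection example, not code from Forescout or from the report; the flow records are constructed, the firewall management addresses are an assumed inventory, and the only staging address is the one the report names.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records in the shape a firewall
# syslog or flow exporter might produce: "<timestamp> <src> <dst> <dst_port>".
# These are made-up flows, not telemetry from the Danish incident.
SAMPLE_FLOWS = """\
2023-05-22T10:01:02Z 10.20.0.1 45.89.106.147 80
2023-05-22T10:01:20Z 10.20.0.1 198.51.100.11 22
2023-05-22T10:01:22Z 10.20.0.1 198.51.100.12 22
2023-05-22T10:01:25Z 10.20.0.1 198.51.100.13 22
2023-05-22T10:01:31Z 10.20.0.1 198.51.100.14 22
2023-05-22T10:01:44Z 10.20.0.1 198.51.100.15 22
2023-05-22T10:05:00Z 10.20.0.2 10.20.0.50 22
2023-05-22T10:06:10Z 10.20.5.7 192.0.2.44 443
"""

# Staging address named in the report for the second wave. In production this
# set would be fed from threat intelligence rather than hard-coded.
STAGING_SERVERS = {"45.89.106.147"}

# Assumption: management addresses of our own perimeter firewalls, taken from
# an asset inventory. A firewall should never be the *client* side of an
# internet download or of SSH sessions to many external hosts.
FIREWALL_IPS = {"10.20.0.1", "10.20.0.2"}


def parse_flows(text):
    """Parse the flow text into (timestamp, src, dst, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        # fromisoformat on older Pythons does not accept a trailing 'Z'.
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        src, dst, int(port)))
    return records


def find_staging_downloads(records):
    """Any internal host contacting a known staging server, sorted for stable output."""
    hits = {(src, dst) for _, src, dst, _ in records if dst in STAGING_SERVERS}
    return sorted(hits)


def find_ssh_fanout(records, threshold=5, window_seconds=60):
    """Flag firewalls that open SSH to >= threshold distinct destinations
    within any window of window_seconds (an outbound brute-force pattern).
    Returns {firewall_ip: max_distinct_destinations_in_a_window}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if src in FIREWALL_IPS and port == 22:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct destinations reached in the window starting at t0.
            dests = {d for t, d in events[i:]
                     if (t - t0).total_seconds() <= window_seconds}
            if len(dests) >= threshold and len(dests) > alerts.get(src, 0):
                alerts[src] = len(dests)
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst in find_staging_downloads(flows):
        tag = "FIREWALL" if src in FIREWALL_IPS else "host"
        print(f"[staging contact] {tag} {src} -> {dst}")
    for fw, n in find_ssh_fanout(flows).items():
        print(f"[ssh fan-out] firewall {fw} reached {n} distinct SSH targets within 60s")
```

The two checks are deliberately independent: the staging-server match depends on having the indicator in advance, while the SSH fan-out rule needs no indicator at all and would also catch a firewall recruited into a brute-force campaign from a server nobody has flagged yet.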
“After the second incident, further attacks targeted exposed devices within critical infrastructure worldwide in the ensuing months,” the report read.
Researchers couldn’t fully attribute the attacks to Sandworm given the differences between the two waves: the first wave hit a limited number of targets using a PoC-less n-day, while the second involved Zyxel firewalls infected from staging servers with a history of mass exploitation and crimeware, explained Elisa Costante, VP of Research at Forescout Research–Vedere Labs.
The study found numerous IP addresses exploiting the Zyxel vulnerability CVE-2023-28771, first reported by TRAPA Security in June 2023 and added to the CISA KEV catalogue in May 2023 with a 9.8 severity rating.
In April 2023, Zyxel announced patches for impacted firewalls, including USG Flex, ATP, ZyWALL/USG, and VPN. However, FortiGuard Labs reported a rise in DDoS botnets exploiting the Zyxel vulnerability, which persisted as late as October 2023 and spread across various devices, including Zyxel firewalls.
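Deciding which firewalls in an estate still need the April 2023 patch comes down to comparing firmware versions against the affected ranges. The script below is an added example, not Zyxel’s or Forescout’s code; the ranges are the inclusive major.minor bounds from Zyxel’s description of CVE-2023-28771 reproduced at the end of this page, the firmware-string format and the inventory fields (host, series, firmware, wan_exposed) are assumptions, and the sample inventory is constructed.

```python
import re

# Affected firmware ranges for CVE-2023-28771, inclusive major.minor bounds,
# as listed in Zyxel's description of the flaw reproduced on this page.
AFFECTED = {
    "ZyWALL/USG": ((4, 60), (4, 73)),
    "VPN":        ((4, 60), (5, 35)),
    "USG FLEX":   ((4, 60), (5, 35)),
    "ATP":        ((4, 60), (5, 35)),
}

# Assumption: firmware strings look like "V5.35(ABUJ.0)"; only major.minor is compared.
_VERSION = re.compile(r"V?(\d+)\.(\d+)")


def parse_version(firmware):
    """Return (major, minor) from a firmware string; raises on junk input."""
    m = _VERSION.search(firmware)
    if not m:
        raise ValueError(f"unrecognised firmware string: {firmware!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(series, firmware):
    """True when the major.minor version lies inside the affected range.
    A version on the upper bound (e.g. 4.73) is treated as affected because the
    hotfix/patch level is not visible at major.minor granularity; confirm
    against the vendor advisory before closing such a finding."""
    lo, hi = AFFECTED[series]
    return lo <= parse_version(firmware) <= hi


def triage(inventory):
    """Rank affected devices: P1 if the management interface is reachable from
    the WAN, otherwise P2. Devices outside the listed series are skipped.
    inventory: list of dicts with 'host', 'series', 'firmware', 'wan_exposed'."""
    findings = []
    for dev in inventory:
        if dev["series"] not in AFFECTED:
            continue
        if is_affected(dev["series"], dev["firmware"]):
            findings.append((dev["host"], "P1" if dev.get("wan_exposed") else "P2"))
    return sorted(findings)


# Constructed inventory; hostnames, versions, labels and exposure are made up.
SAMPLE_INVENTORY = [
    {"host": "fw-dk-01", "series": "USG FLEX",   "firmware": "V5.35(ABUJ.0)", "wan_exposed": True},
    {"host": "fw-dk-02", "series": "ATP",        "firmware": "V5.36(ABFW.1)", "wan_exposed": True},
    {"host": "fw-dk-03", "series": "ZyWALL/USG", "firmware": "V4.73(AAPH.0)", "wan_exposed": False},
    {"host": "fw-dk-04", "series": "VPN",        "firmware": "V4.50(ABAQ.0)", "wan_exposed": True},
    {"host": "sw-dk-01", "series": "Other",      "firmware": "V2.10",         "wan_exposed": False},
]

if __name__ == "__main__":
    for host, priority in triage(SAMPLE_INVENTORY):
        print(f"{priority} {host}: firmware in CVE-2023-28771 affected range")
```

The WAN-exposure flag drives the priority because the flaw is pre-authentication: a vulnerable device whose management plane is reachable from the internet is exactly the population the report describes being hit, while an internally reachable one still needs the patch but can wait for a maintenance window.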
In May 2023, Hackread reported how a variant of the Mirai botnet, IZ1H9, successfully hacked Zyxel Firewalls using a patched command injection vulnerability, potentially leading to DDoS attacks. Researchers from Palo Alto Networks’ Unit 42 identified it as the most active Mirai variant.
Europe sees a high volume of exploitation attempts, with 80% of publicly identifiable and potentially vulnerable firewalls located there. Six European power companies are at risk of exploitation by malicious actors due to their use of Zyxel firewalls, highlighting the need to prioritize threat intelligence in the energy sector.
Living off the land (LotL) attacks offer stealth benefits, allowing attackers to operate through the compromised network device itself rather than having to work with legacy or proprietary protocols. Energy firms and critical infrastructure organizations must remain alert to attacks on unpatched network infrastructure devices.
Figure: Exposed Zyxel firewalls
Expert Opinions
For insight into the new development, we reached out to John Gallagher, Vice President of Viakoo Labs at Viakoo, who praised Forescout for “digging deeper into exploits against critical infrastructure, and getting closer to the truth of what is behind these attacks.”
“Getting a more accurate assessment of these attack vectors, and getting to that truth more quickly as Forescout has provided, is crucial in protecting these critical assets. Disrupting cyber adversaries in their efforts is one form of defence; that’s why getting specific as to who is the threat actor is critical to defending ICS infrastructure,” he said.
“Forescout’s analysis points to the spillover from nation-state-directed cyber exploits to mass exploitation campaigns, which is an alarming trend. As “mass market” threat actors become more skilled at working within the unique languages and protocols of ICS systems it dramatically increases the risk of non-affiliated threat actors providing “as a service” ICS exploitation,” John added.
“In addition, this means organizations who depend on IoT/OT/ISC systems will be direct targets at some point to the same threats being launched against national critical infrastructure.”
Jose Seara, CEO and founder at DeNexus, emphasized the need for companies to “strengthen their cybersecurity posture” by understanding their cyber risks, identifying them, and quantifying them in monetary terms.
“Critical infrastructure and industrial sites have been increasingly targeted by threat actors and they all need to strengthen their cybersecurity posture. It is imperative for these companies to better understand their cyber risks, identify them and quantify them in monetary terms to drive data-driven decisions on cybersecurity investments,” said Jose.
“Additionally, new SEC regulations on cybersecurity reporting in the U.S. and the NIS2 in Europe are mandating the reporting of cyber risk management, expanding the associated consequences of attacks beyond standard security concerns and putting organizations who do not comply at risk of potential legal and financial implications,” he added.
Related news
The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout show. The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a
The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software version 4.0.4.0 could allow an authenticated local user to gain a privilege escalation by sending a crafted CREATE message.
Russian threat actors have been possibly linked to what's been described as the "largest cyber attack against Danish critical infrastructure," in which 22 companies associated with the operation of the country's energy sector were targeted in May 2023. "22 simultaneous, successful cyberattacks against Danish critical infrastructure are not commonplace," Denmark's SektorCERT said [PDF]. "The
Several distributed denial-of-service (DDoS) botnets have been observed exploiting a critical flaw in Zyxel devices that came to light in April 2023 to gain remote control of vulnerable systems. "Through the capture of exploit traffic, the attacker's IP address was identified, and it was determined that the attacks were occurring in multiple regions, including Central America, North America,
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday placed two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, are buffer overflow vulnerabilities that could enable an unauthenticated attacker to cause a
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting different firewall models that could enable an unauthenticated attacker
By Deeba Ahmed A variant of the Mirai botnet is targeting Zyxel Firewalls after exploiting a newly patched operating system command injection vulnerability. This is a post from HackRead.com Read the original post: Mirai Malware Hits Zyxel Devices After Command Injection Bug
Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution. Both the flaws – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system. A brief description of the two issues is below - CVE-2023-33009 -
Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw. "Improper error message handling in some firewall versions
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.