https://arstechnica.com/security/2024/03/never-before-seen-data-wiper-may-have-been-used-by-russia-against-ukraine/ #cybersecurity #malware #DataWiper #AcidRain #AcidPour #Russia #Viasat #Ukraine
New AcidPour Wiper Targeting Linux Devices Spotted in Ukraine - https://www.redpacketsecurity.com/new-acidpour-wiper-targeting-linux-devices-spotted-in-ukraine/
SentinelLabs discovered a new variant of the AcidRain wiper targeting Ukraine, which they call AcidPour. Their analysis confirms the connection between AcidRain and AcidPour, connecting it to clusters previously publicly attributed to Russian military intelligence. The discovery coincides with the enduring disruption of multiple Ukrainian telecommunication networks since 13 March 2024. SentinelLabs provides a technical analysis, describes AcidPour's features and lists IOCs. 🔗 https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/
#AcidRain #AcidPour #wiper #malware #threatintel #IOC #Russia #Ukraine #RussiaUkraineWar
Analysis of AcidRain Malware Variant "AcidPour" and Its Impact on Ukraine
Date: 19 March 2024
CVE: Not specified
Sources: https://www.hackread.com/acidrain-linux-malware-variant-acidpour-ukraine/
Issue Summary
AcidRain, a destructive wiper malware, has been identified as a potential threat linked to the cyberattack on Viasat's KA-SAT satellite broadband service. This malware targets modems and routers, specifically designed to erase their storage contents, rendering the devices inoperable. The attack on Viasat disrupted communications across Ukraine and Europe, marking a significant cyber incident amidst the ongoing conflict between Russia and Ukraine.
Technical key findings
AcidRain works by recursively deleting files and then attempting to destroy data on the attached storage devices, such as raw flash memory and SD/MMC cards, by overwriting them with up to 0x40000 bytes of data or issuing device-specific ioctls (the Linux MTD erase interface) to erase them. This approach suggests a brute-force method, possibly indicating the attackers' desire for the tool to remain generic and reusable across different firmware. SentinelOne researchers found developmental and code overlaps with the VPNFilter malware, hinting at a connection to known Russian APT groups.
Vulnerable products
The attack mainly targeted satellite modems connected to the KA-SAT network, affecting thousands of modems across Europe. However, the malware's generic design suggests that it could potentially impact a wide range of routers and IoT devices with similar storage systems.
Impact assessment
The primary impact is the rendering of targeted modems and routers unusable, causing significant disruptions in satellite communications. This not only affects individual users but also has broader implications for organizations relying on satellite networks for their operations, including remote access to infrastructure and communications across Europe.
Patches or workarounds
Specific patches or workarounds for AcidRain were not detailed in the sources; as a wiper it destroys data rather than exploiting a particular vulnerability, so there is nothing to "patch" in the malware sense. The fundamental mitigation is securing network devices against unauthorized (especially management-plane) access and keeping firmware up to date, to reduce the weaknesses that could be used to deploy similar malware.
Tags
#AcidRain, #AcidPour, #Ukraine, #ViasatAttack, #VPNFilter, #WiperMalware, #CyberSecurity, #RouterSecurity, #ModemWiper
The #AcidPour malware is a new variant of #AcidRain targeting #Linux x86 systems in #Ukraine, as discovered by #SentinelLabs researchers. Unlike its predecessor, which was built for the #MIPS architecture, AcidPour specifically targets x86 Linux distributions such as #Ubuntu, #Mint, #Fedora, and #Debian. It introduces new capabilities, including references to Unsorted Block Images (#UBI) and Logical Volume Manager (#LVM) virtual block devices, suggesting an expansion in the range of potential targets. AcidPour's distinct codebase and wiping logic, particularly for devices like LVM volumes, indicate an evolved threat strategy. As malware threats continue to evolve, SentinelLabs has alerted stakeholders in Ukraine, though the full scope and specific targets of AcidPour remain undisclosed. Users and organizations are advised to enhance cybersecurity measures and educate on phishing and malware threats.
Source: New AcidRain Linux Malware Variant “AcidPour” Found Targeting Ukraine
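The technical findings above describe a generic wiper that iterates over whole storage classes (raw flash/MTD, SD/MMC, loop devices, disks) and, in AcidPour, adds UBI and LVM/device-mapper volumes. One cheap triage check a practitioner can run on a suspicious ELF is therefore to see whether its string table references several of those device-node classes at once, which ordinary embedded software rarely does. The script below is an added example written for this page, not SentinelLabs' or hackread's code and not an AcidPour signature: the device-path prefix list and the "three or more storage classes" threshold are the editor's assumptions derived from the storage classes named in the analysis, and both sample byte blobs are constructed here rather than taken from real malware.

```python
"""Heuristic static triage for multi-storage-class wiper traits.

Added example (not from the original page or from SentinelLabs). It scans a
binary's printable strings for Linux raw-storage device paths and flags a
sample that references several distinct storage classes.
"""
import re

# ASSUMPTION: device-node prefixes a generic Linux wiper would iterate over,
# grouped into the storage classes the analysis names. Not an AcidPour IOC list.
DEVICE_CLASSES = {
    "/dev/block/mtdblock": "raw flash (MTD)",
    "/dev/block/mmcblk": "SD/MMC",
    "/dev/mtdblock": "raw flash (MTD)",
    "/dev/mmcblk": "SD/MMC",
    "/dev/mtd": "raw flash (MTD)",
    "/dev/ubi": "UBI volumes",
    "/dev/dm-": "device-mapper / LVM",
    "/dev/loop": "loop devices",
    "/dev/sd": "SCSI/SATA disks",
}
# Longest prefix first so "/dev/mtdblock0" is not classified via "/dev/mtd".
_PREFIXES = sorted(DEVICE_CLASSES, key=len, reverse=True)
# Runs of 4+ printable ASCII bytes, the same notion of "string" as strings(1).
_STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII strings of length >= 4 found in blob."""
    return [m.group().decode("ascii") for m in _STRING_RE.finditer(blob)]


def device_references(blob: bytes) -> dict[str, set[str]]:
    """Map storage class -> set of device path tokens referenced in blob."""
    refs: dict[str, set[str]] = {}
    for s in extract_strings(blob):
        for prefix in _PREFIXES:
            idx = s.find(prefix)
            if idx != -1:
                # Keep the path token itself (e.g. "/dev/mtd%d" out of a usage string).
                token = s[idx:].split()[0]
                refs.setdefault(DEVICE_CLASSES[prefix], set()).add(token)
                break
    return refs


def triage(blob: bytes, min_classes: int = 3) -> dict:
    """Summarise device references; 'suspicious' means >= min_classes storage
    classes are named, the generic multi-target trait described for AcidRain.
    ASSUMPTION: the threshold of 3 is an editor's choice, not a published rule."""
    refs = device_references(blob)
    return {
        "storage_classes": sorted(refs),
        "paths": sorted(p for paths in refs.values() for p in paths),
        "suspicious": len(refs) >= min_classes,
    }


# Constructed sample 1 (not real malware bytes): an ELF-like header followed by
# device format strings spanning every storage class in the table above.
SAMPLE_WIPER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"".join(
    s + b"\x00"
    for s in [
        b"/dev/sd%c", b"/dev/mtd%d", b"/dev/mtdblock%d", b"/dev/block/mtdblock%d",
        b"/dev/mmcblk%d", b"/dev/block/mmcblk%d", b"/dev/loop%d",
        b"/dev/dm-%d", b"/dev/ubi%d", b"/proc", b"/sys", b"/dev",
    ]
)

# Constructed sample 2 (not real software): a benign utility naming one disk node.
SAMPLE_BENIGN = b"\x7fELF" + b"\x00" * 12 + b"usage: mount /dev/sda1 /mnt\x00/etc/fstab\x00"


if __name__ == "__main__":
    for name, blob in (("constructed wiper-like", SAMPLE_WIPER),
                       ("constructed benign", SAMPLE_BENIGN)):
        print(name, triage(blob))
```

To run it on a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `triage`. The check is string-based, so a packed or string-obfuscated binary will slip past it, and a hit only says "this program names many raw storage classes", which is a reason to pull the sample into proper analysis, not an attribution. The authoritative AcidPour indicators are the hashes in SentinelLabs' post linked above.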