Analysis of AcidRain Malware Variant "AcidPour" and Its Impact on Ukraine

Date: 19 March 2022
CVE: Not specified
Sources: https://www.hackread.com/acidrain-linux-malware-variant-acidpour-ukraine/

Issue Summary

AcidRain is a destructive Linux wiper that has been linked to the February 2022 cyberattack on Viasat's KA-SAT satellite broadband service. It is built for modems and routers: it erases the devices' storage so that they no longer boot, leaving them inoperable. The attack knocked out satellite communications across Ukraine and parts of Europe and stands as one of the most significant cyber incidents of the Russia-Ukraine war. AcidPour, the variant behind the linked report, is a newer build of the same wiper aimed at Ukrainian targets.

Technical Key findings

AcidRain first recursively deletes files from the filesystem, then enumerates storage devices such as raw flash (MTD), SD/MMC cards and disks, and destroys each one either by overwriting it in chunks of up to 0x40000 bytes or, for raw flash, by issuing the MTD erase IOCTLs. Nothing in the routine is tailored to a particular modem: it walks generic Linux device-node names and tries every destruction method it has, which suggests the authors wanted a tool that stays generic and reusable across different firmware. SentinelOne researchers also found development and code overlaps with the VPNFilter malware, pointing to known Russian APT groups. The AcidPour variant keeps the same approach but, per SentinelOne, is compiled for x86 rather than MIPS and covers a wider set of storage targets.
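The indicators described above (generic device-node paths plus the MTD ioctls needed to erase raw flash) lend themselves to a quick static triage. The script below is an added example for this page, not code from the Hackread article, from SentinelOne or from the malware itself. It assumes the device-path list drawn from public reporting (the page itself only names flash and SD/MMC; sd/loop/block come from the AcidRain analysis and ubi/dm- from the AcidPour reporting), and it derives the ioctl request numbers from the kernel's ioctl bit layout for two ABIs, x86 and MIPS, rather than hard-coding them, so it also shows why a MIPS sample carries different constants than an x86 one. The sample blob at the bottom is constructed for the demo, not a real malware fragment.

```python
"""Static triage for AcidRain-style storage-wiper indicators in a binary.

Added example for this page; not code from the Hackread article, SentinelOne,
or the malware itself. Two signals are checked: the device-node paths a generic
Linux wiper walks, and the MTD ioctl request numbers it needs to erase raw
flash, encoded for the x86 (asm-generic) and MIPS ioctl layouts.
"""
import re
import struct

# MTD ioctls from include/uapi/mtd/mtd-abi.h: name -> (nr, direction, payload size).
# mtd_info_user is 32 bytes and erase_info_user 8 bytes on the ABIs modelled here;
# mtd_oob_buf carries a pointer, so its size depends on the pointer width.
MTD_IOCTLS = {
    "MEMGETINFO":  (1, "R",  lambda ptr: 32),
    "MEMERASE":    (2, "W",  lambda ptr: 8),
    "MEMWRITEOOB": (3, "RW", lambda ptr: 8 + ptr),
    "MEMUNLOCK":   (6, "W",  lambda ptr: 8),
}

# ioctl bit layout per ABI. asm-generic (x86): dir<<30 | size<<16 | type<<8 | nr with
# READ=2, WRITE=1. MIPS keeps its historical layout: 3 dir bits at <<29, READ=2, WRITE=4.
ABI = {
    "x86":  {"read": 2, "write": 1, "dirshift": 30, "ptr": 4},
    "mips": {"read": 2, "write": 4, "dirshift": 29, "ptr": 4},
}

# Device-node prefixes a generic Linux wiper enumerates. Assumption: the list is taken
# from public reporting on AcidRain/AcidPour; any hit is an indicator, not proof.
DEV_PATH_RE = re.compile(
    rb"/dev/(?:block/)?(?:sd|mtd(?:block)?|mmcblk|loop|ubi|dm-)[A-Za-z0-9]*"
)


def ioctl_number(name: str, arch: str) -> int:
    """Encode an MTD ioctl request number the way <asm/ioctl.h> does for `arch`."""
    nr, direction, size_of = MTD_IOCTLS[name]
    abi = ABI[arch]
    dirbits = (abi["read"] if "R" in direction else 0) | (abi["write"] if "W" in direction else 0)
    return (dirbits << abi["dirshift"]) | (size_of(abi["ptr"]) << 16) | (ord("M") << 8) | nr


def find_device_paths(blob: bytes) -> list:
    """Distinct device-node strings present in the blob, sorted."""
    return sorted({m.decode("ascii") for m in DEV_PATH_RE.findall(blob)})


def find_ioctl_immediates(blob: bytes) -> dict:
    """Map ioctl name -> [(arch, endian, offset)] for each 32-bit immediate found.

    Caveat: x86 loads a 32-bit constant as one contiguous immediate; MIPS usually
    splits it across lui/ori, so a MIPS sample may show no hits here even though
    it uses these ioctls. On MIPS the path strings are the stronger signal.
    """
    hits = {}
    for arch in ABI:
        for name in MTD_IOCTLS:
            for endian in ("<", ">"):
                needle = struct.pack(endian + "I", ioctl_number(name, arch))
                start = 0
                while (off := blob.find(needle, start)) != -1:
                    hits.setdefault(name, []).append((arch, endian, off))
                    start = off + 1
    for matches in hits.values():
        matches.sort()
    return hits


def triage(blob: bytes) -> dict:
    """Combine both signals into a verdict a triage queue can key on."""
    paths = find_device_paths(blob)
    ioctls = find_ioctl_immediates(blob)
    if len(paths) >= 2 and ioctls:
        verdict = "mtd-wiper-indicators"   # walks storage nodes and can erase raw flash
    elif paths:
        verdict = "storage-paths-only"     # worth a look; many legitimate tools touch /dev/sd*
    else:
        verdict = "no-indicators"
    return {"device_paths": paths, "ioctl_hits": ioctls, "verdict": verdict}


# Constructed sample (not a real malware fragment): three device-path strings followed
# by two x86 `push imm32` instructions carrying MEMERASE and MEMGETINFO.
SAMPLE_BLOB = (
    b"\x00/dev/mtdblock\x00/dev/mmcblk\x00/dev/sd\x00"
    + b"\x68" + struct.pack("<I", 0x40084D02)
    + b"\x68" + struct.pack("<I", 0x80204D01)
    + b"\xcc"
)

if __name__ == "__main__":
    for arch in ABI:
        print(arch, {n: hex(ioctl_number(n, arch)) for n in MTD_IOCTLS})
    print(triage(SAMPLE_BLOB))
```

Run against a real sample, the path scan is the part to trust first: a wiper that builds its device names on the stack or a MIPS build that assembles the ioctl constant with lui/ori will defeat the immediate search, so treat an empty `ioctl_hits` as "not observed", never as "absent".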

Vulnerable products

The attack mainly hit satellite modems on the KA-SAT network, bricking thousands of units across Europe. Because the wiper keys on generic Linux device-node names rather than on a specific firmware, any router or IoT device with similar storage (raw flash, SD/MMC cards, or ordinary block devices) is a plausible target for the same or a lightly modified binary.

Impact assessment

The primary impact is the rendering of targeted modems and routers unusable, causing significant disruptions in satellite communications. This not only affects individual users but also has broader implications for organizations relying on satellite networks for their operations, including remote access to infrastructure and communications across Europe.

Patches or workaround

The sources give no patch or workaround for AcidRain, and there is no vulnerability to patch in the usual sense: a wiper of this kind only needs to be executed on the device. Mitigation is therefore about keeping attackers off the path that reaches it: no management interfaces exposed to the internet, vendor-default credentials changed, firmware kept current so known remote-access bugs cannot be used to deliver the binary, and, where the hardware supports it, verified boot and an out-of-band way to re-flash a wiped unit.

Tags

#AcidRain, #AcidPour, #Ukraine, #ViasatAttack, #VPNFilter, #WiperMalware, #CyberSecurity, #RouterSecurity, #ModemWiper

New AcidRain Linux Malware Variant "AcidPour" Targeting Ukraine
