Wednesday, October 2, 2024

Common Cybercriminals Begin Critical Infrastructure Targeting

A "crimewave" of mass exploitation of Zyxel firewall devices has been washing over critical infrastructure in Europe, and Sandworm, the Russian state-sponsored advanced persistent threat (APT) that specializes in such attacks, is behind only part of it.

According to an analysis from Forescout Research's Vedere Labs this week, one of two previously reported attacks against the Danish energy sector in May was mistakenly attributed to Sandworm.

Mass Exploitation of CVE-2023-27881 in Zyxel Firewalls

At the time, Danish critical infrastructure security nonprofit SektorCERT noted that attackers were leveraging multiple critical vulnerabilities in Zyxel gear, including two zero-days, to isolate targets from the national grid, and that command-and-control (C2) servers known to be associated with Sandworm were involved, across two different campaigns.

Further analysis, however, shows that "the second wave of attacks took advantage of unpatched firewalls using a newly 'widespread' CVE-2023-27881, and additional [C2] addresses that went unreported," according to the firm. "Forescout evidence suggests the second wave was part of a separate mass exploitation campaign."

Forescout researchers noted that the perpetrators are targeting firewalls indiscriminately and only changing staging servers periodically, a very different M.O. from that of the notorious APT.

"Distinguishing between a state-sponsored campaign aimed at disrupting critical infrastructure and a crimewave of mass exploitation campaigns, while also accounting for potential overlaps between the two, is more manageable in hindsight than in the heat of the moment," notes Elisa Costante, VP of research at Forescout Research. "This report underscores the importance of contextualizing observed events with comprehensive threat and vulnerability intelligence to improve operational technology (OT) network monitoring and enhance incident response plans."
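The two traits the researchers use to tell the campaigns apart, indiscriminate targeting and periodic rotation of staging servers, can be turned into triage metrics a SOC or OT monitoring team computes over its own exploitation-attempt logs. The following is an added example, not code from Forescout or from the article: it profiles a cluster of observed attempts by victim-sector diversity and staging-host churn and labels the modus operandi. The `Attempt` record, the 0.5 diversity threshold, the sample events and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Triage heuristics for separating an indiscriminate mass-exploitation
campaign from a narrowly targeted one, using two observable traits:
breadth of victim targeting and rotation of staging (C2) hosts over time.
All thresholds, field names and sample data are constructed examples."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Attempt:
    """One logged exploitation attempt against a firewall (constructed schema)."""
    seen: datetime   # when the attempt was logged
    source: str      # source IP of the attempt
    target: str      # victim firewall (asset id or IP)
    sector: str      # victim's sector, taken from the asset inventory
    staging: str     # staging / C2 host the payload called back to


def staging_rotations(attempts):
    """Count how often the staging host changed when attempts are ordered by time.
    A run of consecutive attempts using the same host counts as one period."""
    ordered = sorted(attempts, key=lambda a: a.seen)
    return sum(1 for prev, cur in zip(ordered, ordered[1:]) if prev.staging != cur.staging)


def profile(attempts, diversity_threshold=0.5):
    """Summarise one cluster of attempts and label its modus operandi.

    sector_diversity = distinct victim sectors / distinct victims.  Near 1.0
    means every victim sits in a different sector (indiscriminate scanning);
    near 0.0 means one sector was singled out.  The default threshold of 0.5
    is a constructed value, not a published rule; tune it to your inventory.
    """
    victims = {a.target: a.sector for a in attempts}
    diversity = len(set(victims.values())) / len(victims) if victims else 0.0
    rotations = staging_rotations(attempts)
    indiscriminate = diversity >= diversity_threshold
    label = "mass-exploitation-like" if indiscriminate and rotations > 0 else "targeted-like"
    return {
        "sources": len({a.source for a in attempts}),
        "victims": len(victims),
        "sector_diversity": round(diversity, 2),
        "staging_hosts": len({a.staging for a in attempts}),
        "staging_rotations": rotations,
        "label": label,
    }


def shared_staging(cluster_a, cluster_b):
    """Staging hosts seen in both clusters: the 'potential overlap' an analyst
    must check before treating two waves as one campaign."""
    return {a.staging for a in cluster_a} & {b.staging for b in cluster_b}


def _t(day, hour=0):
    # Constructed timestamps; the month and year carry no meaning.
    return datetime(2023, 1, day, hour)


# Constructed sample: a narrow cluster (one sector, one fixed staging host) ...
TARGETED = [
    Attempt(_t(1), "203.0.113.10", "fw-energy-01", "energy", "198.51.100.5"),
    Attempt(_t(1, 2), "203.0.113.10", "fw-energy-02", "energy", "198.51.100.5"),
    Attempt(_t(2), "203.0.113.11", "fw-energy-03", "energy", "198.51.100.5"),
]

# ... and a broad cluster (many sectors, staging host swapped after a week).
MASS = [
    Attempt(_t(3), "203.0.113.20", "fw-retail-01", "retail", "198.51.100.40"),
    Attempt(_t(3, 1), "203.0.113.21", "fw-energy-04", "energy", "198.51.100.40"),
    Attempt(_t(4), "203.0.113.22", "fw-school-01", "education", "198.51.100.40"),
    Attempt(_t(10), "203.0.113.23", "fw-clinic-01", "healthcare", "198.51.100.41"),
    Attempt(_t(11), "203.0.113.24", "fw-water-01", "water", "198.51.100.41"),
    Attempt(_t(12), "203.0.113.25", "fw-energy-05", "energy", "198.51.100.41"),
]

if __name__ == "__main__":
    print("targeted cluster:", profile(TARGETED))
    print("mass cluster:    ", profile(MASS))
    print("shared staging hosts:", shared_staging(TARGETED, MASS) or "none")
```

The energy-sector victims inside the broad cluster are the point of the exercise: seen in isolation, a hit on an energy firewall from a host later tied to a known C2 looks like a state-sponsored strike, but once the same staging host is also seen hitting retail, education and healthcare assets the cluster profiles as indiscriminate. Feeding the clusters through `shared_staging` before merging them is the "accounting for potential overlaps" step in the quote above.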

After the Danish attacks, further cyberactivity targeted exposed devices within critical infrastructure worldwide for months, with Forescout researchers detecting numerous IP addresses attempting to exploit the Zyxel bug across various devices as recently as October. And attacks may continue still: At least six different power companies in European countries use Zyxel firewalls and may remain susceptible to potential exploitation by malicious actors, according to Forescout.

Critical Infrastructure: Not Just a State-Sponsored Target

The fact that garden-variety opportunistic cyberattackers are getting into the ICS game should worry cyber defenders, according to John Gallagher, VP of Viakoo Labs at Viakoo.

"Forescout's analysis points to the spillover from nation-state directed cyber exploits to mass exploitation campaigns, which is an alarming trend," he says. "As 'mass market' threat actors become more skilled at operating within the unique languages and protocols of ICS systems, it dramatically increases the likelihood of nonaffiliated threat actors providing 'as-a-service' ICS exploitation."

That trend will ironically be exacerbated by the modernization of the technology used by utilities and other critical infrastructure environments, notes Craig Jones, VP of security operations at Ontinue.

"As infrastructure becomes increasingly connected and reliant on digital systems, the potential attack surface for cybercriminals rises," Jones explains. "We can expect to see more sophisticated attacks that exploit specific vulnerabilities in these systems moving forward. Additionally, the ever-growing value of data may lead to more targeted ransomware attacks that aim to extract or encrypt particularly valuable or sensitive information."
