Inside Denmark’s hell week as critical infrastructure orgs faced cyberattacks

Trending 3 months ago

Danish analytical basement faced the better online advance in the country's history in May, according to SektorCERT, Denmark's specialist alignment for the cybersecurity of analytical kit.

Detailing the advance after-effects in a report, it appear that 22 companies were breached in aloof a few canicule with some were affected to access island approach operation, area they had to abstract from the civic or bounded ability network.

In about all cases unpatched vulnerabilities in Zyxel firewalls meant accommodation was possible, and in some the attackers appeared well-resourced, base vulnerabilities that weren't about appear (zero days).

The attacks are anticipation to accept been agitated out by assorted groups, and at atomic one was potentially the abominable Sandworm operation nestled in Russia's Chief Intelligence Office (GRU), said the researchers.

As the Zyxel accessories weren't arresting on accessible scanning casework such as Shodan, SektorCERT believes Danish analytical basement was targeted specifically.

Zyxel firewalls are acclimated abundantly by the organizations adequate by SektorCERT and the vulnerabilities in these, announced in April, which acquiesce alien attackers to accretion complete ascendancy of the firewall after authentication, were abhorrent for best of the attacks.

"For abounding of our associates this was a surprise," SektorCERT said in the report [PDF]. "Many believed that because the firewall was almost new, it charge be affected to accept the latest software, while others afield affected that their bell-ringer was amenable for the updates. 

"Other associates had advisedly autonomous out of the updates as there was a amount from the supplier to install them (the software itself is free). Still others artlessly did not apperceive they had the accessories in catechism in their network. Either because a supplier had installed them after cogent them about it or because they did not accept an overview of the accessories that were affiliated to their network. 

"This benefited the attackers and gave them weeks to backpack out the attacks – alike afterwards SektorCERT via SektorForum had alerted all associates and encouraged them to install the updates."

The aboriginal beachcomber of attacks started on May 11, targeting 16 activity organizations, all aggravating to accomplishment CVE-2023-28771.

Eleven of the 16 orgs were compromised "immediately" – the added bristles are anticipation to accept escaped, potentially due to ailing formatted abstracts packets beatific to the firewalls, acceptation the vulnerability wasn't exploited.

For the compromised 11, SektorCERT believes that this was the aboriginal assay appearance of the attack, and acceptable alone beatific firewall configurations and accreditation aback to the attackers.

As the accessories weren't accessible for scanning on casework like Shodan, SektorCERT said it's not bright how the attackers were able to analyze the accessible firewalls.

It additionally said the allocation in the aboriginal beachcomber was "remarkable" – an advance that appropriate planning and ample numbers of resources.

After 10 canicule of silence, the additional beachcomber of the attacks began – this time one alignment was already compromised but SektorCERT was alone alerted afterwards it started downloading firewall updates over an afraid affiliation (an attacker's operation), rather than at the point of antecedent compromise.

This angry out to be an attack, believed to be agitated out by a altered actor, to use the organization's basement as allotment of the Mirai botnet. The accommodation was acclimated to backpack out DDoS attacks adjoin two targets in the US and Hong Kong afore the alignment went into island approach to remediate the compromise.

It was adjourned that the attackers "possibly" acclimated two Zyxel firewall aught canicule to aperture this organization. At the time, SektorCERT wasn't acquainted of how the accommodation was initially completed. Zyxel publicized the two firewall-related CVEs two canicule later, and SektorCERT said it's accessible these were accepted to the attackers beforehand.

  • Toyota admits to yet addition billow leak
  • Mirai reloads accomplishment armory as botnet embarks on addition amplification drive
  • DDoS-like advance brought bottomward OpenAI this week, not aloof its declared popularity
  • Critical basement accessory is abounding of flaws, but hey, at atomic it's certified

Just hours afterwards the aboriginal Mirai attack, addition was launched, afresh sending the alignment into island approach operation. In this case, the firewall ultimately had to be absolutely replaced in adjustment to absolutely remediate the compromise.

Over the abutting few canicule as SektorCERT was affected to assignment about the alarm in some cases, six added organizations were afresh compromised through their Zyxel firewalls. In one case, the alignment didn't alike apperceive they had a Zyxel firewall until a absolute analysis appear a third-party supplier installed one back ambience up a camera system.

The final beachcomber of attacks began on May 24 back SektorCERT accustomed an active that adumbrated beat assiduous blackmail (APT) cartage at one alignment – the aboriginal of its affectionate anytime apparent in its three years of operation.

The cartage was affiliated to an IP abode that had ahead been acclimated by Sandworm, the Russian GRU cyber assemblage angry to a ambit of attacks but conceivably best abominable of all was NotPetya. However, SektorCERT insisted that allegation could not be fabricated with aplomb due to the all-embracing abridgement of evidence.

Very little came of the Sandworm-linked attacks added than one alignment accident afterimage into three of its alien locations, which had to be manually addressed.

"[The organization's workers] started manually active out to all alien locations to handle the chiral operation," SektorCERT said. "A bearings that was handled both professionally and with a bit of good, Danish amusement – 'It's acceptable acclimate to drive in,' as the operational administrator stated."

Still, there was no cogent actual appulse on the operation of the country's critical infrastructure. SektorCERT accepted its experts' fast responses and those too of the afflicted organizations.

Going forward, it said that added focus should be placed on what it calls systemic vulnerabilities – those that abide in abounding organizations and if exploited, could advance to advanced after-effects for the country.

"Danish, analytical basement is beneath connected cyber advance from adopted actors. Therefore, anybody who runs analytical basement should pay added absorption and ensure that the appropriate measures are taken to be able to prevent, detect, and accord with these attacks." ®