Danish critical infrastructure faced the biggest online attack in the country's history in May, according to SektorCERT, Denmark's specialist organization for the cybersecurity of critical kit. Detailing the attack waves in a report, it revealed that 22 companies were breached in just a few days. Some were forced to enter island mode operation, where they had to disconnect from the internet and cut any other non-essential network connections.

In almost all cases, unpatched vulnerabilities in Zyxel firewalls made compromise possible, and in some the attackers appeared well-resourced, exploiting vulnerabilities that weren't publicly announced. The attacks are thought to have been carried out by multiple groups, and at least one was potentially the infamous Sandworm operation nestled in Russia's Chief Intelligence Office, said the researchers.

Zyxel firewalls are used extensively by the organizations protected by SektorCERT, and the vulnerabilities in these, announced in April, which allow remote attackers to gain complete control of the firewall without authentication, were blamed for most of the attacks. "This benefited the attackers and gave them weeks to carry out the attacks - even after SektorCERT via SektorForum had alerted all members and encouraged them to install the updates."

The first wave of attacks started on May 11, targeting 16 energy organizations, all trying to exploit CVE-2023-28771. For the 11 that were compromised, SektorCERT believes this was the original reconnaissance phase of the attack, and that it likely only sent firewall configurations and credentials back to the attackers. As the devices weren't available for scanning on services like Shodan, SektorCERT said it's not clear how the attackers were able to identify the vulnerable firewalls. It also said the coordination in the first wave was "remarkable" - an attack that required planning and large numbers of resources.
After 10 days of silence, the second wave of the attacks began. This time one organization was already compromised, but SektorCERT was only alerted after it started downloading firewall updates over an insecure connection, rather than at the point of initial compromise. This turned out to be an attack, believed to be carried out by a different actor, to use the organization's infrastructure as part of the Mirai botnet. The compromise was used to carry out DDoS attacks against two targets in the US and Hong Kong before the organization went into island mode to remediate the compromise. Zyxel publicized the two firewall-related CVEs two days later, and SektorCERT said it's possible these were known to the attackers beforehand.

Just hours after the first Mirai attack, another was launched, again sending the organization into island mode operation.

The final wave of attacks began on May 24, when SektorCERT received an alert that indicated advanced persistent threat traffic at one organization - the first of its kind ever seen in its three years of operation. The traffic was linked to an IP address that had previously been used by Sandworm, the Russian GRU cyber unit tied to a range of attacks, perhaps the most infamous of all being NotPetya. Very little came of the Sandworm-linked attacks other than one organization losing visibility into three of its remote locations, which had to be manually addressed.

"Danish critical infrastructure is under constant cyber attack from foreign actors. Therefore, everyone who runs critical infrastructure should pay extra attention and ensure that the right measures are taken to be able to prevent, detect, and deal with these attacks."
This Cyber News was published on www.theregister.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000