A "crimewave" of mass exploitation of Zyxel firewall devices has been washing over critical infrastructure in Europe — and Sandworm, the Russian state-sponsored advanced persistent threat (APT) that specializes in such attacks, is behind only part of it.
According to an analysis from Forescout Research, Vedere Labs this week, one of two previously reported attacks against the Danish energy sector in May was mistakenly attributed to Sandworm.
Mass Exploitation of CVE-2023-27881 in Zyxel Firewalls
At the time, Danish critical infrastructure security nonprofit SektorCERT noted that attackers were leveraging multiple critical vulnerabilities in Zyxel gear, including two zero-days, to isolate targets from the national grid, and that command-and-control (C2) servers known to be associated with Sandworm were involved, across two different campaigns.
Further analysis, however, shows that "the second wave of attacks took advantage of unpatched firewalls using a newly 'popular' CVE-2023-27881, and additional [C2] addresses that went unreported," according to the firm. "Forescout evidence suggests the second wave was part of a separate mass exploitation campaign."
Forescout researchers noted that the perpetrators are targeting firewalls indiscriminately and only changing staging servers periodically — a very different M.O. from that of the infamous APT.
"Distinguishing between a state-sponsored campaign aimed at disrupting critical infrastructure and a crimewave of mass exploitation campaigns, while also accounting for potential overlaps between the two, is more manageable in hindsight than in the heat of the moment," notes Elisa Costante, vice president of research at Forescout Research. "This report underscores the significance of contextualizing observed events with comprehensive threat and vulnerability intelligence to improve operational technology (OT) network monitoring and enhance incident response plans."
After the Danish attacks, further cyberactivity targeted exposed devices within critical infrastructure worldwide for months, with Forescout researchers detecting numerous IP addresses attempting to exploit the Zyxel bug across various devices as recently as October. And the attacks may still be ongoing: at least six different power companies in European countries use Zyxel firewalls and may remain exposed to exploitation by malicious actors, according to Forescout.
Critical Infrastructure: Not Just a State-Sponsored Target
The fact that garden-variety opportunistic cyberattackers are getting into the ICS game should worry cyber defenders, according to John Gallagher, vice president of Viakoo Labs at Viakoo.
"Forescout's analysis points to the spillover from nation-state directed cyber exploits to mass exploitation campaigns, which is an alarming trend," he says. "As 'mass market' threat actors become more skilled at working within the unique languages and protocols of ICS systems, it dramatically increases the risk of nonaffiliated threat actors providing 'as-a-service' ICS exploitation."
That trend will ironically be exacerbated by the modernization of the technology used by utilities and other critical infrastructure environments, notes Craig Jones, vice president of security operations at Ontinue.
"As infrastructure becomes increasingly connected and reliant on digital systems, the potential attack surface for cybercriminals rises," Jones explains. "We can expect to see more sophisticated attacks that exploit specific vulnerabilities in these systems moving forward. Furthermore, the ever-growing value of data may lead to more targeted ransomware attacks that aim to extract or encrypt particularly valuable or sensitive information."