In a joint statement from the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the UK National Cyber Security Center (NCSC) reported that the hacking group known as Sandworm is employing a dangerous new malware variant.
Identified as Cyclops Blink, the creation of this new malicious development has been attributed to Russia’s Main Center for Special Technologies. This group has been linked to multiple incidents previously, including threats on an international level such as:
- Ukrainian power system outages in 2015.
- Development of the NotPetya ransomware in 2017.
- Cyberattacks against the Olympic and Paralympic Winter Games in 2018.
- Cyberattacks against the Georgian government in 2019.
The agencies described Cyclops Blink as a replacement framework for VPNFilter malware, detected in 2018 and designed for exploiting network devices such as routers and network-attached storage (NAS) drives.
Cyclops Blink operators appear to act indiscriminately against WatchGuard firewall devices with default configurations, although it is highly likely that the malware can be attached to other architectures and firmware.
The malware has basic core functionality to send information from the compromised device to a server controlled by the hackers, as well as allowing files to be downloaded and executed. Additional functionality allows new modules to be added as the malware executes, causing Sandworm to add new features to an attack as needed.
Cyclops Blink is loaded into memory as two program segments, one with reading/execute permissions and one with reading/write permissions. The former contains the Linux ELF header and executable code, while the latter contains the data used by the malware.
In later stages, hackers deploy the payload as part of a supposed firmware update, obtaining persistence despite a reboot in the system making remediation difficult. Victim devices are organized into groups and each Cyclops Blink implementation has a list of IP addresses of ports and C&C servers used. All IP addresses known to date have been used by compromised WatchGuard firewalls.
Communications between Cyclops Blink clients and servers are protected by Transport Layer Security, using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to its C&C servers through the Tor network.
The threat is still active and an attack could prove disastrous for affected organizations, so the agencies recommend system administrators check their full report to be aware of the best ways to mitigate this security risk.
This alert has compiled information regarding the MITRE ATT&CK framework, this is a globally accessible knowledge base on adversary tactics and techniques based on real-world observations.
- Do not expose network device management interfaces (router, switch, firewall, etc.) to the Internet.
- Protect your devices and networks by keeping them up to date using the latest supported versions, apply security patches issued by different manufacturers, make use of anti-malware and schedule regular scans to protect against new and known malware threats.
- Make use of multi-factor authentication to mitigate the impact of passwords that may be compromised.
- Conduct awareness days exposing the different risks and threats to your company’s human resources with emphasis on how to report suspected phishing emails or emails containing suspicious attachments.
- Prevent and detect lateral movement in your organization’s networks.
Use cases *:
- Platform management and/or access.
- Tracking of activities of a possible Zero-Day Attack. Recognition and/or Vulnerabilities.
- Suspicious traffic from dangerous destination IPs.
- Access control by geolocation.
*To have these detections, the client must have contracted SOC services.
For more information you can consult the following sources associated with the news: