Russian Cyclops Blink malware targets network devices


US and UK cybersecurity agencies have published a joint Cybersecurity Advisory (CSA) detailing a new malware strain being used by a notorious Russia-backed hacking group to target home and office networking devices.

The malware, known as Cyclops Blink, is linked to the Sandworm hacking gang, which is thought to be run by Unit 74455 of the Russian Main Intelligence Directorate, a military intelligence agency of the Russian Armed Forces.

Officials said they believe the Sandworm group (also known as Voodoo Bear, BlackEnergy, and TeleBots) developed the new malware to replace a prior botnet that was built with the earlier VPNFilter malware and was sinkholed by the FBI in May 2018.

The UK National Cyber Security Centre (NCSC) said the deployment of Cyclops Blink could enable Sandworm to remotely access networks.

The new malware is thought to have been active since June 2019. So far, Sandworm has mostly used it on WatchGuard devices.

WatchGuard Technologies is a network security firm that develops technologies to defend computer networks from outside threats.

The joint advisory described Cyclops Blink as ‘professionally developed’ malware that uses a modular structure to let attackers distribute second-stage payloads to infected devices. It is capable of downloading and executing files on the devices, and its modular design allows additional capabilities to be added as required.

Cyclops Blink persists across reboots and throughout legitimate firmware updates, the agencies warned.

In its own advisory released on Wednesday, WatchGuard said that Cyclops Blink may have affected a limited number of WatchGuard firewall appliances. The firm said that the attackers likely leveraged a weakness in earlier Firebox firmware as an entry point, a vulnerability that was patched in May 2021.

WatchGuard claims to have developed a remediation for Cyclops Blink and says it is working closely with the US FBI, CISA, DOJ and the UK’s NCSC on the issue.

‘Firewall appliances are not at risk if they were never configured to allow unrestricted management access from the internet,’ it said.

‘Restricted management access is the default setting for all WatchGuard’s physical firewall…
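The mitigation WatchGuard describes is a configuration property: management services must not be reachable from arbitrary internet sources. The following audit script is an added example, not code from the advisory or from WatchGuard. It walks a constructed, vendor-neutral list of firewall policies and flags enabled allow-rules that expose a management service to an unrestricted source. The service labels, the `Any-External` alias semantics and the sample rules are assumptions made for illustration.

```python
"""Audit firewall policies for management services exposed to the internet.

Added example. The policy records are a constructed, vendor-neutral
representation; service names and alias semantics are assumptions.
"""
import ipaddress

# Assumed labels for management-plane services (real products use their own).
MANAGEMENT_SERVICES = {"ssh", "web-ui", "mgmt"}

# Assumed aliases meaning "any source address" (WatchGuard has an alias called
# Any-External; treating it as unrestricted here is an assumption).
ANY_SOURCE_ALIASES = {"Any-External", "Any", "any"}


def is_unrestricted(source):
    """True when a source entry admits the entire IPv4 or IPv6 address space."""
    if source in ANY_SOURCE_ALIASES:
        return True
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        # Unknown alias or hostname: cannot prove it is open, so not flagged here.
        return False
    return net.prefixlen == 0  # 0.0.0.0/0 or ::/0


def find_exposed_management(policies):
    """Return names of enabled allow-rules that let an unrestricted source
    reach a management service."""
    exposed = []
    for policy in policies:
        if not policy.get("enabled", True):
            continue  # disabled rules do not pass traffic
        if policy["action"] != "allow":
            continue
        if policy["service"] not in MANAGEMENT_SERVICES:
            continue
        if any(is_unrestricted(src) for src in policy["from"]):
            exposed.append(policy["name"])
    return exposed


# Constructed sample rule set (not from any real appliance).
SAMPLE_POLICIES = [
    {"name": "WatchGuard-WebUI", "action": "allow", "from": ["Any-External"],
     "to": "Firebox", "service": "web-ui"},
    {"name": "Admin-SSH-from-office", "action": "allow",
     "from": ["203.0.113.0/24"], "to": "Firebox", "service": "ssh"},
    {"name": "Deny-Mgmt-Internet", "action": "deny", "from": ["0.0.0.0/0"],
     "to": "Firebox", "service": "mgmt"},
    {"name": "Web-Server", "action": "allow", "from": ["0.0.0.0/0"],
     "to": "Web-DMZ", "service": "https"},
    {"name": "Old-Mgmt", "action": "allow", "from": ["Any-External"],
     "to": "Firebox", "service": "mgmt", "enabled": False},
    {"name": "Mgmt-v6", "action": "allow", "from": ["::/0"],
     "to": "Firebox", "service": "mgmt"},
]


if __name__ == "__main__":
    for name in find_exposed_management(SAMPLE_POLICIES):
        print(f"management service exposed to the internet by rule: {name}")
```

Only the two rules that combine an allow action, a management service and a whole-address-space source are reported; the deny rule, the office-scoped SSH rule, the public web-server rule and the disabled rule are correctly ignored. Exporting a real appliance's policy list into this shape is the only adaptation needed to run the same check against an actual configuration.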
