
Cyclops Blink malware linked to Russia’s Sandworm APT

UK and US cybersecurity agencies have linked the Cyclops Blink malware to Russia’s Sandworm APT.

Cybersecurity and law enforcement agencies in the US and UK have issued a joint security advisory warning about a new malware strain called Cyclops Blink, which they link to the Russian state-backed Sandworm APT group.

Sandworm (also known as BlackEnergy and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Main Center for Special Technologies (GTsST), GRU, Russia.

The group is also the author of the NotPetya ransomware that attacked hundreds of companies around the world in June 2017, causing billions of dollars of damage.

Cyclops Blink was first exposed in 2018 and is believed to replace the VPNFilter botnet, which at the time consisted of more than 500,000 compromised routers and network-attached storage (NAS) devices.

The Cyclops Blink malware has been active since at least June 2019 and targets WatchGuard Firebox appliances and other small office/home office (SOHO) network devices. According to WatchGuard, Cyclops Blink may have affected about 1% of all active WatchGuard firewall appliances.

“The Sandworm actor replaced the exposed VPNFilter malware with a new, more advanced framework,” reads the advisory published by the UK National Cyber Security Centre. “The actor has so far primarily deployed Cyclops Blink on WatchGuard devices, but it is likely that Sandworm is capable of compiling the malware for other architectures and firmware.”

Cyclops Blink is a sophisticated malware with a modular structure. It supports the ability to add new modules at runtime, allowing Sandworm operators to implement additional functions as needed.

The malware abuses the firmware update process to achieve persistence. Operators manage victims in clusters, and each Cyclops Blink deployment carries its own list of command and control (C2) IP addresses and ports.

“Cyclops Blink persists across reboots and throughout the legitimate firmware update process. Affected organizations should therefore take steps to remove the malware,” the advisory concluded. “WatchGuard has worked closely with the FBI, CISA and NCSC to provide tools and guidance that allow Cyclops Blink to be detected and removed from WatchGuard devices through a non-standard upgrade process.”

Indicators of compromise (IoCs) are provided in the Cyclops Blink Malware Analysis Report.

In February, the French security agency ANSSI warned of a series of attacks targeting the Centreon monitoring software used by several French organizations and attributed them to the Russia-linked Sandworm APT group.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs: hacking, CISA)