
Tuesday 1 March 2022

NCSC Advisory: Suspected Russian Intelligence Agency APT Malware Cyclops Blink replaces VPNFilter


Summary

The United Kingdom's (UK) National Cyber Security Centre (NCSC), together with the US CISA, NSA, and FBI, recently released a joint advisory warning that a suspected Russian state-sponsored advanced persistent threat (APT) actor, Sandworm (also known as BlackEnergy, Telebots, and Voodoo Bear), affiliated with the Russian Main Intelligence Directorate (GRU), has been observed actively using a new malware family dubbed Cyclops Blink.

Cyclops Blink, which first appeared in 2019 shortly after the disappearance of VPNFilter, appears to be a replacement framework for the VPNFilter malware exposed in 2018. VPNFilter exploited network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices.

Cyclops Blink, used by Sandworm operators to create a botnet, specifically targets WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices.

The malware is deployed through the infected devices' legitimate firmware update mechanism: malicious code is injected into a repacked firmware image, so the infection survives reboots and subsequent updates, which makes remediation harder.

Sandworm, active since the mid-2000s, has historically targeted critical infrastructure in Ukraine, along with various NATO member countries, often just prior to and during heightened geopolitical tensions or conflicts.

Campaigns previously attributed to Sandworm include:

  • The BlackEnergy disruption of Ukrainian electricity in 2015
  • Industroyer in 2016
  • NotPetya in 2017
  • Attacks against the Winter Olympics and Paralympics in 2018
  • A series of disruptive attacks against Georgia in 2019

The joint advisory provides details on VPNFilter, Cyclops Blink, and Sandworm's associated tactics, techniques, and procedures (TTPs). NCSC has also published a separate malware analysis report on Cyclops Blink.

The advisory states that the deployment of Cyclops Blink appears to be 'widespread and indiscriminate', suggesting that any organization which uses WatchGuard Firebox or other SOHO network devices could be affected.

The advisory states that 'the actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.'

Given the heightened tensions – and now military action – in Ukraine, and previous Sandworm targeting, organizations’ devices affected by Cyclops Blink could potentially be used in campaigns against specific targets, or exploited themselves.

Analysis

Potential Impact

The advisory says that ‘all accounts on infected devices should be assumed as being compromised and organizations should immediately remove Internet access to the management interface of affected network devices.’

That said, a Cyclops Blink infection does not by itself mean that an organization is a primary target; it may later be selected as one, or its infected devices may be used to stage attacks against others.


Recommendations

Organizations are advised to follow the mitigation advice in the advisory to defend against this activity, and to use the indicators of compromise (which are not exhaustive) in the Cyclops Blink malware analysis report to detect possible activity on their networks.

UK organizations affected by the activity outlined in the advisory should report any suspected compromises to the NCSC at https://report.ncsc.gov.uk/.

Several additional general recommended actions from this advisory are as follows:

  • Do not expose management interfaces of network devices to the internet
  • Protect your devices and networks by keeping them up to date
  • Use multi-factor authentication to reduce the impact of password compromises
  • Treat people as your first line of defense
  • Set up a security monitoring capability
  • Prevent and detect lateral movement in your organization’s networks
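The first item above, and the advisory's instruction under Potential Impact to remove internet access to the management interface, are a check a practitioner can run against an existing firewall policy rather than a hope. The following is an added example, not code from the advisory, the NCSC, or WatchGuard: it walks an ordered allow/deny policy and reports which management services some non-internal source could reach. The rule format, the internal address ranges, the management port numbers and both sample policies are constructed for illustration; substitute your own.

```python
"""Audit an ordered firewall policy for management services reachable from
outside the internal address space.

Added example, not code from the advisory, NCSC or WatchGuard. The rule
format, INTERNAL_NETS, the management ports and both sample policies are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address space treated as trusted. Assumed for the example.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Management services to audit; the ports are assumptions, not from the advisory.
MANAGEMENT_SERVICES = {"ssh": 22, "snmp": 161, "web-ui": 8080}


@dataclass
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # source CIDR, or "any"
    dst_port: Optional[int]   # None means any destination port


def src_is_internal(src: str) -> bool:
    """True if every address the rule's source can match lies inside INTERNAL_NETS."""
    if src == "any":
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.version == n.version and net.subnet_of(n) for n in INTERNAL_NETS)


def evaluate(rules, src_ip: str, port: int) -> str:
    """First-match evaluation of a single packet against the policy; default deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        src_ok = r.src == "any" or ip in ipaddress.ip_network(r.src, strict=False)
        if src_ok and (r.dst_port is None or r.dst_port == port):
            return r.action
    return "deny"


def exposed_management_services(rules) -> list:
    """Names of management services that some non-internal source can reach.

    Walks the policy in order once per service. An earlier 'deny any' for the
    port shadows everything after it; an 'allow' whose source is not wholly
    internal means exposure. Denies for specific external ranges are treated
    as non-shadowing, so the audit may over-report but never under-reports."""
    exposed = []
    for name, port in MANAGEMENT_SERVICES.items():
        for r in rules:
            if r.dst_port is not None and r.dst_port != port:
                continue
            if r.action == "deny" and r.src == "any":
                break
            if r.action == "allow" and not src_is_internal(r.src):
                exposed.append(name)
                break
    return sorted(exposed)


# Constructed sample policies. 203.0.113.0/24 is a documentation range standing
# in for an arbitrary external network.
WEAK_POLICY = [
    Rule("allow", "192.168.0.0/16", None),   # LAN may reach everything
    Rule("allow", "any", 443),               # VPN portal, intentionally public
    Rule("allow", "any", 8080),              # web UI open to the internet
    Rule("allow", "203.0.113.0/24", 22),     # "vendor support" range: still external
    Rule("deny", "any", None),
]

HARDENED_POLICY = [
    Rule("allow", "192.168.0.0/16", None),
    Rule("allow", "10.20.0.0/24", 22),       # admin jump subnet only
    Rule("deny", "any", 22),
    Rule("deny", "any", 161),
    Rule("deny", "any", 8080),
    Rule("allow", "any", 443),
    Rule("deny", "any", None),
]

if __name__ == "__main__":
    print("weak policy exposes:", exposed_management_services(WEAK_POLICY))
    print("hardened policy exposes:", exposed_management_services(HARDENED_POLICY))
    print("LAN host to web UI (hardened):", evaluate(HARDENED_POLICY, "192.168.1.50", 8080))
```

Note the third rule of the weak policy: restricting SSH to a named external range still counts as exposure, because the advisory's concern is any management path reachable from the internet, not only rules that say "any".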

WatchGuard has worked closely with the FBI, CISA, and the NCSC, and issued its own guidance.

MITRE ATT&CK mitigations are also available in this advisory.

References

  1. https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter
  2. https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
  3. https://www.watchguard.com/wgrd-news/blog/important-detection-and-remediation-actions-cyclops-blink-state-sponsored-botnet
