CISA and UK NCSC attribute new malware framework to Russian group Sandworm
The United States Cybersecurity & Infrastructure Security Agency (CISA) has published a joint alert with its UK counterpart, the National Cyber Security Centre (NCSC), identifying new malware called Cyclops Blink. For now, the malware has been found only on network firewall appliances manufactured by WatchGuard Technologies.
“The NCSC, CISA and FBI previously assigned the Sandworm actor to the Russian Main Center for Special Technologies (GTsST) of the Russian Main Intelligence Directorate (GRU),” CISA said.
Sandworm, also tracked as Voodoo Bear, was identified as responsible for the 2015 BlackEnergy attack that disrupted Ukraine's power grid, as well as for the Industroyer and NotPetya malware, disruptive attacks on the Republic of Georgia, and attacks on the Winter Olympic and Paralympic Games.
Cyclops Blink is described as "a large-scale, modular malware framework" that the agencies assess to be a replacement for VPNFilter, which was first exposed in 2018. VPNFilter infected network-attached storage (NAS) and router devices in small office/home office (SOHO) environments.
While CISA says the activity is currently limited to certain WatchGuard firewall appliances used in enterprises, it warns that Sandworm is also capable of retargeting the malware at other devices.
“The actor has so far primarily deployed Cyclops Blink on WatchGuard devices, but it’s likely that Sandworm would be able to compile the malware for other architectures and firmware,” CISA said.
Only a small number of devices concerned, advises the manufacturer
“WatchGuard has worked closely with the FBI, CISA, NSA, and NCSC, and provided tools and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step of these instructions to ensure devices are patched to the latest version and any infections are removed,” CISA said.
WatchGuard estimates that approximately 1% of its active firewall appliances may be infected. The company said only appliances configured to allow unrestricted management access from the internet are affected; that setting is not the default for its physical firewall appliances, WatchGuard noted, so the practical exposure is limited to devices whose management interface was deliberately opened to the internet.
In a statement, WatchGuard also noted that it has found no evidence of data exfiltration by the malware, nor any evidence that its own networks were affected or breached.
WatchGuard said it has developed and released a set of Cyclops Blink detection tools and, in coordination with the authorities, published a remediation plan for customers.