Hackers from one of Russia’s most elite and brazen spy agencies have infected home and small business network devices around the world with never-before-seen malware that turns the devices into attack platforms capable of stealing confidential data and targeting other networks.
Cyclops Blink, as the advanced malware has been dubbed, has infected approximately 1% of the firewall appliances made by WatchGuard, the company said Wednesday. The malware abuses the legitimate firmware update mechanism of infected devices to gain persistence, meaning it survives reboots.
Like VPNFilter, but stealthier
Cyclops Blink has been around for nearly three years and replaces VPNFilter, the malware that researchers found in 2018 infecting around 500,000 home and small business routers. VPNFilter was a veritable Swiss army knife that allowed hackers to steal or manipulate traffic and to monitor certain SCADA protocols used by industrial control systems. The US Department of Justice linked the hacks to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, commonly abbreviated as GRU.
With VPNFilter exposed, Sandworm hackers have created new malware to infect network devices. Like its predecessor, Cyclops Blink has all the trappings of professionally developed firmware, but it also has new tricks that make it stealthier and harder to remove.
“The malware itself is sophisticated and modular with basic functionality to beacon device information to a server and allow files to be downloaded and executed,” officials from the UK National Cyber Security Centre wrote in an advisory. “There is also a feature to add new modules while the malware is running, allowing Sandworm to implement additional functionality if needed.”
Hold the WatchGuard Hostage
So far, according to the advisory, Sandworm has “primarily” used the malware to infect WatchGuard network devices, but the hackers are likely able to compile it for other platforms as well. The malware gains persistence on WatchGuard devices by abusing the legitimate process the devices use to receive firmware updates.
The malware starts by copying the firmware image stored on the device and modifying it to include its malicious code. Cyclops Blink then manipulates the HMAC value the device uses to cryptographically verify that an image is legitimate before running it, so the trojanized image passes that check and is booted. The diagram illustrating the process is not reproduced here.
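To make the persistence trick concrete, here is an added example in Go; it is not code from the page, the advisory, WatchGuard or the malware. The image layout, the on-device HMAC key, the payload and the out-of-band SHA-256 digest are all constructed for illustration, and the real WatchGuard image format and key handling are not described here. The point it demonstrates is the one a practitioner cares about: an HMAC whose key is reachable by code running on the device cannot tell a vendor image from one patched on that device, whereas a digest obtained out of band from the vendor can.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// DeviceKey is a constructed stand-in for the on-device HMAC key.
// Assumption for this example: code running on the appliance can obtain it.
var DeviceKey = []byte("constructed-device-hmac-key")

// BuildImage returns a constructed toy firmware image with an invented layout:
// header, payload region, trailer. Real images are far larger and differently laid out.
func BuildImage() []byte {
	return []byte("HDR|kernel+rootfs(constructed)|END")
}

// Tag computes the HMAC-SHA256 the device would accept as proof that an image is legitimate.
func Tag(key, image []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

// Verify is the device-side check: recompute the tag and compare in constant time.
func Verify(key, image, tag []byte) bool {
	return hmac.Equal(Tag(key, image), tag)
}

// Implant models the persistence step: splice a payload into the image, then
// recompute the tag with the same key the device will use. The pair passes Verify.
func Implant(key, image, payload []byte) (patched, tag []byte) {
	repl := fmt.Sprintf("|%s|END", payload)
	patched = bytes.Replace(image, []byte("|END"), []byte(repl), 1)
	return patched, Tag(key, patched)
}

// ReferenceDigest is a plain SHA-256 of a known-good image, obtained out of band
// (for example from the vendor), which an attacker on the device cannot influence.
func ReferenceDigest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// ReferenceCheck compares the image on disk against the out-of-band digest.
func ReferenceCheck(image, reference []byte) bool {
	return bytes.Equal(ReferenceDigest(image), reference)
}

func main() {
	img := BuildImage()
	good := ReferenceDigest(img)
	forged, forgedTag := Implant(DeviceKey, img, []byte("constructed-module"))
	fmt.Println("forged image passes on-device HMAC check:  ", Verify(DeviceKey, forged, forgedTag))
	fmt.Println("forged image passes out-of-band digest check:", ReferenceCheck(forged, good))
}
```

The on-device check is keyed with a secret the attacker already holds, so it only detects accidental corruption; for an integrity check that survives a compromised device, the reference (a vendor-published digest or a signature verified with a public key whose private half never leaves the vendor) has to come from outside the device.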
The malware contains a hard-coded RSA public key, which is used for C2 communications, as well as a hard-coded RSA private key and an X.509 certificate. The latter two do not appear to be used in the samples analyzed by UK officials, suggesting they are intended for a separate module.
Cyclops Blink uses the OpenSSL cryptography library to encrypt each message individually, as a second layer underneath the encryption that TLS already provides for the connection.
Wednesday’s notice stated:
Each time the malware beacons, it randomly selects a destination from the current list of C2 server IPv4 addresses and the hard-coded list of C2 ports. Beacons consist of queued messages containing data from running modules. Each message is individually encrypted using AES-256-CBC. The OpenSSL EVP_SealInit function is used to randomly generate the encryption key and IV for each message and then encrypt them using the hard-coded RSA public key. The OpenSSL RSA_public_decrypt function is used to decrypt tasks, received in response to beacons, using the hard-coded RSA public key.
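The beacon and tasking scheme the advisory describes, as an added example in Go; this is neither the implant's code nor OpenSSL's. It reproduces the structure the quote gives: a fresh AES-256-CBC key and IV per message, the key wrapped with the hard-coded RSA public key using PKCS#1 v1.5 as EVP_SealInit does, and tasks produced with the operator's private key that the implant recovers with RSA_public_decrypt. The key pair, the message contents and the Envelope type are constructed; Go exposes no raw RSA primitive, so the private-encrypt/public-decrypt pair is modelled with math/big (not constant-time, fine for illustration). The example also makes explicit a consequence the quote leaves implicit: because tasks are recovered with the public key that every sample carries, anyone who extracts that key can read every task the C2 sends. This layer authenticates the operator to the implant and hides beacon contents from anyone without the private key, but it does not keep tasking secret from analysts; that confidentiality rests on the TLS layer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"math/big"
)

// Envelope is one beacon message: what OpenSSL's EVP_SealInit produces for a single recipient key.
type Envelope struct {
	WrappedKey []byte // RSA PKCS#1 v1.5 encryption of the 32-byte AES key
	IV         []byte // 16 random bytes, sent in the clear
	Ciphertext []byte // AES-256-CBC over the PKCS#7-padded message
}

// NewDemoKey stands in for the operator's key pair; the implant only ever holds the public half.
func NewDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) { // caller guarantees len(b) is a non-zero multiple of the block size
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// SealBeacon is the implant side. Anyone holding the public key can build a valid
// envelope, so this layer gives the C2 no proof of which client sent it.
func SealBeacon(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	buf := make([]byte, 32+aes.BlockSize) // fresh key and IV for every message
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := pad(msg)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	return &Envelope{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// OpenBeacon is the C2 side (EVP_OpenInit): only the private-key holder can read beacons.
func OpenBeacon(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptPKCS1v15(rand.Reader, priv, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(env.IV) != aes.BlockSize || len(env.Ciphertext) == 0 || len(env.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("bad envelope")
	}
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Ciphertext)
	return unpad(pt)
}

// PrivateEncrypt models RSA_private_encrypt on the C2: PKCS#1 v1.5 type-1
// padding (00 01 FF..FF 00 || task) followed by a raw private-key operation.
func PrivateEncrypt(priv *rsa.PrivateKey, task []byte) ([]byte, error) {
	k := priv.Size()
	if len(task) > k-11 {
		return nil, errors.New("task too long")
	}
	em := make([]byte, k)
	em[1] = 1
	for i := 2; i < k-len(task)-1; i++ {
		em[i] = 0xff
	}
	copy(em[k-len(task):], task)
	m := new(big.Int).SetBytes(em)
	return m.Exp(m, priv.D, priv.N).FillBytes(make([]byte, k)), nil
}

// PublicDecrypt models RSA_public_decrypt on the implant: the padding check is the only
// thing that proves the blob came from the private-key holder, and the public key suffices to read it.
func PublicDecrypt(pub *rsa.PublicKey, blob []byte) ([]byte, error) {
	k := pub.Size()
	c := new(big.Int).SetBytes(blob)
	em := c.Exp(c, big.NewInt(int64(pub.E)), pub.N).FillBytes(make([]byte, k))
	i := 2
	for i < k && em[i] == 0xff {
		i++
	}
	if em[0] != 0 || em[1] != 1 || i < 10 || i >= k || em[i] != 0 {
		return nil, errors.New("bad padding")
	}
	return em[i+1:], nil
}
```

For an analyst, the asymmetry is the useful part: with the public key pulled from a sample, PublicDecrypt recovers every task observed on the wire once the TLS layer is stripped (for example on a compromised relay), while OpenBeacon remains impossible without the operator's private key. A tampered or differently keyed task fails the padding check, which is what gives the implant its assurance that tasking came from Sandworm.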
Another new stealth measure is the use of the Tor anonymity network: Sandworm reaches the malware's command-and-control layer through Tor, hiding the operators' own IP addresses. British officials wrote:
Victim devices are organized into clusters and each Cyclops Blink deployment has a list of IP addresses and command and control (C2) ports it uses (T1008). All C2 IP addresses known to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected by Transport Layer Security (TLS) (T1071.001), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer via the Tor network: