September 22, 2022

US and UK expose new Russian malware targeting network devices

  • NCSC, FBI, CISA and NSA release report on new Cyclops Blink malware.
  • US and UK agencies said the malware was developed by Sandworm, a cyber unit of Russia’s GRU military intelligence service.
  • Officials said the malware has been targeting WatchGuard Firebox firewalls since at least June 2019.

The US and UK governments today released a joint report detailing a new strain of malware developed by Russia’s military cyber unit that had been deployed in the wild since 2019 and used to compromise home and business network devices.

Agencies including the UK's National Cyber Security Centre (NCSC), the US Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US National Security Agency (NSA) contributed to the joint report [PDF] with a technical analysis of the new malware, which they named Cyclops Blink.

Officials said they first saw the malware deployed in the wild in June 2019, and that it was detected primarily targeting WatchGuard Firebox firewalls, but they do not rule out the possibility that it also infects other types of network equipment.

UK and US officials said the malware was developed by a threat actor known as Sandworm, previously linked to a cyber unit of the GRU, Russia's military intelligence service.

Officials described Cyclops Blink as “professionally developed” and said the malware uses a modular structure that allows its operators to deploy second-stage payloads to infected devices.

Details on how the malware is deployed on infected systems and the capabilities of its second-stage modules are not included in the report, but in its own security advisory on the matter, WatchGuard said it believes the attackers used a vulnerability in older Firebox firmware as an entry point, a vulnerability the company patched in May 2021.

VPNFilter replacement?

US and UK officials said they believe the Sandworm group developed Cyclops Blink to replace the botnet previously built with the older VPNFilter malware, a botnet the FBI dismantled at the end of May 2018.

At the time, US officials and security firms said Russian state-sponsored hackers were preparing to use the VPNFilter botnet to launch DDoS attacks in hopes of disrupting the IT infrastructure of the 2018 UEFA Champions League final, which was to take place that year in Kyiv, Ukraine.

The timing of today's joint Cyclops Blink report is no accident and comes as Russia is days away from sending troops into Ukraine, an operation that many security experts say will be accompanied by cyberattacks aimed at disrupting Ukraine's IT infrastructure.

While it is unclear whether Cyclops Blink will play a role in these possible attacks, US and UK officials felt this was an opportune time to expose the Cyclops Blink botnet, as a way to limit its usefulness to Russian military intelligence.

The report contains technical details that cybersecurity companies can use to create detection rules for Cyclops Blink activity.

Since the malware also burrows deep into a device's firmware, a simple device restart or factory reset will not remove it from infected firewalls. To address this, WatchGuard has published tools to detect the malware on its devices and steps for cleaning up compromised systems.

According to Nate Warfield, Chief Technology Officer of the cybersecurity company Prevailion, there are over 25,000 WatchGuard Firebox firewalls currently connected to the Internet. WatchGuard estimated the share of infected systems at around 1%, which would put the size of the botnet at around 250 devices.

However, only about a dozen of these 25,000 systems are located in Ukraine, which means they cannot be used by Sandworm operators to pivot into the internal networks of many Ukrainian companies; but that does not mean the other Cyclops Blink-infected devices cannot be used for other types of operations, such as DDoS attacks.

Coincidentally, the joint report came out just as several Ukrainian government sites were under DDoS attack, but there is no evidence that Cyclops Blink played a role in these attacks or that it could even carry out such operations.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant inside scoop on new vulnerabilities, cyberattacks and law enforcement actions against hackers.