Several international security agencies and the manufacturer WatchGuard are warning of the Cyclops Blink botnet operated by the Russian state cyber gang Sandworm, also known as Voodoo Bear. Cyclops Blink has now replaced the VPNFilter botnet and infiltrates WatchGuard firewalls. The compromised devices serve the attackers, among other things, as command and control servers (C2), but also as drones in botnets.
WatchGuard has provided a guide and tools that allow administrators to detect and remove infections. The manufacturer estimates that up to one percent of all WatchGuard firewalls are affected. However, unlike in the default configuration, these devices must have unrestricted management access from the Internet enabled, which is what makes the malware infection possible. The manufacturer emphasizes that there are no known cases in which customer or WatchGuard data has been leaked after an infection.
State cyber gang
The US security agency CISA provides more information. Together with the UK's National Cyber Security Centre (NCSC), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), it found that the Sandworm (Voodoo Bear) group converted VPNFilter into the Cyclops Blink malware. Sandworm is associated with the GRU, the Russian military intelligence service. According to CISA, the group is credited with cyber attacks on Ukraine's electricity supply in 2015 and with Industroyer in 2016 (one-hour power outages in parts of Kiev), the NotPetya malware in 2017, attacks on the 2018 Winter Olympics and Paralympics in Korea, and cyber attacks in Georgia in 2019.
At various times, VPNFilter infected about 500,000 routers and NAS devices, mostly SOHO models. The affected equipment was mainly located in Ukraine, but about 30,000 devices were also affected in Germany. Cyclops Blink, a modular malware framework, has been in use since June 2019. It is mainly found on WatchGuard devices, but Sandworm may also compile it for other routers and firmware, CISA warns in its security advisory.
The malware is advanced and modular. Its core functions include transmitting device information to a control server and downloading and executing additional files. In addition, new modules can be loaded while the malware is running, allowing Sandworm to add further capabilities as needed. After infection, the malware installs itself in the form of a firmware update in order to survive a reboot.
Communication within the botnet is secured with TLS using separate keys and certificates. Sandworm controls the drones by contacting the command and control servers through the Tor network.
Act quickly
In addition to WatchGuard's guidance, the NCSC also provides a malware analysis overview with a list of indicators of compromise (IoC). WatchGuard firewall administrators should act promptly in the wake of the Russian attack on Ukraine, verify whether unrestricted management access from the Internet has been enabled, and check whether their own firewall has been compromised. Administrators should immediately remove any infection according to WatchGuard's removal instructions.