{"id":2174,"date":"2022-03-02T23:56:15","date_gmt":"2022-03-03T06:56:15","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=2174"},"modified":"2022-03-03T00:00:02","modified_gmt":"2022-03-03T07:00:02","slug":"cyclops-blink","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/03\/02\/cyclops-blink\/","title":{"rendered":"Cyclops Blink: U.S. and U.K. Authorities warn about Russian Malware"},"content":{"rendered":"\n<p>Cyclops Blink is malware developed by the Sandworm Group that sets up a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Botnet\" data-type=\"URL\" data-id=\"https:\/\/en.wikipedia.org\/wiki\/Botnet\" target=\"_blank\" rel=\"noreferrer noopener\">botnet<\/a> by attacking network devices. It is the more advanced framework that the group, which is affiliated with the Russian government, deployed in June 2019 after its VPNFilter malware was exposed. Cyclops Blink mostly targeted network devices made by WatchGuard (a network security vendor), but the Sandworm Group is considered capable of adapting the malware to other architectures and firmware.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"512\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/cyclops_blink-1024x512.jpg\" alt=\"\" class=\"wp-image-2280 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/cyclops_blink-1024x512.jpg 1024w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/cyclops_blink-300x150.jpg 300w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/cyclops_blink-768x384.jpg 768w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/cyclops_blink-1536x768.jpg 1536w, 
https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/cyclops_blink-1568x784.jpg 1568w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/cyclops_blink.jpg 1600w\" data-sizes=\"(max-width: 1024px) 100vw, 1024px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/512;\" \/><figcaption>Cyclops Blink<sup>5<\/sup><\/figcaption><\/figure>\n\n\n\n<p><strong>Who are the Sandworm Group?<\/strong><\/p>\n\n\n\n<p>The <a href=\"https:\/\/attack.mitre.org\/groups\/G0034\/\" data-type=\"URL\" data-id=\"https:\/\/attack.mitre.org\/groups\/G0034\/\" target=\"_blank\" rel=\"noreferrer noopener\">Sandworm Group<\/a>, also known as Voodoo Bear, is a hacker group that is considered to be working for the Russian government. The group has been active since at least 2008 and is known to target Ukrainian companies and government agencies. One of its most notorious operations was the <a href=\"https:\/\/attack.mitre.org\/software\/S0089\/\" data-type=\"URL\" data-id=\"https:\/\/attack.mitre.org\/software\/S0089\/\" target=\"_blank\" rel=\"noreferrer noopener\">BlackEnergy disruption<\/a> in 2015, in which it targeted electrical utilities in Ukraine, destroying entire networks and causing power outages. 
Furthermore, right before the recent Russian invasion of Ukraine, the group attacked multiple Ukrainian bank and government websites with <a href=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack#Distributed_attack\" data-type=\"URL\" data-id=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack#Distributed_attack\" target=\"_blank\" rel=\"noreferrer noopener\">Distributed Denial of Service (DDoS)<\/a> attacks, leading to approximately 70 websites crashing and the Ukrainian IT infrastructure being compromised.<\/p>\n\n\n\n<p><strong>History of Cyclops Blink<\/strong><\/p>\n\n\n\n<p>Before deploying Cyclops Blink, the Sandworm Group was using the so-called VPNFilter malware, which was exposed in 2018 by Cisco. VPNFilter attacked small office\/home office (SOHO) network devices and network-attached storage (NAS) and enabled monitoring of the Modbus SCADA protocol, which is often seen in the Sandworm Group\u2019s attacks. The malware had no specific target apart from a spike in activity in Ukraine in May 2018, and ever since its exposure the activity has significantly decreased as the group started focusing on the development of the newer framework, Cyclops Blink.<\/p>\n\n\n\n<p><strong>How is Cyclops Blink distributed?<\/strong><\/p>\n\n\n\n<p>Cyclops Blink is installed as a fake firmware update and thereby persists across reboots and legitimate firmware updates; once installed, extra steps are therefore necessary to remove the malware. The (most commonly targeted) WatchGuard appliances are only vulnerable if they were manually configured to allow unrestricted management from across the internet. This always poses a security risk and is therefore disabled in the default settings. 
WatchGuard published guidance on its website on how to detect and remove the malware and patched the vulnerability in May 2021, after an estimated 1% of its devices were affected.<\/p>\n\n\n\n<p><strong>What does it do?<\/strong><\/p>\n\n\n\n<p>Once installed, Cyclops Blink can download and execute files using the Linux API (Unix shell), and in order to remain undetected the program poses as a Linux kernel thread process. The malware can also add new modules while it is running, which allows additional capability to be implemented at runtime as needed. Furthermore, the infiltrated device itself might not be the main target of the attack but can be used to conduct attacks on others.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"722\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/Screenshot-from-2022-03-02-23-33-40-1024x722.png\" alt=\"\" class=\"wp-image-2279 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/Screenshot-from-2022-03-02-23-33-40-1024x722.png 1024w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/Screenshot-from-2022-03-02-23-33-40-300x211.png 300w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/Screenshot-from-2022-03-02-23-33-40-768x541.png 768w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/Screenshot-from-2022-03-02-23-33-40.png 1122w\" data-sizes=\"(max-width: 1024px) 100vw, 1024px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/722;\" \/><figcaption>The client clusters communicate with the C2 layer, which is contacted by the Sandworm Group through the Tor Browser. 
<sup>4<\/sup><\/figcaption><\/figure>\n\n\n\n<p>The affected devices are organized into clusters, and each device has a list of IPv4 addresses and port numbers for <a href=\"https:\/\/attack.mitre.org\/techniques\/T1041\/\" data-type=\"URL\" data-id=\"https:\/\/attack.mitre.org\/techniques\/T1041\/\" target=\"_blank\" rel=\"noreferrer noopener\">command and control (C2)<\/a> communication. The device randomly selects a C2 server from the list and beacons device information to the server; this communication is enabled by a modification of the Linux system firewall. Communication between the clients and servers is protected by <a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\" data-type=\"URL\" data-id=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\" target=\"_blank\">Transport Layer Security (TLS)<\/a> with individual keys and certificates, which are encrypted with AES-256-CBC. The Sandworm Group then manages the botnet by connecting to the C2 server layer through the Tor network.<\/p>\n\n\n\n<p>With the current geopolitical situation in Ukraine, this is an important topic to watch, as the importance of cyberwarfare has increased significantly in recent years and similar attacks are likely to happen more often. 
Heightened awareness is strongly recommended!<\/p>\n\n\n\n<p>References:<br>[1] https:\/\/blog.malwarebytes.com\/threat-spotlight\/2022\/02\/cyclops-blink-malware-us-and-uk-authorities-issue-alert\/<br>[2] https:\/\/www.watchguard.com\/wgrd-news\/blog\/important-detection-and-remediation-actions-cyclops-blink-state-sponsored-botnet<br>[3] https:\/\/www.ncsc.gov.uk\/files\/Cyclops-Blink-Malware-Analysis-Report.pdf<br>[4] https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf<br>[5] http:\/\/blog.talosintelligence.com\/2022\/02\/threat-advisory-cyclops-blink.html<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cyclops Blink is a malware developed by the Sandworm Group that sets up a botnet by attacking Network Devices. It is the more advanced framework the group, that is affiliated with the Russian Government, deployed in June 2019 after their VPNFilter malware got exposed. Cyclops Blink mostly targeted network devices by WatchGuard (a network security &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/03\/02\/cyclops-blink\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Cyclops Blink: U.S. and U.K. 
Authorities warn about Russian Malware&#8221;<\/span><\/a><\/p>\n","protected":false},"author":293,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[15],"tags":[43,44,39,45,40],"class_list":["post-2174","post","type-post","status-publish","format-standard","hentry","category-cpsc-329-602-w22","tag-botnet","tag-malware","tag-russia","tag-sandworm","tag-ukraine","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Louis Kunstmann","author_link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/author\/louis-kunstmann\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/users\/293"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/comments?post=2174"}],"version-history":[{"count":4,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2174\/revisions"}],"predecessor-version":[{"id":2284,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2174\/revisions\/2284"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/media?parent=2174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/categories?post=2174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/tags?post=2174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}