May 28, 2023

US and UK cybersecurity and law enforcement agencies published a joint security advisory about a new malware, dubbed Cyclops Blink, that has been linked to the Russian-backed Sandworm APT group

Sandworm has been active nearly two decades, operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies . The author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.

Advertisements

Cyclops Blink is believed to be a replacement for the VPNFilter botnet,  targets WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices.

Cyclops Blink is sophisticated malware with a modular structure. It supports functionality to add new modules at run-time allowing Sandworm operators to implement additional capability as required.

The malware leverages the firmware update process to achieve persistence. The malware manages clusters of victims, and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses.

Cyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organizations should therefore take steps to remove the malware, WatchGuard has worked closely with the FBI, CISA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process.

Advertisements

Indicators of Compromise

  • 100.43.220[.]234
  • 96.80.68[.]193
  • 188.152.254[.]170
  • 208.81.37[.]50
  • 70.62.153[.]174
  • 2.230.110[.]137
  • 90.63.245[.]175
  • 212.103.208[.]182
  • 50.255.126[.]65
  • 78.134.89[.]167
  • 81.4.177[.]118
  • 24.199.247[.]222
  • 37.99.163[.]162
  • 37.71.147[.]186
  • 105.159.248[.]137
  • 80.155.38[.]210
  • 217.57.80[.]18
  • 151.0.169[.]250
  • 212.202.147[.]10
  • 212.234.179[.]113
  • 185.82.169[.]99
  • 93.51.177[.]66
  • 80.15.113[.]188
  • 80.153.75[.]103
  • 109.192.30[.]125
  • 3adf9a59743bc5d8399f67cab5eb2daf28b9b863
  • c59bc17659daca1b1ce65b6af077f86a648ad8a8
  • 7d61c0dd0cd901221a9dff9df09bb90810754f10
  • 438cd40caca70cafe5ca436b36ef7d3a6321e858
Tags:

1 thought on “Cyclops Blink Malware Linked to Russia

  1. Pingback: Cyclops Seen targeting ASUS - TheCyberThrone

Leave a Reply

Related Post

CrowdStrike strategy dominates MDR Market

CrowdStrike strategy dominates MDR Market

May 28, 2023
Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023

You may have missed

CrowdStrike strategy dominates MDR Market

CrowdStrike strategy dominates MDR Market

May 28, 2023
TheCyberThrone Security Week In Review–May 27, 2023

TheCyberThrone Security Week In Review–May 27, 2023

May 28, 2023
Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
Apria Data Breach affects 2 million customers

Apria Data Breach affects 2 million customers

May 27, 2023
CosmicEnergy Malware Shutting Electric grid

CosmicEnergy Malware Shutting Electric grid

May 27, 2023
Operation Magalenha from Brazil

Operation Magalenha from Brazil

May 27, 2023
%d bloggers like this: