US and UK cybersecurity and law enforcement agencies have published a joint security advisory about a new malware strain, dubbed Cyclops Blink, that has been linked to the Russian-backed Sandworm APT group.
Sandworm has been active for nearly two decades and operates under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies. The group authored NotPetya, the destructive wiper disguised as ransomware that hit hundreds of companies worldwide in June 2017 and caused billions of dollars in damage.
Cyclops Blink is believed to be a replacement for the VPNFilter botnet and targets WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices.
Cyclops Blink is sophisticated malware with a modular structure. It supports functionality to add new modules at run-time allowing Sandworm operators to implement additional capability as required.
The malware leverages the firmware update process to achieve persistence. Victims are managed in clusters, and each deployment of Cyclops Blink carries its own list of command and control (C2) IP addresses and ports.
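Because each deployment carries its own C2 list, the first practical check once an IoC list is published is to match the appliance's own outbound connections against it. The following is an added example written for this page, not tooling from the advisory or from WatchGuard: the C2 addresses are constructed placeholders from the RFC 5737 documentation ranges (not real Cyclops Blink indicators), the log lines are constructed, and the `src=ip:port dst=ip:port` record format is an assumed generic egress log layout that you would adapt to your router or NetFlow export.

```python
import re

# Constructed placeholder C2 list (RFC 5737 documentation addresses, NOT real IoCs).
# Replace with the (ip, port) pairs from the published advisory.
C2_IOCS = {
    ("198.51.100.7", 636),
    ("203.0.113.42", 989),
}

# Assumed generic egress record: "<timestamp> src=<ip>:<port> dst=<ip>:<port> proto=tcp"
LOG_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def find_c2_hits(lines, device_ips, iocs=C2_IOCS, match_port=True):
    """Return (line_no, src, dst, dport) for outbound flows from a monitored
    device to a known C2 endpoint.

    device_ips restricts matching to traffic that originates from the firewall
    or SOHO appliance itself: Cyclops Blink runs on the device, not on hosts
    behind it, so a hit from an internal workstation is a different problem.
    With match_port=False any flow to a C2 IP is reported regardless of port,
    which is the looser sweep to run when a deployment may use ports not yet
    listed in the advisory.
    """
    c2_ips = {ip for ip, _ in iocs}
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not an egress record we understand; skip rather than fail
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if src not in device_ips:
            continue
        if (dst, dport) in iocs or (not match_port and dst in c2_ips):
            hits.append((n, src, dst, dport))
    return hits


# Constructed sample log: the appliance is 192.0.2.1, an internal host is 10.0.0.25.
SAMPLE_LOG = [
    "2022-02-24T10:01:02Z src=192.0.2.1:51234 dst=198.51.100.7:636 proto=tcp",   # device -> C2 ip:port
    "2022-02-24T10:01:05Z src=192.0.2.1:51235 dst=198.51.100.7:443 proto=tcp",   # device -> C2 ip, other port
    "2022-02-24T10:02:00Z src=10.0.0.25:40000 dst=203.0.113.42:989 proto=tcp",   # internal host, not the device
    "2022-02-24T10:03:00Z src=192.0.2.1:51236 dst=203.0.113.42:989 proto=tcp",   # device -> C2 ip:port
    "2022-02-24T10:03:01Z kernel: link state change on eth0",                    # unrelated line
]

if __name__ == "__main__":
    for n, src, dst, dport in find_c2_hits(SAMPLE_LOG, {"192.0.2.1"}):
        print(f"line {n}: {src} -> {dst}:{dport} matches C2 list")
```

Run the strict match first; if it is clean, rerun with `match_port=False` and review every flow from the appliance to a C2 address by hand, since a miss on port alone should not be taken as a clean result.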
Because Cyclops Blink survives both reboots and the legitimate firmware update process, a standard firmware upgrade will not remove it, and affected organizations must take dedicated steps to do so. WatchGuard has worked closely with the FBI, CISA and the NCSC, and has provided tooling and guidance to detect and remove Cyclops Blink from WatchGuard devices through a non-standard upgrade process.
Indicators of Compromise