The US, UK Agencies Warn of Russian Hacker’s Botnet of Firewalls

Russian Hackers

‘Cyclops Blink’ has been attributed to the Russian hacker’s group deployed for attacks

The UK and the US Intelligence agencies disclosed details of a new botnet malware called ‘Cyclops Blink’ that has been attributed to the Russian hacker’s group, deployed for attacks. Botnet means a collection of an infected and controlled system for malicious purposes. That infected device zombie and hundreds or thousands of collections of zombie computers.

Cyclops Blink is a large-scale modular malware framework that for now affects only WatchGuard network devices. It appears to be a replacement framework for the VPNFilter malware. Joint National Cyber ​​Security Centre, Cybersecurity and Infrastructure Security Agency advisory attributes a dangerous malware, dubbed Cyclops Blink, to Russia’s Sandworm APT, likely a GRU unit, with WatchGuard users at particular risk.

Raising Alarms about Cyclops Blink

National Cyber ​​Security Centre, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation formed a joint government advisory to compete for a botnet of firewalls.

Sandworm is assigned to a highly advanced adversary operating out of Russia. The hacking group has displayed a particular focus on targeting entities in Ukraine and is alleged to be behind the Ukrainian energy sector attacks that caused widespread power outages. An analysis identified residual infections remaining on thousands of networks years after VPNFilter, even as the Sandworm actor simultaneously opted to retool the malware in response to public disclosures. It remains unclear whether Sandworm has been hacking network devices for purposes of espionage, building out its network of hacked machines to use as communications infrastructure for future operations, or targeting networks for disruptive cyberattacks.

Cyclops Blink is believed to have been in action, primarily setting its eyes on WatchGuard firewall devices, although the agencies said that the malware could be repurposed to strike other architectures and firmware. CISA and the NCSC both describe the Cyclops Blink malware as a successor to an earlier Sandworm tool known as VPNFilter. Cyclops Blink has been used widely against targets of interest to Russia, so far just against WatchGuard devices

WatchGuard, in an independent bulletin, called it a state-sponsored botnet that leveraged a previously identified security vulnerability in the Firebox firmware as the initial access vector. Watchguard writes that the hackers were able to infect its devices via a vulnerability, which even before then would have only offered an opening when a control interface for the devices was exposed to the internet. The hackers also appear to have used a vulnerability in how Watchguard devices verify the legitimacy of firmware updates, downloading their firmware to the firewall devices and installing it so that their malware can survive reboots

Based on current estimates, A WatchGuard spokesperson said Cyclops Blink may have affected approximately 1% of active WatchGuard firewall appliances and no other WatchGuard products are affected. the company said. “Only those appliances that had been configured to have management open to the Internet are vulnerable to Cyclops Blink. There is no evidence of data filtered from WatchGuard or its customers. WatchGuard network has not been affected or breached.

John Hultquist, who assisted in the Cyclops Blink investigation, said Sandworm was a very concerning group given its previous track record of malicious activity. No other Russian actor has been so brazen and successful in disrupting critical infrastructure in Ukraine and elsewhere. The findings come as Russia formally launched a full-scale military operation to invade Ukraine, just as its IT infrastructure was crippled by a string of data wiper and distributed denial-of-service attacks. this disclosure will better enable us to defend against this threat actor as relations between Russia and others deteriorate and the likelihood of cyberattacks beyond Ukraine continues to grow.

Share This Article

Do the sharing thingy

About Author

More info about author


Leave a Reply

Your email address will not be published.

Back to top