Feds take down Kremlin-backed Cyclops Blink botnet

Control systems scrubbed, hijacked network devices need to be patched and cleaned

The US Justice Department today revealed details of a court-authorized take-down of command-and-control systems the Sandworm cyber-crime ring used to direct network devices infected by its Cyclops Blink malware.

The move follows a joint security alert in February from US and UK law enforcement that warned of WatchGuard firewalls and ASUS routers being compromised to run Cyclops Blink. This botnet malware – technical breakdown here [PDF] – allows the equipment to be remote controlled to carry out attacks on behalf of its masterminds.

Previously, Uncle Sam said the Sandworm crew worked for the Russian Federation's GRU espionage nerve-center, which handles foreign intel operations. 

"This court-authorized removal of malware deployed by the Russian GRU demonstrates the department's commitment to disrupt nation-state hacking using all of the legal tools at our disposal," said Assistant Attorney General Matthew Olsen of the Justice Department's National Security Division.

"By working closely with WatchGuard and other government agencies in this country and the UK to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country's cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes."

During the March 22 court-authorized operation, the Feds removed malicious code from "thousands" of firewall appliances that Sandworm compromised to act as command-and-control systems (C2) for the Cyclops Blink botnet. This cut off communications between the cyber-crew and their bots on infected equipment.

The operation did not, however, access the remote-control Cyclops Blink malware on thousands of individual devices worldwide. The Feds took note of the C2 devices' serial numbers using an automated script, and a copy of the malicious code. Agents "did not search for or collect other information from the relevant victim networks," according to the Justice Department.

The operation also did not involve any FBI communications with bot devices, the Feds added.

On February 23, the UK National Cyber Security Centre and several US agencies, including CISA, the FBI and the NSA, released an advisory identifying Cyclops Blink, which the organizations said looked to be Sandworm's replacement for VPNFilter.

As readers likely remember, VPNFilter was the 2018 software nasty that targeted routers and storage devices. And Sandworm is the crew that carried out several high-profile attacks including the 2015 and 2016 cyber-assaults on Ukraine's electrical grid, NotPetya in 2017, and the French presidential campaign email leak that same year.

In the joint February alert, the agencies noted that Cyclops Blink targeted WatchGuard and ASUS hardware. Because these devices usually sit on the perimeter of a victim's network, they give Sandworm the ability to conduct all manner of malicious activity, such as espionage or deploying more destructive malware, against computers within those networks.

An additional alert by Trend Micro suggested Cyclops Blink was an attempt to turn these compromised devices into C2 servers for future attacks.

The same day as the governments' security advisory, WatchGuard released detection and remediation tools for its devices and recommended customers deploy the tools immediately to remove any remote-control malware. Shortly after, ASUS released its own guidance. According to the Justice Department, by mid-March, a majority of the compromised appliances were still infected with Cyclops Blink.

These WatchGuard and ASUS devices that acted as bots need to be patched and cleaned of malicious code.

"The department strongly encourages network defenders and device owners to review the February 23 advisory and WatchGuard and ASUS releases," the Feds advised. ®

