Russian cybergang: Cyclops Blink botnet hits WatchGuard firewalls


Several international security agencies and the manufacturer WatchGuard are warning about the Cyclops Blink botnet, operated by the Russian state-sponsored cyber gang Sandworm, also known as Voodoo Bear. Cyclops Blink has replaced the VPNFilter botnet and is used to hack WatchGuard firewalls. The compromised devices serve the attackers, among other things, as command and control (C2) servers, but also as drones in the botnet.

WatchGuard has provided a guide, including tools, that administrators can use to detect and eliminate infections. The manufacturer estimates that up to one percent of all WatchGuard firewalls have been affected. However, for an infection to be possible, these devices must have had unrestricted administration access from the Internet enabled, which is not the default configuration. The manufacturer confirms that there are no known cases of data leaks from customers or from WatchGuard itself following an infection.

CISA provides more information. Together with the UK's National Cyber Security Centre (NCSC), the National Security Agency (NSA) and the FBI, it determined that the Sandworm group (Voodoo Bear) turned VPNFilter into the Cyclops Blink malware. Sandworm is linked to the GRU, the Russian military intelligence service. According to CISA, the group is credited with cyber attacks on the Ukrainian power supply in 2015 and Industroyer in 2016 (one-hour power outages in parts of Kiev), the NotPetya malware in 2017, attacks on the 2018 Winter Olympics and Paralympic Games in Korea, and cyberattacks in Georgia in 2019.

At times, VPNFilter had infected about 500,000 routers and NAS devices, mostly SOHO models. Appliances in Ukraine were affected most, but about 30,000 in Germany were hit as well. Cyclops Blink, a modular malware framework, has been in use since June 2019. It is found primarily on WatchGuard devices. CISA warns in a security advisory that Sandworm may also build it for other routers and firmware.


The malware is advanced and modular. Basic functions include, for example, transmitting device information to a control server and downloading and executing additional files. In addition, new modules can be loaded while the malware is running, allowing Sandworm to add further capabilities as needed. After infection, the malware installs itself as a firmware update so that it survives a reboot.

Communication within the botnet is secured by TLS with individual keys and certificates. Sandworm controls the drones by connecting to the command and control servers via the Tor network.

In addition to WatchGuard, the NCSC also provides a malware overview with a list of infection signals (indicators of compromise, IOCs). Given the Russian attack on Ukraine, WatchGuard firewall administrators should act quickly: check whether unrestricted administration from the Internet is enabled and whether their firewall has been compromised. Any infection must then be removed immediately, following WatchGuard's instructions.
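The two checks the article asks administrators to perform, exposed management access and a match against the published indicators, can be scripted. The following is an added example written for this page, not WatchGuard's or the NCSC's tooling. It assumes a simplified rule table in which the firewall itself is addressed by the alias "Firebox" and the Internet-facing interface by "Any-External", a constructed connection-log format, and placeholder IoC networks; the real IoC list must be taken from the WatchGuard and NCSC advisories.

```python
"""Defender-side triage helpers (example code, not vendor tooling):
1. flag firewall policies that expose device management to the Internet;
2. match connection log lines against an IoC list and classify direction.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Constructed placeholder IoCs (RFC 5737 documentation ranges); replace with
# the networks published in the vendor / NCSC advisories.
IOC_C2_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.42/32")]

# Constructed policy table approximating a firewall rule set. Alias names are
# assumptions for this example: "Firebox" = the device itself,
# "Any-External" = anything arriving on the Internet-facing interface.
POLICIES: List[Dict] = [
    {"name": "Web-UI-Internal", "from": ["Any-Trusted"], "to": "Firebox", "enabled": True},
    {"name": "Remote-Admin", "from": ["Any-External"], "to": "Firebox", "enabled": True},
    {"name": "Old-Admin", "from": ["Any-External"], "to": "Firebox", "enabled": False},
    {"name": "HTTPS-Out", "from": ["Any-Trusted"], "to": "Any-External", "enabled": True},
]


def exposed_management_policies(policies: Iterable[Dict],
                                mgmt_alias: str = "Firebox",
                                internet_alias: str = "Any-External") -> List[str]:
    """Return names of enabled policies that let Internet sources reach the
    management interface: the precondition the article names for infection."""
    return [p["name"] for p in policies
            if p["enabled"] and p["to"] == mgmt_alias and internet_alias in p["from"]]


# Constructed log format: <timestamp> <host> <Allow|Deny> <src> <dst> <port>/<proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>Allow|Deny) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<port>\d+)/(?P<proto>\w+)$")

SAMPLE_LOG = [  # constructed lines; 192.0.2.10 plays the firewall's own external IP
    "2022-03-01T10:00:00Z fw01 Allow 192.0.2.10 203.0.113.17 443/tcp",   # firewall -> IoC
    "2022-03-01T10:00:05Z fw01 Allow 10.0.0.5 203.0.113.17 443/tcp",     # LAN host -> IoC
    "2022-03-01T10:01:00Z fw01 Allow 192.0.2.10 192.0.2.200 443/tcp",    # benign
    "2022-03-01T10:02:00Z fw01 Deny 198.51.100.42 192.0.2.10 8080/tcp",  # IoC -> firewall
]


def _in_iocs(addr: ipaddress.IPv4Address, iocs) -> bool:
    return any(addr in net for net in iocs)


def ioc_hits(lines: Iterable[str], firewall_ips: Set[str], iocs=IOC_C2_NETWORKS) -> List[Dict]:
    """Return every parsed line whose source or destination falls in an IoC
    network, tagged with its direction relative to the firewall. Traffic the
    firewall itself originates towards C2 is the strongest signal, since the
    implant runs on the device; transit hits still deserve a look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the triage run
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if not (_in_iocs(src, iocs) or _in_iocs(dst, iocs)):
            continue
        if str(src) in firewall_ips:
            direction = "outbound"   # device itself talking to C2
        elif str(dst) in firewall_ips:
            direction = "inbound"    # C2 infrastructure contacting the device
        else:
            direction = "transit"    # traffic through the firewall
        hits.append({"ts": m["ts"], "action": m["action"], "src": str(src),
                     "dst": str(dst), "port": int(m["port"]), "direction": direction})
    return hits


def triage(policies=POLICIES, log_lines=SAMPLE_LOG, firewall_ips={"192.0.2.10"}) -> Dict:
    """Bundle both checks into one report for the administrator."""
    return {"exposed_policies": exposed_management_policies(policies),
            "ioc_hits": ioc_hits(log_lines, firewall_ips)}


if __name__ == "__main__":
    report = triage()
    print("Policies exposing management to the Internet:", report["exposed_policies"])
    for h in report["ioc_hits"]:
        print(f"{h['ts']} {h['direction']:8s} {h['src']} -> {h['dst']}:{h['port']} ({h['action']})")
```

On the constructed data the script flags the enabled "Remote-Admin" policy and three IoC hits, of which the outbound one from the firewall's own address is the one that should trigger the vendor's removal procedure. A disabled policy is not reported, because only an active rule creates the exposure the article describes.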
