New Malware in Russia-Linked Sandworm's Portfolio
CISA, NCSC on 'Cyclops Blink'; Also, Group's Tactics, Techniques and Procedures
Russia-linked threat actor Sandworm, aka Voodoo Bear, has been found using a new strain of malware, dubbed Cyclops Blink. Law enforcement and intelligence agencies in the U.S. and the U.K. have shared details of the malware, as well as information on the tactics, techniques and procedures and the indicators of compromise associated with the threat group.
The advisory from the U.S. and U.K. agencies says Cyclops Blink is a malicious Linux ELF executable (ELF being the standard binary format for executables on Linux systems).
The malware, which has been active since June 2019, affects small office/home office, or SOHO, network devices, especially those from network security vendor WatchGuard, the advisory says. It cites analysis by the U.K. National Cyber Security Centre and, in the U.S., the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation.
The advisory says it is likely that the threat actor is "capable of compiling the malware for other architectures and firmware."
The threat group, which is linked to the Main Center for Special Technologies of Russia's military intelligence agency, the Main Intelligence Directorate of the General Staff, has likely introduced Cyclops Blink as a replacement for the VPNFilter malware, which was exposed by the FBI in 2018, the advisory says.
VPNFilter had infected routers made by companies including Linksys, MikroTik, Netgear, QNAP and TP-Link in 54 countries, including the U.S., according to a report by Cisco's Talos threat intelligence unit.
VPNFilter, like Cyclops Blink, targets network devices, primarily SOHO routers, the advisory says, adding that the deployment of both malware families is indiscriminate and widespread.
"[Cyclops Blink] is sophisticated and modular with basic core functionality to beacon device information back to a server, and it enables files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required," the advisory says.
Based on analysis of samples recovered from WatchGuard Firebox devices, the advisory says that Cyclops Blink is loaded into memory as two program segments.
The first of these program segments has read/execute permissions and contains the Linux ELF header and executable code for the malware, it says.
"The second has read/write permissions and contains the data, including victim-specific information, used by the malware. To make the sample hashes as useful as possible for comparison purposes, they have been calculated over the executable (first) program segments only. The file sizes correspond to those of the original files," according to the advisory.
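The hashing convention described above, hashing only the executable program segment so that samples differing only in victim-specific data still match, can be reproduced with a small ELF program-header parser. This is an added example, not code from the advisory or from WatchGuard; the test image it builds is a constructed toy ELF32 with an arbitrary machine type and placeholder bytes in place of real code.

```python
import hashlib
import struct

PT_LOAD, PF_X, PF_W, PF_R = 1, 1, 2, 4


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def exec_segment_sha256(elf: bytes) -> str:
    """SHA-256 over the file bytes of the first executable PT_LOAD segment only."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:                                # e_phoff @0x20, e_phentsize/e_phnum @0x36
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:                                   # e_phoff @0x1C, e_phentsize/e_phnum @0x2A
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", elf, off)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, ...
            p_type, p_offset, _, _, p_filesz, _, p_flags = struct.unpack_from(end + "IIIIIII", elf, off)
        if p_type == PT_LOAD and p_flags & PF_X:
            return sha256_hex(elf[p_offset:p_offset + p_filesz])
    raise ValueError("no executable PT_LOAD segment found")


def build_test_elf(code: bytes, data: bytes) -> bytes:
    """Constructed big-endian ELF32 with two PT_LOAD segments: R+X code, then R+W data."""
    ehsize, phentsize, phnum = 52, 32, 2
    code_off = ehsize + phentsize * phnum
    data_off = code_off + len(code)
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + bytes(8)   # ELF32, big-endian, ELF version 1
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 20, 1, 0x10000000, ehsize, 0, 0,
                               ehsize, phentsize, phnum, 0, 0, 0)   # ET_EXEC; e_machine 20 is arbitrary here
    ph_code = struct.pack(">IIIIIIII", PT_LOAD, code_off, 0x10000000, 0x10000000,
                          len(code), len(code), PF_R | PF_X, 4)
    ph_data = struct.pack(">IIIIIIII", PT_LOAD, data_off, 0x10010000, 0x10010000,
                          len(data), len(data), PF_R | PF_W, 4)
    return ehdr + ph_code + ph_data + code + data


if __name__ == "__main__":
    code = b"\x38\x60\x00\x00\x4e\x80\x00\x20" * 2          # constructed placeholder "code" bytes
    a = build_test_elf(code, b"victim-A: beacon data")       # same code, different data segment
    b = build_test_elf(code, b"victim-B: beacon data")
    print("segment hash A:", exec_segment_sha256(a))
    print("segment hash B:", exec_segment_sha256(b))
    print("whole-file hashes equal:", sha256_hex(a) == sha256_hex(b))
```

The two images share a segment hash but differ as whole files, which is why the advisory's sample hashes are comparable across victims only when computed this way.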
The analyzed samples include the same four built-in modules, which are executed on startup and provide functionality such as file upload/download, system information discovery and malware version update, it says.
"Further modules can be added via tasking from a C2 server. The malware expects these modules to be Linux ELF executables that can be executed using a Linux API function. The malware contains a hard-coded RSA public key, which is used for C2 communications, as well as a hard-coded RSA private key and X.509 certificate. The hard-coded RSA private key and X.509 certificate do not appear to be actively used within the analyzed samples, so it is possible that these are intended to be used by a separate module," the advisory says.
The malware also contains an initial list of C2 server IPv4 addresses and hard-coded port numbers to use for C2 communications. Its developers also looked for weaknesses in the WatchGuard Firebox firmware update process and exploited what they found to their advantage, according to the advisory.
The advisory says the developers identified a "specific weakness in this process" - "the ability to recalculate the HMAC value used to verify a firmware update image" - and have taken advantage of it "to maintain the persistence of Cyclops Blink throughout the legitimate firmware update process." Because the implant survives a legitimate firmware update, this persistence makes remediation harder.
The agencies' analysis determined that victim devices are organized into clusters, and that each deployment of Cyclops Blink has its own list of C2 IP addresses and ports.
"All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices and communications between Cyclops Blink clients and servers are protected under Transport Layer Security, using individually generated keys and certificates," the advisory says, adding that "Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network."
The news that Sandworm, a "capable and clever adversary," is using Cyclops Blink, especially amid the Ukraine crisis, is "concerning," says John Hultquist, vice president at cybersecurity firm Mandiant Threat Intelligence.
"[Sandworm] has surpassed all others we track in terms of the aggressive cyberattacks and information operations they have conducted," Hultquist says. "No other Russian actor has been so brazen and successful in disrupting critical infrastructure in Ukraine and elsewhere."
The group has been held responsible for the BlackEnergy disruption of Ukrainian electricity in 2015, Industroyer in 2016, NotPetya in 2017, attacks against the Winter Olympics and Paralympics in 2018 and a series of disruptive attacks against Georgia in 2019, according to the advisory.
Hultquist says he hopes the timing of this disclosure will better enable defense against Sandworm as relations between Russia and other countries deteriorate and the likelihood of cyberattacks beyond Ukraine continues to grow.
"WatchGuard has worked closely with the FBI, CISA and the NCSC and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a nonstandard upgrade process. Device owners should follow instructions to ensure that devices are patched to the latest version and that any infection is removed," the advisory says.
The advisory says that if a device is identified as being infected with Cyclops Blink, its owner should "assume that any passwords present on the device have been compromised and replace them" as well as "ensure that the management interface of network devices is not exposed to the internet."
The effort put into obfuscating command and control is impressive, says Jake Williams, a former member of the National Security Agency's elite hacking team and a research analyst. He tells Information Security Media Group: "After the takedown of DNSfilter, it was clear that any command and control relying only on DNS would not be resilient enough. Using Tor would provide resiliency but might also attract attention from savvy device owners."
Williams says that by using multiple layers of C2, Cyclops Blink gets "the best of both worlds." The threat actor can select infected nodes that are unlikely to be monitored to connect to its C2 servers through Tor, while most infected devices reach C2 by proxying through those nodes to the Tor network. This technique makes the attack harder to disrupt, he says, "leaving NCSC to publish detection documentation for potentially compromised users rather than taking over C2."
Williams says it's likely that the threat actor has built similar tools for platforms other than WatchGuard.
John Goodacre, director of UKRI’s Digital Security by Design, says malware such as Sandworm and Cyclops Blink are examples of the growing cost associated with the exploitation of computer vulnerabilities and the need for products that are secured by design. He says: "Knowingly select products with a root-of-trust that can ensure computers can only install and boot the expected software."