Cybersecurity & Infrastructure Security Agency (CISA) Malware Alert (AA22-054A)

Authored by Nicolas Claude – Cybersecurity

“Sandworm”, a Russian state-backed hacker group within the GRU (Russia's military intelligence organization), has deployed new malware called ‘Cyclops Blink’. The malware targets network devices such as WatchGuard firewalls, and its deployment is indiscriminate and pervasive. ‘Cyclops Blink’ can lead to a complete network compromise by giving attackers a foothold on the external perimeter firewall.

According to intelligence agencies in the US and UK, including CISA (Cybersecurity & Infrastructure Security Agency) and the NCSC (National Cyber Security Centre), this new malware replaces the earlier ‘VPNFilter’ malware with a more sophisticated framework. The group was previously known for its 2017 attack on Ukraine using the ‘NotPetya’ malware. ‘Cyclops Blink’ is a malicious Linux ELF executable that primarily targets firewall devices made by WatchGuard. According to the NSA and FBI, industry analysis has associated it with a large-scale botnet. ‘Cyclops Blink’ is commonly deployed during the legitimate firmware update process (CISA, 2022), which can make remediation more difficult. It has a modular framework consisting of a core component plus additional modules that download and upload files, handle command and control (C2), update the malware, and ensure it is executed at startup (NCSC, 2022). A report covering the malware analysis, IoCs (indicators of compromise), and potential mitigations can be found in the NCSC Malware Analysis Report at ncsc.gov.uk. More information about the malware can be found in CISA's Cyclops Blink advisory (Alert AA22-054A).

CLA’s IT and Cybersecurity team can help with remediation efforts, aid in understanding your organization's overall attack surface, and help you determine whether the controls in place are properly mitigating risk from that attack surface. We have experienced professionals who can help prevent an attack or respond to an attack if one has occurred.

In light of current potential threats, the Department of Homeland Security has issued a Shields Up guidance for all organizations—regardless of size—to adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.

References

CISA. (2022, Feb 23). New Sandworm Malware Cyclops Blink Replaces VPNFilter. Retrieved from CISA Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/uscert/ncas/alerts/aa22-054a

NCSC. (2022, Feb 23). Malware Analysis Report. Retrieved from National Cyber Security Centre: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf


Javier is a principal within the Cybersecurity Services Group at CLA. Prior to joining CLA, Javier spent ten years supporting the Department of Defense as well as a financial services company in the fields of insider threat, incident response, analytics, and systems engineering.
