Cyclops Blink - A new malware framework named Cyclops Blink, used by the threat actor Sandworm (also known as Voodoo Bear), has been identified by the United Kingdom's (UK) National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI).
Sandworm was previously linked to the Russian General Staff Main Intelligence Directorate's (GRU's) Main Center for Special Technologies, part of Russia's military intelligence. Sandworm was responsible for several devastating cyber-attacks, including NotPetya in 2017, the BlackEnergy disruption of Ukrainian electricity in 2015, Industroyer in 2016, attacks against the Winter Olympics and Paralympics in 2018, and a series of disruptive attacks against Georgia in 2019.
According to CISA, Sandworm's earlier malware was first exposed in 2018, and Cyclops Blink appears to be a replacement framework for that VPNFilter malware. VPNFilter compromised network devices, mostly small office/home office (SOHO) routers, as well as network-attached storage (NAS) devices. In 2018, Cisco Talos reported that VPNFilter was deployed in stages, with most functionality residing in the third-stage modules.
Today, researchers reported that Cyclops Blink has been deployed in the wild since 2019 and is targeting network devices. The malware uses a modular structure, allowing operators to deploy second-stage payloads to infected devices. The report does not mention how the malware is initially deployed or give details on the capabilities of the second-stage modules.
CISA describes the malware as sophisticated, and deployment appears to be indiscriminate and widespread. So far, Cyclops Blink has been deployed to WatchGuard devices. CISA notes that only WatchGuard devices that were reconfigured from the manufacturer's default settings to open remote management interfaces to external access could be infected.
HermeticWiper - A few hours ago, ESET and Broadcom’s Symantec discovered a new data wiper (HermeticWiper) being deployed on Ukraine’s computer networks. The wiper is similar to WhisperGate and ESET believes the attack may have been in the works for almost two months.
ESET reports that the wiper binary is signed with a code signing certificate. Additionally, HermeticWiper abuses legitimate drivers from the EaseUS Partition Master software to corrupt data before finally rebooting the computer. When ESET analyzed one of the victims, they observed that the wiper was dropped via the default domain policy GPO, indicating the threat actors had taken control of the Active Directory server.
The Ukrainian government has neither confirmed nor denied the current cyber attacks, so this story is still developing.
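Because the wiper was pushed through the Default Domain Policy, a defender's first check is whether that GPO has been modified recently and whether it now carries scripts, scheduled tasks or file deployments it should not. The following PowerShell audit is an added example, not code from the ESET report or from any of the agencies named above; it assumes the GroupPolicy RSAT module is installed, that the well-known Default Domain Policy GUID is in use, and that the element names matched in the report XML are the ones Get-GPOReport emits.

```powershell
# Audit the Default Domain Policy for recent changes and payload-delivering settings.
# Added example; run on a domain-joined host with the GroupPolicy module (RSAT) available.
Import-Module GroupPolicy

$DefaultDomainPolicyGuid = '31B2F340-016D-11D2-945F-00C04FB984F9'   # well-known GUID
$LookbackDays = 7                                                   # assumption: review window

$gpo = Get-GPO -Guid $DefaultDomainPolicyGuid
Write-Host "Default Domain Policy last modified: $($gpo.ModificationTime)"
if ($gpo.ModificationTime -gt (Get-Date).AddDays(-$LookbackDays)) {
    Write-Warning "Default Domain Policy changed within the last $LookbackDays days; review the change."
}

# Pull the full settings report as XML and look for settings that can drop or run a binary:
# startup/shutdown scripts, scheduled or immediate tasks, and file preference items.
[xml]$report = Get-GPOReport -Guid $DefaultDomainPolicyGuid -ReportType Xml
$names = "'Script','Task','TaskV2','ImmediateTask','ImmediateTaskV2','File'"
$hits = $report.SelectNodes("//*[local-name()=$($names -replace ',',' or local-name()=')]")

if ($hits.Count -eq 0) {
    Write-Host 'No script, scheduled task or file deployment settings found in the Default Domain Policy.'
} else {
    Write-Warning "$($hits.Count) script/task/file setting(s) found in the Default Domain Policy:"
    foreach ($node in $hits) {
        # Print the element name and a short excerpt so the reviewer can see the command/path.
        $excerpt = $node.OuterXml
        if ($excerpt.Length -gt 300) { $excerpt = $excerpt.Substring(0, 300) + '...' }
        Write-Host ("  [{0}] {1}" -f $node.LocalName, $excerpt)
    }
}

# Also check the policy's SYSVOL folder for files written inside the review window,
# since a dropped payload or script lives there even if the settings report looks clean.
$domain = $env:USERDNSDOMAIN
$sysvolPath = "\\$domain\SYSVOL\$domain\Policies\{$DefaultDomainPolicyGuid}"
Get-ChildItem -Path $sysvolPath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$LookbackDays) } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

Any hit should be compared against change records for the GPO; a startup script or immediate task that nobody can account for is the kind of finding that warrants isolating the domain controllers and pulling the SYSVOL file for analysis.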
Tension between Russia and Ukraine is at an all-time high, and while there are no credible threats to the U.S. at the moment, there is still a possibility that the U.S. could be affected in some way. CISA has issued a “Shields Up” public service announcement to help keep your organization prepared.
If your organization has ties to Ukraine, you should consider how to isolate and monitor those connections to protect your organization from potential collateral damage.
According to CISA, Cyclops Blink persists across reboots and throughout the legitimate firmware update process. This means that restarting a device or resetting it to factory settings won't remove the malware; a complete re-imaging of the infected device is required. To mitigate, CISA and WatchGuard recommend the following: