Government agencies have discovered a deadlier new home and office network device killer malware that replaces weaker VPNFilter code.
U.S. and U.K. governments published a joint report Wednesday detailing a new malware strain developed by Russia’s military cyber unit deployed in the wild since 2019 and used to remotely compromise network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices.
The special cyber activity report came hours before Russian forces began an invasion of neighboring Ukraine Wednesday evening.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) issued an initial alert about the cyber intrusions on Feb. 16. That report disclosed Russian state-sponsored cybercriminals lurked for the last two years in numerous U.S Cleared Defense Contractors’ (CDC) networks stealing sensitive, unclassified information along with proprietary and export-controlled technology.
The malware dubbed Cyclops Blink appears to be a replacement for the VPNFilter malware exposed in 2018. Its deployment could allow Sandworm to remotely access networks.
The National Cyber Security Centre (NCSC) in the U.K., along with the FBI, CISA, and NSA in the U.S., published the advisory.
The cyber report includes steps outlining how to identify a Cyclops Blink infection and points to mitigation advice to help organizations remove it. The malware affects the Executable and Linkable Format (ELF) of Linux operating systems and exploits a Linux API function to download malicious files, execute attacks, and maintain persistence on victim networks.
Cyber experts at Digital Shadows, a provider of digital risk protection solutions, lacked specific evidence linking the Cyclops Blink malware to the most recent Ukrainian DDoS attacks, according to Rick Holland, that firm’s chief information security officer and vice president of strategy.
“However, compromising routers provide the Russians with a useful DDoS tool to distract and disrupt their adversaries while also providing a level of plausible deniability. Russia has used botnets in the past; in 2018, the FBI took a botnet associated with the VPNFilter malware offline,” he told TechNewsWorld.
Connect the Dots
The joint advisory identifies the cyber unit as a hacker actor called Sandworm, also known as Voodoo Bear. The report described the new malware as having a more advanced framework.
The U.S. and U.K. agencies previously attributed the Sandworm actor to the Russian military’s intelligence agency or GRU’s Main Centre for Special Technologies GTsST.
Russia did not just decide to invade Ukraine this week, observed Holland. Military planners prepared for this campaign years in advance.
“Disinformation, false flags, DDoS attacks, and destructive wiper malware are a part of Russian military doctrine. The battle plans have been drawn up and are now being executed, he said.
Given the history before and after the 2014 Russian invasion of Crimea, it is highly likely the source of the malware attacks came from Russia, observed John Dickson, vice president at cybersecurity advisory services firm Coalfire.
“I would bet a million rubles this is from our friends in Moscow. They are likely trying to soften the target by disrupting Ukrainian command, control, and communications prior to any broader invasion of the Ukraine,” he told TechNewsWorld.
An NCSC malware analysis report on Cyclops Blink is available here. This report covers the analysis of two samples recently acquired by the FBI from WatchGuard Firebox devices known to have been incorporated into the botnet.
The analysis describes Cyclops Blink as a malicious Linux Executable and Linkable Format compiled for the 32-bit PowerPC (big-endian) architecture.
NCSC, FBI, CISA, NSA, and industry analysis link it with a large-scale botnet targeting Small Office/Home Office (SOHO) network devices. This botnet has been active since at least June 2019, affecting WatchGuard Firebox and possibly other SOHO network devices.
The samples load into memory as two program segments. The first of these segments has read/execute permissions and contains the Linux ELF header and executable code for the malware. The second has read/write permissions and contains the data, including victim-specific information, used by the malware.
Risk of Potential Fallout
The looming questions are how resilient is Russia to the West’s new economic and other sanctions the U.S. reportedly will announce on Thursday and how far does Russian retaliation spread beyond the borders of Ukraine, offered Digital Shadows’ Holland.
“Based on Russian Foreign Affairs Ministry statements issued yesterday (Feb. 23) around a strong and painful response, critical U.S. and Western infrastructure could be targeted soon, including energy and finance,” he warned.
Coalfire’s Dickson recommended four security checks in light of the cyber warnings:
- Brainstorm potential disruption scenarios, e.g., international travel or GPS disruption and craft response plans.
- Conduct a quick tabletop exercise tailored to a regional conflict scenario. Pull in key corporate leaders to identify gaps and identify additional risks.
- Identify and protect key staff who may be impacted by disruption associated with a widening of conflict in the Ukrainian area.
- Secure externals security resources (more humans) when your workflows increase exponentially.
Cyclops Blink Conclusions
The report concludes that Cyclops Blink’s modular design approach is professionally developed. Analysis of malware samples indicates that they probably developed from a common code base, and that the developers took pains to ensure that the command-and-control communications are difficult to detect and track.
The developers clearly reverse-engineered the WatchGuard Firebox firmware update and identified a specific weakness in its process, namely the ability to recalculate the hash-based message authentication code (or HMAC) value used to verify a firmware update image. They took advantage of this weakness to maintain the persistence of Cyclops Blink throughout the legitimate firmware update process.
Cyclops Blink has read/write access to the device filesystem. This enables legitimate files to be replaced with modified versions (e.g., install_upgrade). Even if the specific weakness were fixed, the developers would be capable of deploying new capabilities to maintain the persistence of Cyclops Blink.
These factors, combined with the professional development approach, lead to the NCSC conclusion that Cyclops Blink is a highly sophisticated piece of malware.
The samples of Cyclops Blink were compiled for the 32-bit PowerPC (big-endian) architecture. However, WatchGuard devices cover a wide range of architectures. So it is highly likely that these are also targeted by the malware.
The weakness in the firmware update process is also highly likely to be present in other WatchGuard devices. It is therefore recommended that users follow the WatchGuard mitigation advice for all relevant devices.