The Sandworm group, which is affiliated with the Russian GRU, is deploying a new piece of malware known as Cyclops Blink that has the ability to survive device reboots and updates and has been used to target WatchGuard Firebox appliances.
The new malware looks to be a replacement for the VPNFilter malware that Sandworm had been using for several years before researchers at Cisco Talos exposed it in 2018. VPNFilter was a destructive multistage malware variant that mostly targeted routers, but also had capabilities to infect endpoint devices. The malware had the ability to steal credentials and other sensitive information, and after Cisco Talos detailed its operation, the Department of Justice tied VPNFilter directly to the Sandworm group. Sandworm has been attributed to the GRU, Russia’s military intelligence unit, and is responsible for some of the more destructive campaigns in recent years, including the BlackEnergy malware attacks on Ukraine.
More recently, Sandworm has been using the newer Cyclops Blink malware to target network devices, including WatchGuard Firebox appliances. On Wednesday, the NSA, FBI, CISA, and the UK’s National Cyber Security Center released a detailed analysis of Cyclops Blink, which the agencies say has been in use since at least 2019. The malware is deployed as a malicious firmware update and is compiled as a Linux ELF executable.
“Both analysed samples included the same four built-in modules that are executed on startup and provide basic malware functionality including: file upload/download, system information discovery and malware version update. Further modules can be added via tasking from a C2 server. The malware expects these modules to be Linux ELF executables that can be executed using the Linux API function execlp,” the advisory says.
“The malware contains a hard-coded RSA public key, which is used for C2 communications, as well as a hard-coded RSA private key and X.509 certificate. The hard-coded RSA private key and X.509 certificate do not appear to be actively used within the analysed samples, so it is possible that these are intended to be used by a separate module.”
Cyclops Blink has a feature that enables the attackers to add new modules to it as needed, and compromised devices are added to a botnet that communicates with the command-and-control servers over Tor.
“All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network,” the advisory says.
Historically, Sandworm has targeted organizations in Ukraine, Georgia, and other Eastern European countries, and many of their campaigns have been destructive. Along with the BlackEnergy attack in 2015 that disrupted the power supply in Ukraine, Sandworm also has been blamed for the NotPetya attack in 2017 in Ukraine and the Industroyer attack on Ukraine’s power grid in 2016. The tense situation between Russia and Ukraine at the moment has raised concerns about potential cyber attacks by Russian actors against both Ukraine and western allies, but the new multi-agency advisory is not specifically tied to that scenario.
“The developers have clearly reverse engineered the WatchGuard Firebox firmware update process and have identified a specific weakness in this process, namely the ability to recalculate the HMAC value used to verify a firmware update image. They have taken advantage of this weakness to enable them to maintain the persistence of Cyclops Blink throughout the legitimate firmware update process,” the malware analysis says.
“It is of note that Cyclops Blink has read/write access to the device filesystem, enabling legitimate files to be replaced with modified versions (e.g. install_upgrade). Even if the specific weakness highlighted above were fixed, it is expected that the developers would be capable of deploying new capability to maintain the persistence of Cyclops Blink. These factors, combined with the professional development approach, lead to the NCSC conclusion that Cyclops Blink is a highly sophisticated piece of malware.”
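The weakness quoted above, as an added Python example that is not code from the advisory or from WatchGuard: an HMAC check whose key can be read on the device (an assumption made here) still passes for a modified image, while a digest baseline kept off the device flags the replaced `install_upgrade`. The key, the file contents and the `pack` image format are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: not the real Firebox key, image layout or updater.
DEVICE_KEY = b"constructed-hmac-key-readable-on-device"
VENDOR_FILES = {"install_upgrade": b"original updater", "rootfs.img": b"vendor rootfs"}
TAMPERED_FILES = {"install_upgrade": b"modified updater", "rootfs.img": b"vendor rootfs",
                  "extra_module": b"unexpected ELF"}


def pack(files: dict[str, bytes]) -> bytes:
    """Serialize files into one image blob (hypothetical length-prefixed format)."""
    out = b""
    for name in sorted(files):
        data = files[name]
        out += len(name).to_bytes(2, "big") + name.encode() + len(data).to_bytes(4, "big") + data
    return out


def image_tag(key: bytes, image: bytes) -> bytes:
    """HMAC-SHA256 over the whole image, as a symmetric integrity tag."""
    return hmac.new(key, image, hashlib.sha256).digest()


def device_accepts(image: bytes, tag: bytes, key: bytes = DEVICE_KEY) -> bool:
    """On-device check: recompute the HMAC with the local key, compare in constant time."""
    return hmac.compare_digest(image_tag(key, image), tag)


def manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Per-file SHA-256 digests."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def diff_against_baseline(files: dict[str, bytes], baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare current file digests with a baseline that is stored off the device."""
    current = manifest(files)
    return {
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


# Baseline captured from the vendor release and kept where the device cannot write.
BASELINE = manifest(VENDOR_FILES)

if __name__ == "__main__":
    image = pack(TAMPERED_FILES)
    tag = image_tag(DEVICE_KEY, image)  # a tag made with the device-resident key verifies
    print("device HMAC check passes:", device_accepts(image, tag))
    print("baseline diff:", diff_against_baseline(TAMPERED_FILES, BASELINE))
```

The on-device check only proves the tag was made with the same key, so integrity evidence has to come from something the device cannot rewrite, such as the off-device baseline here or an asymmetric signature verified against a public key.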