On February 23, 2022, CISA launched an alert stating that the UK National Cyber Security Centre (NCSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have detected the use of a novel malicious strain known as Cyclops Blink. As a replacement of the notorious VPNFilter, the new nefarious sample is also developed by an infamous Sandworm APT group to attack network devices.
To check for the malicious behavior associated with Cyclops Blink, including the file names and the path, you can download a dedicated Sigma rule by our prolific Threat Bounty developer Onur Atali:
This detection has translations for the following SIEM, EDR and XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Microsoft Defender for Endpoint, Securonix, Apache Kafka ksqlDB, Carbon Black, Qualys.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution, Defense Evasion, Privilege Escalation tactics with Command and Scripting Interpreter (T1059), Process Injection (T1055), and Deobfuscate/Decode Files or Information (T1140) as the primary techniques.
Cyclops Blink is a modular malicious framework developed to remotely compromise targeted networks. The novel malware appeared 14 months after VPNFilter botnet disruption, suspected to be a replacement for this nefarious threat by Sandworm APT. The NCSC, CISA, and the FBI have earlier linked the Sandworm APT and its malicious digital operations with the Russian GRU, including the destructive NotPetya campaign in 2017 and the BlackEnergy attacks against the Ukrainian electric grid in 2015 and 2016.
Similar to VPNFilter, the Cyclops Blink is used to infiltrate a broad number of targets of interest to Russia. Although mainly WatchGuard network devices are under attack right now, the NCSC and CISA believe that Sandworm APT can easily recompile the new framework to endanger multiple types of infrastructure.
Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC architecture. The expert Cyclops Blink analysis from federal U.S. and national-level intelligence agencies including FBI, CISA, NSA, and UK NCSC has linked this malware with a large-scale botnet primarily affecting small office/home office (SOHO) routers and network devices. Cyclops Blink possesses a modular structure with basic functionality and the ability to add new modules while operating, which enables adversaries to enhance the offensive capabilities. The built-in additional modules that run at launch are in charge of downloading and uploading files, collecting device data, and updating the malware itself.
The malicious sample is typically leveraged in the post-exploitation phase during the alleged firmware upgrade. Particularly, Cyclops Blink utilizes legit firmware update channels to be able to obtain access to the infected networks via code injection and repacked firmware images deployment. The threat can persist the device reboot, which makes its mitigation a sophisticated task.
The inquiry by FBI, CISA, NSA, and UK NCSC states that Cyclops Blink impacts only WatchGuard network devices. Presumably, the malware developers reverse-engineered the WatchGuard Firebox firmware update mechanism to check for possible flaws and exploit them. Currently, WatchGuard estimates that approximately 1% of active firewall appliances are affected.
To proactively defend against the most recent attacks and make threat detection easier, faster, and more efficient with the industry’s best practices and shared expertise, sign up for free at SOC Prime’s Detection as Code platform. The platform also enables SOC professionals to share detection content of their creation, participate in top-tier initiatives, and monetize the input.