In February 2022, a Joint Cybersecurity Advisory was issued by key agencies in the United States (CISA, FBI, and the NSA), Australia’s Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre. This advisory identified a threat actor known as Sandworm (or Voodoo Bear) that is using new and dangerous malware identified as Cyclops Blink.
Per MITRE ATT&CK group data, Sandworm Team has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies military unit 74455 and has been active since 2009. In October 2020, the United States indicted six GRU Unit 74455 officers associated with Sandworm Team for multiple cyber operations, including the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations. Further, Sandworm is believed to be responsible for the 2017 worldwide NotPetya attack, the targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organization for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. Some of these attacks were conducted with the support and assistance of GRU Unit 26165, better known as the infamous APT28.
Sandworm has a history of malicious and damaging activity, including:
- The BlackEnergy disruption of Ukrainian electricity in 2015
- Industroyer in 2016
- NotPetya in 2017
- Attacks against the Winter Olympics and Paralympics in 2018
- A series of disruptive attacks against Georgia in 2019
Cyclops Blink seems to be a replacement framework for the VPNFilter malware, which was exposed in 2018. VPNFilter exploited network devices such as home and small-business routers and network-attached storage devices. Cyclops Blink has been deployed since approximately June 2019, fourteen months after VPNFilter was disrupted, and, like VPNFilter, it appears to be deployed widely.
Sandworm has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm is capable of compiling the malware for other architectures and firmware. The Cyclops Blink malware itself is modular. Its core functionality beacons device information back to a server (see MITRE ATT&CK sub-technique T1132.002) and then downloads and executes files. New modules can also be added while the malware is running, which allows Sandworm to implement additional capability as required.
Cyclops Blink is often deployed as part of a firmware update (MITRE ATT&CK T1542.001). This achieves persistence when the device is rebooted and makes remediation more difficult.
Victim devices are organized into clusters, and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports being used (MITRE ATT&CK T1008). Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.
So how can you mitigate Cyclops Blink?
Cyclops Blink persists across reboots and throughout the legitimate firmware update process, so it must be actively removed. WatchGuard has provided special tools to detect and remove Cyclops Blink from WatchGuard devices through a non-standard upgrade process. Device owners should follow every step of these instructions to ensure that devices are patched to the latest version and that any infection is removed. The tooling and guidance from WatchGuard can be found at: https://detection.watchguard.com/.
If you are infected with Cyclops Blink, assume that any passwords present on the device have been compromised. They need to be replaced immediately.
The advisory lists many indicators of compromise, which should be reviewed and kept for ongoing reference. It also delineates broader guidance for defending against the Cyclops Blink malware:
- Do not expose management interfaces of network devices to the internet: the management interface is a significant attack surface, so not exposing them reduces the risk.
- Use the latest supported versions, apply security patches promptly, use antivirus and scan regularly to guard against known malware threats.
- Use multifactor authentication to reduce the impact of password compromises.
- Make sure your staff know how to report suspected phishing emails, and ensure they feel confident to do so. Investigate their reports promptly and thoroughly.
- Set up a security monitoring capability, so you are collecting the data that will be needed to analyze network intrusions.
- Prevent and detect lateral movement in your organization’s networks.
DNS is always part of the battlefield
Leveraging a DNS security solution like Infoblox’s BloxOne® Threat Defense to help protect against threats attempting to use DNS as a back channel is highly recommended. Most malware and advanced threats rely on the use or compromise of DNS to execute and complete their attack while avoiding detection by standard security tools. BloxOne Threat Defense closes this security gap and hardens the security ecosystem against sophisticated threats.
DNS security works at the ground level—that’s why we say it is foundational. DNS security is designed to prevent users’ connections to malicious destinations, and to detect anomalous behaviors in the network such as C&C communications, advanced persistent threat activity, domain generation algorithm (DGA) activity, botnet communications, DNS tunneling, and data exfiltration. In addition, Infoblox DNS security integrates with Security Orchestration, Automation and Response (SOAR) systems, ITSM solutions, vulnerability scanners and other security ecosystem tools to trigger remediation actions automatically when malicious activity is detected. This speeds up an organization’s response to security events and enables rapid threat containment.
Analyzing DNS logs is a highly effective way to see what resources a client has been accessing historically. DHCP fingerprint and IPAM metadata provide contextual information on compromised devices such as type of device, OS information, network location and current and historical IP address allocations. All this information helps with event correlation and understanding the scope of a breach.
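To make the two preceding paragraphs concrete, here is an added example, not Infoblox code and not part of the advisory, of the kind of heuristics a DNS security analyst runs over query logs to surface the behaviors named above: DGA-style lookups, DNS tunneling, and periodic C&C beaconing. The log format, the client addresses, the domain names and the thresholds are all constructed for illustration (the `.example` TLD is reserved for documentation), and the "registered domain" helper deliberately approximates the registrable domain with the last two labels rather than consulting a public suffix list.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample DNS query log (not real traffic), one query per line:
# "<ISO-8601 timestamp> <client IP> <query name> <query type>"
SAMPLE_LOG = """\
2022-03-01T10:00:00 10.0.0.5 www.example.com A
2022-03-01T10:00:03 10.0.0.5 cdn.example.net A
2022-03-01T10:00:30 10.0.0.7 qmxzvkpwlrtyhnbd.example A
2022-03-01T10:00:31 10.0.0.7 xkqplwzmrvbtyhng.example A
2022-03-01T10:00:32 10.0.0.7 zrtpqwmlkxcvnbhd.example A
2022-03-01T10:01:00 10.0.0.9 sync.example A
2022-03-01T10:02:00 10.0.0.9 sync.example A
2022-03-01T10:03:00 10.0.0.9 sync.example A
2022-03-01T10:04:00 10.0.0.9 sync.example A
2022-03-01T10:05:00 10.0.0.9 sync.example A
2022-03-01T10:06:00 10.0.0.11 mfrggzdfmztwq2lknnwg23tpobyxe43u.t.example TXT
2022-03-01T10:06:01 10.0.0.11 onswg4tfmfzwk3loojsw4zbanfzxg5lo.t.example TXT
2022-03-01T10:06:02 10.0.0.11 nfzw2ylbmvqw4zlsnnzxg5lsmrqxizlt.t.example TXT
2022-03-01T10:06:03 10.0.0.11 onxw2ylboi2gk3tbnvsxizlsnfzw24dt.t.example TXT
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype))
    return records


def registered_domain(qname):
    """Assumption: the last two labels approximate the registrable domain (no public suffix list)."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_dga_like(records, min_len=12, min_entropy=3.5):
    """Flag (client, qname) pairs whose second-level label is long and high-entropy."""
    hits = set()
    for _, client, qname, _ in records:
        label = registered_domain(qname).split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.add((client, qname))
    return sorted(hits)


def find_tunneling(records, min_queries=3, min_label_len=30):
    """Flag (client, registered domain) pairs sending several distinct long leftmost labels.

    Long, ever-changing labels are how tunneling tools smuggle encoded payload chunks
    out through DNS; TXT queries are a common carrier but the check is type-agnostic.
    """
    buckets = defaultdict(set)
    for _, client, qname, _ in records:
        if len(qname.split(".")[0]) >= min_label_len:
            buckets[(client, registered_domain(qname))].add(qname)
    return sorted(key for key, names in buckets.items() if len(names) >= min_queries)


def find_beacons(records, min_queries=4, max_cv=0.1):
    """Flag (client, qname, interval_seconds) where repeated lookups are near-periodic.

    A coefficient of variation (stdev / mean of inter-arrival gaps) near zero is the
    signature of a timer-driven check-in rather than human browsing.
    """
    stamps = defaultdict(list)
    for ts, client, qname, _ in records:
        stamps[(client, qname)].append(ts)
    hits = []
    for (client, qname), times in stamps.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append((client, qname, round(mean)))
    return sorted(hits)


def analyze(text):
    """Run all three heuristics over a log and return the findings for correlation."""
    records = parse_log(text)
    return {
        "dga_like": find_dga_like(records),
        "tunneling": find_tunneling(records),
        "beacons": find_beacons(records),
    }


if __name__ == "__main__":
    for category, findings in analyze(SAMPLE_LOG).items():
        print(category, findings)
```

Each finding carries the client IP so it can be joined against DHCP fingerprint and IPAM data (device type, OS, network location) in the way the paragraph above describes; the thresholds are starting points to be tuned against a baseline of the organization's own benign traffic, since CDN hostnames and legitimate software updaters can resemble both DGA labels and beacons.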
BloxOne Threat Defense also combines advanced analytics based on machine learning, highly accurate and aggregated threat intelligence and automation to detect and prevent a broad range of threats. These threats may include DGA, data exfiltration, look-alike domain use, fast flux and many others.
There is plenty of consensus on the high value of DNS security. A June 2021 Gartner report recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.
To learn more about the Cyclops Advisory, please go to https://www.cisa.gov/uscert/ncas/alerts/aa22-054a.
To find out more about how Infoblox can help with DNS security, please reach out to us via https://info.infoblox.com/contact-form/.