Administrators of WatchGuard firewalls are being warned to search for signs of compromise on the devices after the publication of a report of malware distributed by a threat group believed to be run by Russian army intelligence.
The report, issued this week by U.S. and U.K. cyber intelligence agencies, said the group known as Sandworm (also called APT28, or Voodoo Bear by some researchers) has been quietly deploying what has been dubbed Cyclops Blink malware through a botnet of exploited network devices including small office/home office (SOHO) routers and network-attached storage (NAS) devices.
Cyclops Blink is a replacement for similar malware called VPNFilter.
VPNFilter and its botnet were exposed in 2018 by researchers at Cisco Systems’ Talos threat intelligence service. The U.S. Justice Department then announced an effort to disrupt VPNFilter and what it called a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices.
According to the new U.S./U.K. report, Cyclops Blink has been deployed since at least June 2019, 14 months after VPNFilter was disrupted.
“In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread,” the report adds. “The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.” Only WatchGuard devices that were reconfigured from the manufacturer’s default settings to open remote management interfaces to external access could be infected, the report says.
The report calls the malware sophisticated and modular, with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed. After initial exploitation of a device, Cyclops Blink is generally deployed as part of a fake firmware update.
The report says WatchGuard has created tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed.
WatchGuard said that, based on its own investigation, work done with Mandiant, and information provided by the FBI, there is no evidence of data exfiltration from WatchGuard or its customers. WatchGuard firewall appliances are not at risk if they were never configured to allow unrestricted management access from the Internet, it adds.
Because Cyclops Blink can be reconfigured to attack many devices, the intelligence agencies issued the following advice it IT administrators, which applies to protecting against any malware:
- do not expose management interfaces of network devices to the internet;
- apply security patches promptly;
- use multi-factor authentication on network devices to reduce the impact of password compromises;
- tell staff how to report suspected phishing emails;
- set up a network security monitoring capability;
- prevent and detect lateral movement in your organization’s network.