Cyclops Blink is malware that targets routers and firewall devices from WatchGuard and ASUS and adds them to a botnet for command and control (C&C). Infection is through an exploit for CVE-2022-23176, a privilege-escalation vulnerability that grants management access to the device. Once infected, a device acts as a command and control server, and the malware's modular design allows further modules to be installed and lets it persist across firmware upgrades. Cyclops Blink was first reported on in February 2022, after security advisories published by the United Kingdom's National Cyber Security Centre (NCSC) and the United States' Cybersecurity and Infrastructure Security Agency (CISA) detailed its presence in the wild. According to those agencies, the malware originates from the hacker group Sandworm, a team within the GRU, a military intelligence unit of the Russian Federation. The malware has drawn comparisons to the earlier VPNFilter, based on the shared origin and its similar operation of attacking network devices. According to the cyber security firm Trend Micro Inc., the malware has been around since at least June 2019. Thousands of routers were cleaned. Although Sandworm has attacked Ukrainian assets in the past, the malware has not targeted Ukrainian networking equipment and is thought to be unrelated to the Russo-Ukrainian War.


External links


NCSC malware analysis report

Detection and remediation actions by Watchguard