Cyclops Blink

{{Short description|Botnet-enabling malware targeting network hardware}}

Cyclops Blink is a malicious Linux ELF executable compiled for the 32-bit PowerPC (big-endian) architecture. It targets routers and firewall devices from WatchGuard and ASUS and adds them to a botnet for command and control (C&C). The malware is reported to originate from the hacker group Sandworm.{{Cite journal |date= |title=Cyclops Blink |url=https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf |journal=National Cyber Security Centre}}
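A small triage helper, added here as an example and not code from the article or from any of the referenced reports, that reads the ELF identification bytes of a file and flags one that matches the 32-bit big-endian PowerPC build profile described above. Field offsets and constants come from the ELF specification; the sample headers are constructed, and a match is only a hint for further analysis, not proof of infection.

```python
import struct

# ELF header constants from the ELF specification (not page-specific values).
ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFDATA2MSB = 2          # big-endian data encoding
EM_PPC = 20              # 32-bit PowerPC


def parse_elf_header(data: bytes) -> dict:
    """Parse the ELF fields needed for architecture triage.

    Returns class, data encoding, e_type and e_machine, or raises
    ValueError if the blob does not start with an ELF header.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    # e_type and e_machine start at offset 16 and use the file's own byte order.
    fmt = ">HH" if ei_data == ELFDATA2MSB else "<HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {"class": ei_class, "data": ei_data,
            "e_type": e_type, "e_machine": e_machine}


def is_ppc32_big_endian_elf(data: bytes) -> bool:
    """True if the blob is a 32-bit, big-endian PowerPC ELF file.

    Useful when sorting binaries pulled from an appliance image; anything
    that matches still needs proper analysis before being called malicious.
    """
    try:
        h = parse_elf_header(data)
    except ValueError:
        return False
    return (h["class"] == ELFCLASS32 and h["data"] == ELFDATA2MSB
            and h["e_machine"] == EM_PPC)


def make_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a constructed (fake) 52-byte ELF header for testing the checks."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + bytes(8)  # EI_VERSION=1, padding
    fmt = ">HH" if ei_data == ELFDATA2MSB else "<HH"
    return ident + struct.pack(fmt, e_type, e_machine) + bytes(32)


# Constructed samples, not bytes from any real file.
SAMPLE_PPC32_BE = make_header(ELFCLASS32, ELFDATA2MSB, 2, EM_PPC)  # ET_EXEC, PowerPC
SAMPLE_X86_64 = make_header(2, 1, 2, 62)                          # ELFCLASS64, LSB, EM_X86_64
```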

Infection is through an exploit of CVE-2022-23176, which allows privilege escalation to obtain management access on the device.{{cite web |title=Security Portal - Threat |url=https://securityportal.watchguard.com/threats/detail?ruleId=1230677&sigVers=18 |website=securityportal.watchguard.com}} After a device has been infected, it acts as a command and control server, and the malware's modular design allows further modules to be installed and lets it survive firmware upgrades.

History

The malware has been around since at least June 2019.

Cyclops Blink was first reported on in February 2022, after security advisories published by the United Kingdom's National Cyber Security Centre (NCSC) and the United States' Cybersecurity and Infrastructure Security Agency (CISA) detailed its presence in the wild.

Thousands of infected routers were later cleaned.{{cite web |last1=Conger |first1=Kate |last2=Sanger |first2=David E. |title=U.S. Says It Secretly Removed Malware Worldwide, Pre-empting Russian Cyberattacks |url=https://www.nytimes.com/2022/04/06/us/politics/us-russia-malware-cyberattacks.html |website=The New York Times |archive-url= https://web.archive.org/web/20220407201949/https://www.nytimes.com/2022/04/06/us/politics/us-russia-malware-cyberattacks.html |archive-date=7 April 2022 |date=6 April 2022 |url-status=live}} Although Sandworm has attacked Ukrainian assets in the past, the malware has not targeted Ukrainian networking equipment and is thought to be unrelated to the Russo-Ukrainian War.{{cite magazine |last1=Greenberg |first1=Andy |title=Russia's Sandworm Hackers Have Built a Botnet of Firewalls |url=https://www.wired.com/story/sandworm-cyclops-blink-hacking-tool/ |magazine=Wired |access-date=21 March 2022}}{{cite web |last1=Hacquebord |first1=Feike |last2=Hilt |first2=Stephen |last3=Merces |first3=Fernando |title=Cyclops Blink Sets Sights on Asus Routers |date=17 March 2022 |url=https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html |publisher=Trend Micro Inc. |access-date=21 March 2022}}{{cite web |title=New Sandworm Malware Cyclops Blink Replaces VPNFilter |date=23 February 2022 |url=https://www.cisa.gov/uscert/ncas/alerts/aa22-054a |publisher=Cybersecurity and Infrastructure Security Agency |access-date=21 March 2022}}{{Cite web |last=Osborne |first=Charlie |title=Russian Cyclops Blink botnet launches assault against Asus routers |url=https://www.zdnet.com/article/cyclops-blink-botnet-launches-assault-against-asus-routers/ |access-date=2022-03-21 |website=ZDNet |language=en}}{{Cite web |last=Arntz |first=Pieter |date=2022-02-24 |title=Cyclops Blink malware: US and UK authorities issue alert |url=https://blog.malwarebytes.com/threat-spotlight/2022/02/cyclops-blink-malware-us-and-uk-authorities-issue-alert/ |access-date=2022-03-21 |website=Malwarebytes Labs |language=en-US}}

References

{{Reflist}}