U.S., U.K. Agencies Warn of New Russian Botnet Built from Hacked Firewall Devices (Security News, February 2022)
Intelligence agencies in the U.K. and the U.S. disclosed details of a new botnet malware called Cyclops Blink that's been attributed to the Russian-backed Sandworm hacking group and deployed in attacks dating back to 2019.
"Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers, and network-attached storage devices," the agencies said.
The IoT botnet malware was found to have compromised more than 500,000 routers in at least 54 countries, targeting devices from Linksys, MikroTik, NETGEAR, TP-Link, ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE. In the same month VPNFilter was exposed, the U.S. government announced the seizure and takedown of a key internet domain used for the attacks, urging owners of SOHO and NAS appliances that might be infected to reboot their devices to temporarily disrupt the malware.
Cyclops Blink, as the replacement is called, is believed to have been active since at least June 2019, primarily targeting WatchGuard firewall devices, although the agencies said the malware could be repurposed to strike other architectures and firmware.
Even more concerningly, the botnet malware is deployed as a fake update and is capable of surviving reboots and firmware upgrades, with command-and-control communications facilitated over the Tor anonymity network.
"There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required."
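The two capabilities above, a persistent implant living on the firewall itself and command-and-control over Tor, give defenders a concrete signal to hunt for: a firewall appliance should almost never originate outbound connections of its own beyond its vendor's update and licensing endpoints, and it should certainly never contact Tor relays. The script below is an added example written for this page, not code from the article or from the agencies' advisory. It assumes a syslog-like egress log format of its own making, a constructed list of Tor relay addresses (in practice loaded from the current relay consensus), a constructed vendor allowlist, and the appliance's own management IP, all of which would be replaced with real values in a deployment.

```python
"""Added example (not from the article): flag firewall-appliance-originated
connections that look like Tor command-and-control beaconing.

Assumptions (all constructed for this example): the log line format, the
appliance IP, the vendor allowlist and the Tor relay sample. A real
deployment would load the relay list from a live consensus feed and the
allowlist from the firewall vendor's documentation."""
import re
from collections import Counter

# Constructed: the appliance's own management IP(s). Connections *from*
# these addresses are device-originated, not forwarded client traffic.
APPLIANCE_IPS = {"192.0.2.1"}

# Constructed: destinations the appliance legitimately contacts itself
# (vendor update/licensing endpoints). Fill from vendor documentation.
VENDOR_ALLOWLIST = {"198.51.100.10", "198.51.100.11"}

# Constructed sample of Tor relay addresses (RFC 5737 documentation range).
# In practice, load the current relay consensus instead of a static set.
TOR_RELAYS = {"203.0.113.5", "203.0.113.77", "203.0.113.200"}

# Default Tor ORPort/DirPort values, used only as a weaker secondary signal
# (relays are often configured on 443 precisely to blend in).
TOR_PORTS = {9001, 9030}

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: one forwarded client flow, one legitimate vendor
# check-in, two contacts to a Tor relay, one hit on a default Tor port, and
# one unexplained appliance-originated SSH connection.
SAMPLE_LOG = """\
2022-02-23T10:00:01Z src=10.0.0.25 dst=198.51.100.200 dport=443 proto=tcp
2022-02-23T10:00:05Z src=192.0.2.1 dst=198.51.100.10 dport=443 proto=tcp
2022-02-23T10:01:00Z src=192.0.2.1 dst=203.0.113.5 dport=443 proto=tcp
2022-02-23T10:02:00Z src=192.0.2.1 dst=203.0.113.5 dport=443 proto=tcp
2022-02-23T10:02:30Z src=192.0.2.1 dst=192.0.2.99 dport=9001 proto=tcp
2022-02-23T10:03:00Z src=192.0.2.1 dst=192.0.2.50 dport=22 proto=tcp
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def classify(event):
    """Return a severity-tagged finding for one parsed event, or None."""
    if event["src"] not in APPLIANCE_IPS:
        return None  # forwarded traffic; the appliance is not acting on its own
    if event["dst"] in VENDOR_ALLOWLIST:
        return None  # expected vendor check-in
    if event["dst"] in TOR_RELAYS:
        return "high: appliance contacted known Tor relay"
    if event["dport"] in TOR_PORTS:
        return "medium: appliance contacted default Tor port"
    return "low: appliance-originated connection outside vendor allowlist"


def scan(log_text):
    """Return a list of (timestamp, dst, dport, finding) for suspicious events."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        finding = classify(event)
        if finding:
            findings.append((event["ts"], event["dst"], event["dport"], finding))
    return findings


def repeated_destinations(findings, min_count=2):
    """Destinations the appliance contacted at least min_count times; repeated
    contact with the same non-vendor host is the beaconing pattern to escalate."""
    counts = Counter(dst for _, dst, _, _ in findings)
    return {dst for dst, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ts, dst, dport, finding in results:
        print(f"{ts} {dst}:{dport} {finding}")
    print("repeated:", repeated_destinations(results))
```

The allowlist check runs before the Tor checks so that a vendor endpoint is never flagged, and the "low" bucket exists because an implant delivered as a fake firmware update can reach its operators without touching Tor at all; any device-originated connection the vendor cannot account for deserves a look, with repeated contact to the same host as the escalation trigger.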
News URL: https://thehackernews.com/2022/02/us-uk-agencies-warn-of-new-russian.html