Security News > 2022 > April > FBI Shut Down Russia-linked "Cyclops Blink" Botnet That Infected Thousands of Devices
The U.S. Department of Justice announced that it neutralized Cyclops Blink, a modular botnet controlled by a threat actor known as Sandworm, which has been attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation.
"The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command-and-control of the underlying botnet," the DoJ said in a statement Wednesday.
In addition to disrupting its C2 infrastructure, the operation also closed the external management ports that the threat actor used to establish connections with the firewall appliances, effectively severing the connections and preventing the hacking group from using the infected devices to commandeer the botnet.
The March 22 court-authorized disruption of Cyclops Blink comes a little over a month after intelligence agencies in the U.K. and the U.S. described the botnet as a replacement framework for the VPNFilter malware that was exposed and sinkholed in May 2018.
Cyclops Blink, which is believed to have emerged as early as June 2019, primarily targeted WatchGuard firewall appliances and ASUS routers, with the Sandworm group leveraging a previously identified security vulnerability in WatchGuard's Firebox firmware as an initial access vector.
The company has since revised its Cyclops Blink FAQs to spell out that the vulnerability in question is CVE-2022-23176, which could "Allow an unprivileged user with access to Firebox management to authenticate to the system as an administrator" and gain unauthorized remote access.
News URL
https://thehackernews.com/2022/04/fbi-shut-down-russia-linked-cyclops.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-02-24 | CVE-2022-23176 | Unspecified vulnerability in Watchguard Fireware WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. | 8.8 |