The Cyclops Blink botnet has been disrupted
2022-04-07 09:02

"The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as 'bots,' the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices' control," the US DOJ stated.

The malware targeted networking devices by WatchGuard and ASUS. "These network devices are often located on the perimeter of a victim's computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks," the DOJ stated.

According to Attorney General Merrick B. Garland, the operation disabled the GRU's control over those devices before the botnet could be weaponized.

The two agencies consider the malware to be a replacement for the VPNFilter malware, previously used by the Sandworm group to rope various network devices into a botnet.

Because simply rebooting an infected device does not remove Cyclops Blink, owners of WatchGuard and ASUS devices are advised to check whether their devices have been compromised and, if so, to carry out the recommended set of actions to clean up the device and prevent reinfection.

"The operation announced today leveraged direct communications with the Sandworm malware on the identified C2 devices and, other than collecting the underlying C2 devices' serial numbers through an automated script and copying the C2 malware, it did not search for or collect other information from the relevant victim networks. Further, the operation did not involve any FBI communications with bot devices," the DOJ stated.
News URL

https://www.helpnetsecurity.com/2022/04/07/cyclops-blink-botnet-disrupted/