The Main Intelligence Directorate of the Russian Federation's Armed Forces (GRU) has been blamed by the US Department of Justice (DoJ) for controlling the Cyclops Blink modular botnet, which the DoJ has now neutralized.
DoJ: "The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command-and-control (C2) of the underpinning botnet."
The operation disrupted the C2 infrastructure and also closed the external management ports the threat actors used to connect to the firewall appliances, effectively severing the connection and preventing the group from using the infected devices to control the botnet.
Cyclops Blink was shut down by court order on March 22nd, just over a month after intelligence agencies in the UK and the US described it as a replacement framework for the VPNFilter malware that was exposed and sinkholed in May of last year.
It is widely believed that Cyclops Blink, which was first discovered in June 2019, was primarily targeting WatchGuard firewall appliances and ASUS routers, with the Sandworm group first exploiting a previously discovered security flaw in WatchGuard's Firebox firmware.
Cybersecurity firm Trend Micro suggested last month that the botnet may be an attempt to "build an infrastructure for further attacks on high-value targets."
By infecting computers on the network perimeter, Sandworm has the potential to spread to all computers on that network, according to the Department of Justice (DoJ).
WatchGuard noted that the issues were detected internally and not "actively found in the wild" but did not divulge any further information about the security flaw except to say that it was addressed as part of software updates released in May 2021.
"An unprivileged user with access to Firebox management can authenticate to the system as an administrator" and gain "unauthorized remote access," according to the company's Cyclops Blink FAQs, which have since been updated.
ASUS, for its part, has released firmware updates to counter the threat, starting on April 1, 2022.