
Russian Sandworm Hackers Built a Firewall Botnet


Any appearance of a new tool in the hands of Russia's notorious Sandworm hackers will alarm cybersecurity experts, given the group's record of high-impact cyberattacks. That US and UK agencies are warning of such a tool being found in the wild just as Russia prepares a potential large-scale invasion of Ukraine is cause for even greater concern.

On Wednesday, the UK's National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency released an advisory warning that they, along with the FBI and NSA, have detected a new form of network device malware being used by Sandworm, a group linked to several of the most destructive cyberattacks in history and believed to be part of the Russian military intelligence agency GRU.

The new malware, which the agencies are calling Cyclops Blink, has been found in firewall devices sold by network hardware company WatchGuard since at least June 2019. But the NCSC warns that it is "very likely" Sandworm would be able to compile the malware for other architectures and firmware, that it could have infected other popular network routers used in homes and businesses, and that "malware deployment also appears to be indiscriminate and widespread."

Joe Slowik, a longtime security researcher at Gigamon, said it remains unclear whether Sandworm has hacked the network devices for espionage, or is building up a network of compromised machines to use as relay infrastructure for future Sandworm operations. But given Sandworm's history of causing digital chaos, including wiping entire networks inside Ukrainian companies and government agencies, triggering blackouts by targeting electric utilities in Ukraine, and releasing the NotPetya malware, Slowik says that even an inconspicuous move by the hackers warrants vigilance, especially as another Russian invasion of Ukraine looms.

"It appears that Sandworm has continued its path of infiltrating relatively large networks of these devices for unknown purposes," said Slowik. "There are a number of options available to them, and given that it is Sandworm, some of those could cause concern and bleed into deny, degrade, disrupt and potentially destroy, although there is no proof of that yet."

CISA and the NCSC both describe the Cyclops Blink malware as the successor to an earlier Sandworm tool called VPNFilter, which infected half a million routers to form a global botnet before it was identified by Cisco and the FBI in 2018 and largely taken down. There is no indication that Sandworm has compromised nearly as many devices with Cyclops Blink. But like VPNFilter, the new malware acts as a foothold on network devices and lets the hackers download new functionality to infected machines, whether that means using them as proxies for forwarding command-and-control communications or targeting the networks where the devices are installed.

In its own analysis of the malware, WatchGuard wrote that the hackers were able to infect its devices through a vulnerability it patched in a May 2021 update. The hackers also appear to have used a flaw in the way WatchGuard devices verify the legitimacy of firmware updates to download their own firmware to the firewall device and install it, so that their malware can survive reboots. WatchGuard estimates that about 1 percent of its total installed firewalls have been infected, although it does not say how many devices that represents. The company has also released tools to detect infections on its firewalls and, if necessary, remove the malware and reinstall its software.
