Cyclops Blink Malware

Cyclops Blink Malware Description

Multiple cybersecurity agencies from the US and UK released a new joint security advisory detailing their findings on a malware threat tracked as Cyclops Blink. According to the report, the malware is believed to be associated with a Russian-backed cyberespionage group known as Sandworm. The same group has also been tracked as Voodoo Bear, BlackEnergy, and TeleBots, and is estimated to have been active for close to 20 years.

Cyclops Blink appears to be the successor to Sandworm's earlier malware, VPNFilter, which was publicly exposed back in 2018. The new threatening tool is designed to build a botnet out of compromised WatchGuard Firebox and similar network devices. The threat is being disseminated indiscriminately and in a widespread fashion.

Threatening Functions

Once established on a targeted device, Cyclops Blink provides the Sandworm hackers with backdoor access to the compromised network. The invasive features of the threat are delivered through purpose-built modules. Some of the most notable harmful functions of the malware include the ability to fetch additional files, exfiltrate chosen files, collect and transmit device information, and receive updates from the Command-and-Control (C2) server.

The techniques used by the Cyclops Blink to embed itself into the infected devices allow it to exploit legitimate firmware update channels. As a result, the threat can persist on the system through reboots and even throughout the official firmware update process.

WatchGuard published its own advisory where it states that approximately 1% of its active firewall devices may be impacted by the threat. All accounts on the breached systems should be presumed to be compromised, and the affected organizations should implement the necessary steps to disconnect the management interface of the network devices from the Internet.