The US Department of Justice (DoJ) announced that they have disabled Cyclops Blinkone botnet The module is controlled by a threat actor known as the Sandworm, which is believed to belong to the Main Intelligence Service of the General Staff of the Armed Forces of the Russian Federation (GRU).
“Operation copied and deleted malware from vulnerable internet-connected firewall devices that Sandworm used to command and control (C2) of the underlying botnet,” the DoJ said in a statement Wednesday.
In addition to disrupting the C2 infrastructure, this operation also closes the external management ports that the threat agent uses to establish connections with firewall devices, sever communications, and prevent attack groups. use infected devices to effectively control the botnet.
The court-sanctioned Cyclops Blink outage on March 22 comes more than a month after intelligence agencies in the UK and US described the botnet as an alternative framework to the VPNFilter malware that had been released. was exposed and sunk in May 2018.
Cyclops Blink, which is said to have appeared in early June 2019, mainly targeted WatchGuard firewall devices and ASUS routers, with the Sandworm team taking advantage of a pre-identified security vulnerability there in the WatchGuard Fire Mailbox firmware as the initial access vector.
A follow-up analysis by cybersecurity firm Trend Micro last month suggested the botnet is likely an attempt to “build the infrastructure for further attacks on high-value targets. ”
These network devices are typically located within the perimeter of the victim’s computer network, thus providing Sandworm with the ability to perform malicious activities against all computers in those networks.
Details of the vulnerability were never made public other than that the company addressed the issue as part of software updates released in May 2021, with WatchGuard noting to the contrary that the problems were detected internally and they were not “actively found in the wild.”
The company has since revised the Cyclops Blink FAQ to explain that the vulnerability in question is CVE-2022-23176 (CVSS score: 8.8), which could “allow users not to have the privilege of having access to Firebox management that authenticates with the system as administrator” and unauthorized remote access.
For its part, ASUS has been releasing firmware patches since April 1, 2022, to stop the threat, and recommends users to update to the latest version.