US and UK Warn of VPNFilter Successor “Cyclops Blink”

UK government security experts are warning of a sophisticated Russian malware campaign that has lain hidden for over two years.

Dubbed “Cyclops Blink” by the National Cyber Security Centre (NCSC), it is the likely successor to the infamous VPNFilter malware, traced to the Sandworm group.

This actor is thought to be part of the Russian GRU’s Main Centre for Special Technologies (GTsST) and has been linked to the destructive BlackEnergy campaign that targeted Ukrainian power plants in 2015, as well as the infamous NotPetya campaign of 2017, Industroyer, and disruptive attacks against Georgia and the 2018 Winter Olympics.

After VPNFilter was exposed in 2018, the group set about creating a new version, said the NCSC.

Cyclops Blink is designed to infect network devices – mainly small office/home office (SOHO) routers and network attached storage (NAS) devices – and to steal data and/or use the devices as a launchpad for further attacks.

“The malware itself is sophisticated and modular with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required,” the report revealed.

“Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update.’ This achieves persistence when the device is rebooted and makes remediation harder.”

The NCSC claimed deployment of the malware had so far been “indiscriminate and widespread,” with WatchGuard devices mainly targeted, although this could certainly change in the future.

Organizations that find evidence of infection may not be the intended primary target but merely a staging post from which to launch attacks on others, the agency added.

It urged organizations to deploy multi-factor authentication (MFA), grow user awareness of phishing, enhance patch management, improve detection of intrusions and lateral movement and ensure network device management interfaces aren’t connected to the internet.

The advisory was published in concert with the US Cybersecurity and Infrastructure Security Agency (CISA), the NSA and the FBI.

Digital Shadows CISO Rick Holland argued that compromised devices may have been used to launch recent DDoS attacks on Ukraine.

“Russia didn't just decide to invade Ukraine this week; military planners have prepared for this campaign years in advance,” he added. “Disinformation, false flags, DDoS attacks, and destructive wiper malware are a part of Russian military doctrine. The battle plans have been drawn up and are now being executed.”
