Russia’s most cutthroat hackers infect network devices with new botnet malware | Ars Technica
The Russian government's Sandworm group uses previously unseen Cyclops Blink.
DAN GOODIN - 2/23/2022, 7:33 PM
Hackers for one of Russia’s most elite and brazen spy agencies have infected home and small-office network devices around the world with a previously unseen malware that turns the devices into attack platforms that can steal confidential data and target other networks.
Cyclops Blink, as the advanced malware has been dubbed, has infected about 1 percent of network firewall devices made by network device manufacturer WatchGuard, the company said on Wednesday. The malware is able to abuse a legitimate firmware update mechanism found in infected devices in a way that gives it persistence, meaning the malware survives reboots.
Like VPNFilter, but stealthier
Cyclops Blink has been circulating for almost three years and replaces VPNFilter, the malware that in 2018 researchers found infecting about 500,000 home and small office routers. VPNFilter contained a veritable Swiss Army knife that allowed hackers to steal or manipulate traffic and to monitor some SCADA protocols used by industrial control systems. The US Department of Justice linked the hacks to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, typically abbreviated as the GRU.
With VPNFilter exposed, Sandworm hackers built a new malware for infecting network devices. Like its predecessor, Cyclops Blink has all the trappings of professionally developed firmware, but it also has new tricks that make it stealthier and harder to remove.
“The malware itself is sophisticated and modular with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed,” officials with the UK’s National Cyber Security Center wrote in an advisory. “There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.”
Holding the WatchGuard hostage
So far, the advisory stated, Sandworm has “primarily” used the malware to infect network devices from WatchGuard, but the hackers are likely able to compile it to run on other platforms as well. The malware gains persistence on WatchGuard devices by abusing the legitimate process the devices use to receive firmware updates.
The malware starts by copying firmware images stored on the device and modifying them to include malicious functionality. Cyclops Blink then manipulates an HMAC value used to cryptographically prove the image is legitimate so devices will run it. The process looks like this:
[Diagram: NCSC]
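The HMAC check described above binds a firmware image only to whoever holds the MAC key, so a modifier that can reach that key can re-tag an altered image and pass the same check that rejects an unkeyed edit. The following is an added example, not code from the article, NCSC or WatchGuard: it uses a toy image format constructed here (length header, payload, HMAC-SHA256 tag) to contrast the two cases, which is why firmware verification is normally designed around an asymmetric signature whose signing key never lives on the device.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed toy image layout for illustration only (not WatchGuard's format):
#   4-byte big-endian payload length | payload | 32-byte HMAC-SHA256 tag
TAG_LEN = 32

def build_image(key: bytes, payload: bytes) -> bytes:
    """Vendor side: authenticate the length-prefixed payload under `key`."""
    body = struct.pack(">I", len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_image(key: bytes, image: bytes) -> bool:
    """Device side: check the header, recompute the tag, compare in constant time."""
    if len(image) < 4 + TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    (length,) = struct.unpack(">I", body[:4])
    if length != len(body) - 4:
        return False
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)

def patch_payload(image: bytes, extra: bytes, key: Optional[bytes]) -> bytes:
    """Model an on-device modifier appending `extra` to the payload.
    Without the key it can only carry the old tag over; with the key it re-tags."""
    body = image[:-TAG_LEN]
    (length,) = struct.unpack(">I", body[:4])
    new_payload = body[4:4 + length] + extra
    if key is None:
        return struct.pack(">I", len(new_payload)) + new_payload + image[-TAG_LEN:]
    return build_image(key, new_payload)

def demo() -> dict:
    """Verification outcome for an untouched image and the two tamper cases."""
    vendor_key = b"constructed-vendor-key"  # constructed value, not a real key
    image = build_image(vendor_key, b"legitimate firmware bytes")
    return {
        "original": verify_image(vendor_key, image),
        "tampered_without_key": verify_image(vendor_key, patch_payload(image, b"<extra>", None)),
        "tampered_with_device_key": verify_image(vendor_key, patch_payload(image, b"<extra>", vendor_key)),
    }
```

The third result is the design lesson: a verifier whose key must be present on the device cannot distinguish the vendor's image from one re-tagged by whoever controls the device.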
The malware contains a hard-coded RSA public key, which is used for C2 communications, as well as a hard-coded RSA private key and X.509 certificate. But they don’t appear to be actively used within the samples analyzed by the UK officials, making it possible that they’re intended to be used by a separate module.
Cyclops Blink uses the OpenSSL cryptography library to encrypt communications underneath encryption provided by TLS.
Wednesday’s advisory stated:
Each time the malware beacons it randomly selects a destination from the current list of C2 server IPv4 addresses and hard-coded list of C2 ports. Beacons consist of queued messages containing data from running modules. Each message is individually encrypted using AES-256-CBC. The OpenSSL_EVP_SealInit function is used to randomly generate the encryption key and IV for each message, and then encrypt them using the hard-coded RSA public key. The OpenSSL_RSA_public_decrypt function is used to decrypt tasking, received in response to beacons, using the hard-coded RSA public key.
Other new measures for stealth include use of the Tor privacy network to conceal the IP addresses used by the malware. UK officials wrote:
Victim devices are organised into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses (T1008). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) (T1071.001), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network:
[Diagram: NCSC]
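The C2 behaviour quoted above (a destination picked at random from a list of IPv4 addresses, a small hard-coded set of ports, TLS initiated by the appliance itself) gives a defender something concrete to look for in a firewall's own egress rather than in the traffic it forwards. The following is an added example, not part of the article or the NCSC advisory, that runs such a check over constructed flow records; the device names, addresses (documentation ranges), ports, timings and the allowlist of expected vendor endpoints are all made up for the illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of connections originated by the appliances themselves.
# Format per line: timestamp src dst dport
SAMPLE_FLOWS = """
2022-02-20T10:00:03Z fw-edge 198.51.100.23 4443
2022-02-20T10:31:12Z fw-edge 203.0.113.9 8443
2022-02-20T11:02:48Z fw-edge 198.51.100.77 4443
2022-02-20T11:33:05Z fw-edge 203.0.113.9 4443
2022-02-20T12:04:39Z fw-edge 192.0.2.140 8443
2022-02-20T12:35:21Z fw-edge 198.51.100.23 8443
2022-02-20T10:00:10Z fw-branch 192.0.2.10 443
2022-02-20T16:00:11Z fw-branch 192.0.2.10 443
2022-02-20T22:00:09Z fw-branch 192.0.2.11 443
"""

# Constructed allowlist standing in for the vendor's update/licensing endpoints.
EXPECTED_DESTINATIONS = {"192.0.2.10", "192.0.2.11"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)$")

def parse_flows(text: str) -> List[dict]:
    """Parse the constructed flow format; malformed lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append({"ts": m[1], "src": m[2], "dst": m[3], "dport": int(m[4])})
    return flows

def find_rotating_beacons(flows: List[dict], min_dsts: int = 3,
                          max_ports: int = 3, min_flows: int = 5) -> Dict[str, dict]:
    """Flag an appliance whose own egress rotates across several unexpected
    destinations while reusing a small fixed set of ports."""
    per_src = defaultdict(list)
    for f in flows:
        if f["dst"] not in EXPECTED_DESTINATIONS:
            per_src[f["src"]].append(f)
    findings = {}
    for src, fl in per_src.items():
        dsts = {f["dst"] for f in fl}
        ports = {f["dport"] for f in fl}
        if len(fl) >= min_flows and len(dsts) >= min_dsts and len(ports) <= max_ports:
            findings[src] = {"destinations": sorted(dsts), "ports": sorted(ports), "flows": len(fl)}
    return findings
```

Thresholds are deliberately loose for the sample; in practice they are tuned to the appliance's known egress, and the flagged destinations are then checked against the vendor's published indicators.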
WatchGuard said it retained security firm Mandiant to investigate the infections and has also been working with law enforcement.
“WatchGuard has concluded, based on our own investigation, an investigation conducted jointly with Mandiant, and information provided by the FBI, that there is no evidence of data exfiltration from WatchGuard or its customers, and firewall appliances are not at risk if they were never configured to allow unrestricted management access from the Internet,” company officials wrote. The document also includes a list of indicators WatchGuard customers can use to detect infections and steps they can take to disinfect their equipment.
In a FAQ, WatchGuard said the initial vector used to infect devices was an already patched but otherwise unidentified vulnerability that was reachable only when admins had changed default settings to allow unrestricted management access. The FAQ stated:
Following a thorough investigation, WatchGuard believes that the threat actor used a previously identified and patched vulnerability that was accessible only when firewall appliance management policies were configured to allow unrestricted management access from the Internet. This vulnerability was fully addressed by security fixes that started rolling out in software updates in May 2021. WatchGuard’s own investigation, as well as an assessment conducted by Mandiant, did not find evidence the threat actor exploited a different vulnerability.
The vulnerability was fixed in the following versions of Fireware, the OS that runs the WatchGuard firewall appliances: v12.7 Update 1, v12.7.2 Update 1 or later, v12.5.7 Update 3 or later, and v12.1.3 Update 5 or later. The company FAQ warned that, if management policies were configured to allow unrestricted management access from external IP addresses before installing these releases, the hardware remains vulnerable to infection.
Sandworm is among the world’s most advanced—not to mention cutthroat—outfits and has been behind almost two decades of ambitious and destructive cyberattacks. Examples include:
Hacks in 2015 and 2016 that triggered power outages in Ukraine
The unleashing of NotPetya, a data-wiping worm that spread around the world in a matter of hours and cost governments and businesses tens of billions of dollars in damages
A malware attack in early 2018 that shut down key parts of the Winter Olympics
WIRED journalist Andy Greenberg in 2019 published Sandworm, a book that chronicles the hacks and the geopolitical tensions they exploit. Wednesday’s advisory said that Cyclops Blink has the potential to infect a large number of devices.
“In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread,” UK officials wrote. “The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.”