[MART] - Daily Diary #487 - FBI Operation Targets Cyclops Blink

CTAS-MAT ctas-mat at appgate.com
Thu Apr 7 18:41:23 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

04/07/2022 - Diary entry #487

First reported in February 2022, Cyclops Blink is a botnet that targets network edge devices (WatchGuard firewall appliances and ASUS routers). It is attributed to the Russian APT group Sandworm (a.k.a. Voodoo Bear).

The malware is modular and written in C. Once a device is compromised, the implant is written into the device's flash memory as part of a modified firmware image, so it survives reboots and legitimate firmware updates. Its ultimate objective is still unknown, but Cyclops Blink lets the C2 server push additional modules to infected devices, so the botnet could be used for espionage, DDoS attacks, lateral movement, and many other malicious purposes.

This week the FBI, in a court-authorized operation carried out with WatchGuard's cooperation, disrupted Cyclops Blink's network of infected devices. Internet-connected devices in the US that the botnet used as C2 nodes were accessed, had the malware removed, and had the exposed management ports the attackers relied on closed.

On April 1st this year, ASUS released a firmware update that blocks Cyclops Blink, together with an advisory listing recommended security measures. WatchGuard likewise published a list of recommendations for remediating infected devices and avoiding reinfection.

We strongly recommend that anyone running ASUS or WatchGuard devices update their firmware to be protected against new Cyclops Blink campaigns or similar malware. Even after this week's action, variants of the attack may still be active, and, as we have seen with Emotet, a takedown rarely disrupts a botnet completely; it may well resurface soon.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>

