Cyclops Blink malware affects WatchGuard network devices, CISA warns

CISA and UK’s NCSC attribute the new malware exploit framework to Russia’s Sandworm group

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has posted a new alert in conjunction with its U.K. counterpart, the National Cyber Security Center (NCSC) to identify a new malware called Cyclops Blink. The malware, for now, limits its exploits to firewall network devices for businesses made by WatchGuard Technologies.

“The NCSC, CISA, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s Russian (GRU’s) Main Centre for Special Technologies (GTsST),” said CISA.

Sandworm, or Russian Bear, has been pinpointed as the cause for the BlackEnergy disruption of Ukraine’s power grid in 2015, along with other malware like Industroyer, NotPetya, and disruptive attacks against the republic of Georgia and attacks against Winter Olympics and Paralympics events as well.

Cyclops Blink is described as “a large-scale modular malware framework” that may be a replacement for VPNFilter, which was first exposed in 2018. VPNFilter exploited Network Attached Storage (NAS) and router devices aimed at small office/home office (SOHO) installations. 

While CISA advises that the problem is limited for now to some WatchGuard firewall network devices used in businesses, CISA warns that Sandworm has the ability to scale this elsewhere too.

“The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware,” said CISA.

Only a small number of devices affected, advises the manufacturer

“WatchGuard has worked closely with the FBI, CISA, NSA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed,” said CISA.

WatchGuard estimates that about 1% of its active firewall appliances may be affected by the issue. The company said only firewall appliances configured to allow unrestricted access from the internet are affected; that setting is not the default for its physical firewall appliances, WatchGuard noted.

WatchGuard in a statement also noted that there is no evidence either of data exfiltration using this exploit, nor is there evidence of its own networks having been affected or breached.

WatchGuard said it has developed and released a set of Cyclops Blink detection tools and has created a mitigation strategy for customers in coordination with authorities.

Comments are closed.