An infection by Cyclops Blink could lead to a full network device compromise, allowing a malicious threat actor to abuse the device to complete other malicious objectives at a later stage.
On the 23rd of February 2022, the NCSC-UK, US-CISA, FBI and NSA jointly issued a warning regarding a new piece of malware called Cyclops Blink serving as the replacement for the VPNFilter malware which was first exposed in 2018. Due to the similarity in the capabilities of the malware and the associated tactics, techniques and procedures (TTPs) observed, Cyclops Blink has been attributed to the APT group known as Sandworm or Voodoo Bear.
According to the warning, Cyclone Blink has been widely and indiscriminately deployed like VPNFilter, but primarily on WatchGuard devices. It is however likely that Sandworm would be capable of re-compiling the malware for other architectures to target other network devices.
WatchGuard has in collaboration with the aforementioned organisations released detection and remediation guidance in case WatchGuard devices are infected with Cyclops Blink.
Owners of a WatchGuard device should also have received an e-mail from WatchGuard regarding Cyclops Blink.
In case you use networking equipment from a different vendor, the following general mitigation actions should be followed:
- Reduce exposure of network management ports/interfaces from the internet.
- Implement multi-factor authentication where possible. Use complex and unique passwords. Password re-use should be avoided as much as possible.
- Monitor your network devices, and activate additional security services on these devices (eg. IDS/IPS, botnet protection, anti-malware services, etc..) if possible.
- Keep the network devices up to date.
- If a network device is found to be compromised, a full factory reset, including a firmware reset of the device is recommended.
Additional indicators of compromise can be found in the malware analysis report by NCSC-UK below.