Hackers for one of Russia’s most elite and brazen spy agencies have infected home and small-office network devices around the world with a previously unseen malware that turns the devices into attack platforms that can steal confidential data and target other networks.
Cyclops Blink, as the advanced malware has been dubbed, has infected about 1 percent of network firewall devices made by network device manufacturer WatchGuard, the company said on Wednesday. The malware is able to abuse a legitimate firmware update mechanism found in infected devices in a way that gives it persistence, meaning the malware survives reboots.
Like VPNFilter, but stealthier
Cyclops Blink has been circulating for almost three years and replaces VPNFilter, the malware that in 2018 researchers found infecting about 500,000 home and small office routers. VPNFilter contained a veritable Swiss Army knife that allowed hackers to steal or manipulate traffic and to monitor some SCADA protocols used by industrial control systems. The US Department of Justice linked the hacks to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, typically abbreviated as the GRU.
With VPNFilter exposed, Sandworm hackers built a new malware for infecting network devices. Like its predecessor, Cyclops Blink has all the trappings of professionally developed firmware, but it also has new tricks that make it stealthier and harder to remove.
“The malware itself is sophisticated and modular with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed,” officials with the UK’s National Cyber Security Center wrote in an advisory. “There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.”
Holding the WatchGuard hostage
So far, the advisory stated, Sandworm has “primarily” used the malware to infect network devices from WatchGuard, but the hackers are likely able to compile it to run on other platforms as well. The malware gains persistence on WatchGuard devices by abusing the legitimate process the devices use to receive firmware updates.
The malware starts by copying firmware images stored on the device and modifying them to include malicious functionality. Cyclops Blink then manipulates an HMAC value used to cryptographically prove the image is legitimate so devices will run it. The process looks like this:
The malware contains a hard-coded RSA public key, which is used for C2 communications, as well as a hard-coded RSA private key and X.509 certificate. But they don’t appear to be actively used within the samples analyzed by the UK officials, making it possible that they’re intended to be used by a separate module.
Cyclops Blink uses the OpenSSL cryptography library to encrypt communications underneath encryption provided by TLS.
Wednesday’s advisory stated:
Each time the malware beacons it randomly selects a destination from the current list of C2 server IPv4 addresses and hard-coded list of C2 ports. Beacons consist of queued messages containing data from running modules. Each message is individually encrypted using AES-256-CBC. The OpenSSL_EVP_SealInit function is used to randomly generate the encryption key and IV for each message, and then encrypt them using the hard-coded RSA public key. The OpenSSL_RSA_public_decrypt function is used to decrypt tasking, received in response to beacons, using the hard-coded RSA public key.
Other new measures for stealth include use of the Tor privacy network to conceal the IP addresses used by the malware. UK officials wrote:
Victim devices are organised into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses (T1008). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) (T1071.001), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network: