The United States Department of Justice has just announced the dismantling of Cyclops Blink, a botnet that has given FBI cybersleuths a lot of trouble. It is actually the successor to VPNFiltera malware attributed to the Sandworm group, which had infected more than 500,000 servers and NAS in 2018.
According to the US government, Sandworm is an offshoot of the Russian military intelligence service GRU. With the help of the private sector, the FBI had succeeded in detecting and neutralizing VPNFilter, which probably caused its replacement by Cyclops Blink.
This new generation, for once, is much more sophisticated. It primarily attacks WatchGuard firewalls and Asus Wi-Fi routers to deploy a two-stage botnet.
First there is a first set of infected equipment. They are directly controlled by Sandworm hackers, and act as Command and Control (C&C) servers for a second set of infected devices, in this case the “bots”.
Law enforcement remains fairly discreet about the extent of this botnet. The Department of Justice talks about “thousands” of bots spread all over the world.
On reading the search warrant, the C&C servers would be a few dozen, but certain passages have been blacked out. As of February 23, the suppliers issued an alert and patches, but without much success.
the malware relies on the process of updating the firmware to stay persistent. Performing an automatic restart or update is not enough: you have to install the patch manually. After one month, only 39% of infected equipment has been sanitized.
Also see video:
The US government therefore took the bull by the horns. FBI agents analyzed a copy of the malware and managed to find a way to take control of it remotely.
With the court’s approval, they therefore connected to known infected C&C equipment, removed Cyclops Blink and locked access ports to prevent the Russian hackers from returning. A rather radical and intrusive solution, insofar as the forces of order break into private equipment.
It is however specified that no data is collected by the agents, except the serial number. As far as possible, the owners were also informed of this action, before and after the operation. The bots, on the other hand, were not affected and are therefore still infected. But it’s a lesser evil, because the C&C layer no longer exists.
Source : US Department of Justice