Search This Blog

US Agencies Disables Russia-linked "Cyclops Blink" Botnet

The botnet exploited thousands of devices.


The US Department of Justice (DoJ), working alongside the FBI and various other authorities, has successfully neutralized Cyclops Blink, a modular botnet operated by a malicious group known as Sandworm, which has been linked to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). 

In the court-authorized operation, the US agencies copied and removed malware from susceptible internet-linked firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying compromised devices worldwide, the DoJ said the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices' control. 

 Cyclops Blink, which is believed to be the successor to VPNFilter, a botnet largely neglected after it was exposed by security experts in 2018 primarily targeted WatchGuard firewall appliances and ASUS routers, with the Sandworm group exploiting a previously discovered security loophole in WatchGuard's Firebox firmware as an initial access vector. 

"These network devices are often located on the perimeter of a victim's computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks," the DoJ added. 

WatchGuard Technologies issued a statement confirming it worked with the U.S. Justice Department to disrupt the botnet but did not disclose the number of devices affected - saying only that they represented "less than 1 percent of WatchGuard appliances.” 

The device manufacturer has published detection and remediation tools alongside recommendations for device owners to remove any malware infection and patch their devices to the latest versions of available firmware. 

The company has also updated its Cyclops Blink FAQs to provide details regarding CVE-2022-23176 (CVSS score: 8.8), which could "allow an unprivileged user with access to Firebox management to authenticate to the system as an administrator" and gain unauthorized remote access. Device manufacturer ASUS has also released firmware patches as of April 1, 2022, to mitigate the threat, recommending users to update to the latest version.
Share it:



Russian Botnet

US Agencies