The malicious file hash values and IP addresses have been blocked in client's environments managed by Ascend Technologies. We are continuing to monitor the situation in Russia and Ukraine and will create additional advisories for emerging cyberthreats as they develop.
If any suspicious activity is detected, we will reach out to the appropriate contacts and inform them of the detected activity.
Posted Mar 01, 2022 - 11:25 CST
Monitoring
Emerging Russian State Threat “Sandworm” launches new malware attack - Cyclops Blink
Source: UK National Cyber Security Centre
The UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) in the US have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to here as Cyclops Blink. The NCSC, CISA, FBI and NSA have previously attributed the Sandworm actor to the Russian GRU’s Main Centre for Special Technologies GTsST.
Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network attached storage (NAS) devices.
VPNFilter was deployed in stages, with most functionality in the third-stage modules. These modules enabled traffic manipulation, destruction of the infected host device, and likely enabled downstream devices to be exploited. They also allowed monitoring of Modbus SCADA protocols, which appears to be an ongoing requirement for Sandworm, as also seen in their previous attacks against ICS networks.
The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.
The NCSC has provided a list of Indicators of Compromise (IoC). Ascend Technologies has pushed the detection ability of the known IOCs across our EDR, SIEM, and anti-malware platforms. These IOCs include IPs and hash values which will give us the ability to detect and alert. We have also insured Geofencing is enabled on all of our managed firewalls to prevent malicious connections from Ukraine and Russia.
Ascend Technologies is continuing to monitor the recent developments in the Russia and Ukraine conflict from a Cyber Threat perspective. We will continue to update you regarding emerging cybersecurity threats as they develop.