Russia’s Sandworm Hackers Have Built a Botnet of Firewalls

Credit to Author: Andy Greenberg| Date: Wed, 23 Feb 2022 20:36:40 +0000

To revist this article, visit My Profile, then View saved stories.

To revist this article, visit My Profile, then View saved stories.

Any appearance of a new tool used by Russia's  notorious, disruptive Sandworm hackers will raise the eyebrows of cybersecurity professionals braced for high-impact cyberattacks. When US and UK agencies warn of one such tool spotted in the wild just as Russia prepares a potential mass-scale invasion of Ukraine, it's enough to raise alarms.

On Wednesday, both the UK National Cybersecurity Center and the US's Cybersecurity and Infrastructure Security Agency released advisories warning that they—along with the FBI and NSA–have detected a new form of network device malware being used by Sandworm, a group tied to some of the most destructive cyberattacks in history and believed to be a part of Russia's GRU military intelligence agency

The new malware, which the agencies call Cyclops Blink, has been found in firewall devices sold by networking hardware company Watchguard since at least June 2019. But the NCSC warns that “it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware," that it may have already infected other common network routers used in homes and businesses, and that the malware's “deployment also appears indiscriminate and widespread.”

It remains unclear whether Sandworm has been hacking network devices for purposes of espionage, building out its network of hacked machines to use as communications infrastructure for future operations, or targeting networks for disruptive cyberattacks, says Joe Slowik, a security researcher for Gigamon and a longtime tracker of the Sandworm group. But given that Sandworm's past history of inflicting digital chaos includes destroying entire networks inside Ukrainian companies and government agencies, triggering blackouts by targeting electrical utilities in Ukraine, and releasing the NotPetya malware there that spread globally and cost $10 billion in damage, Slowik says even an ambiguous move by the hackers merits caution—particularly as another Russian invasion of Ukraine looms.

“It definitely seems like Sandworm has continued the path of compromising relatively large networks of these devices for purposes unknown,” Slowik says. “There are a number of options available to them, and given that it's Sandworm, some of those options could be concerning, and bleed into deny, degrade, disrupt, and potentially destroy, though there's no evidence of that yet.”

CISA and the NCSC both describe the Cyclops Blink malware as a successor to an earlier Sandworm tool known as VPNFilter, which infected half a million routers to form a global botnet before it was identified by Cisco and the FBI in 2018 and largely dismantled. There's no sign that Sandworm has taken control of nearly that many devices with Cyclops Blink. But like VPNFilter, the new malware serves as a foothold on network devices and would allow the hackers to download new functionality to infected machines, whether to enlist them as proxies for relaying command-and-control communications or targeting the networks where the devices are installed.

In its own analysis of the malware, Watchguard writes that the hackers were able to infect its devices via a vulnerability it patched in a May 2021 update, which even before then would have only offered an opening when a control interface for the devices was exposed to the internet. The hackers also appear to have used a vulnerability in how Watchguard devices verify the legitimacy of firmware updates, downloading their own firmware to the firewall devices and installing it so that their malware can survive reboots. Watchguard estimates that about 1 percent of its total number of installed firewalls were infected, though it didn't give a total number for how many devices that represented. Watchguard also released tools to detect infections on its firewalls and, if necessary, wipe and reinstall their software.

The NCSC notes on its website that its advisory about Cyclops Blink is “not directly linked to the situation in Ukraine.” But even without an immediate link to the unfolding conflict in the region, signs that Russia's hyper-aggressive GRU hackers have built a new botnet of network devices serve as a timely wake-up call. Last week, White House officials warned that a series of distributed denial of service attacks that hit Ukrainian government, military, and corporate networks were the work of the GRU. A new round of those DDoS attacks on Ukrainian targets started again on Wednesday, along with data wiper malware that security firm ESET says was installed in “hundreds of machines” in the country. And last month a fake ransomware campaign struck Ukrainian networks, with troubling similarities to Sandworm's NotPetya cyberattack in 2017, which posed as ransomware as it shut down hundreds of networks in Ukraine and around the world. As Russia has surrounded Ukraine's borders with troops and declared the independence of two separatist groups within Ukrainian territory, fears have mounted that new, mass-scale cyberattacks will accompany any physical invasion.

That means network administrators—and even home users of Watchguard devices—should look for signs of Cyclops Blink on their devices and deal with any infections immediately, even if it means yanking them off the network, argues Craig Williams, a former Cisco security researcher who worked on the VPNFilter investigation. “Identify compromised devices and unplug them,” he wrote on Twitter Wednesday. “Help stop Russian cyber weapons.”

Even if that infected box in your server closet isn't targeting your network, in other words, it might be enabling digital mayhem targeting someone else's, halfway around the world.

https://www.wired.com/category/security/feed/