Flash Notice: [New Malware] - CISA Warns of Renewed Russian Threat as New Activity is Seen in Ukraine

February 24, 2022

Overview

Cyclops Blink - A new sandworm malware named Cyclops Blink, used by threat actor Sandworm (also known as Voodoo Bear) has been identified by the United Kingdom's (UK) National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI).

Sandworm was previously linked to the Russian General Staff Main Intelligence Directorate’s Russian (GRU’s) Main Center for Special Technologies – Russia’s military intelligence division. Sandworm was responsible for several devastating cyber-attacks including: NotPetya in 2017, the BlackEnergy disruption of Ukrainian electricity in 2015, Industroyer in 2016, attacks against the Winter Olympics and Paralympics in 2018, and a series of disruptive attacks against Georgia in 2019.

According to CISA, the Sandworm malware was first exposed in 2018 and Cyclops Blink appears to be a replacement framework for the VPNFilter malware that was exposed at that time. The VPNFilter malware exploited network devices, mostly in small office/home office (SOHO) routers, as well as network-attached storage (NAS) devices. In 2018, Cisco Talos reported that the VPNFilter was deployed in stages, with most functionality being in the third-stage modules.

Today, researchers reported that Cyclops Blink has been deployed in the wild since 2019 and is targeting network devices - deploying malware that uses a modular structure, allowing operators to deploy second-stage payloads to infected devices. The report does not mention how the malware is deployed or the details regarding the second-stage module capabilities.

CISA describes the malware as sophisticated, and deployment appears to be indiscriminate and widespread. So far, Cyclops Blink has been deployed to WatchGuard devices. CISA notes that only WatchGuard devices that were reconfigured from the manufacturer's default settings to open remote management interfaces to external access could be infected.

HermeticWiper - A few hours ago, ESET and Broadcom’s Symantec discovered a new data wiper (HermeticWiper) being deployed on Ukraine’s computer networks. The wiper is similar to WhisperGate and ESET believes the attack may have been in the works for almost two months.

ESET reports that the wiper binary is signed using a code signing certificate. Additionally, HermeticWiper abuses legitimate drivers from EaseUS Partition Master software to corrupt data before finally rebooting the computer. When ESET analyzed one of the victims, they observed that the wiper was dropped via the default (domain policy) GPO – indicating the threat actors took control of the Active Directory server.

The Ukrainian government has not confirmed or denied the current cyber attacks, therefore, this story is still developing.

Tension between Russia and Ukraine is at an all-time high, and while there are no credible threats to the U.S. at the moment, there is still a possibility that the U.S. could be affected in some way. CISA has issued a “Shields Up” public service announcement to help keep your organization prepared.

How Avertium is Protecting Our Customers:

If your organization has ties to Ukraine, you should consider how to isolate and monitor those connections to protect your organization from potential collateral damage.

We offer EDR endpoint protection through SentinelOne, Sophos, and Microsoft Defender.

SentinelOne prevents threats and extends protection from the endpoint to beyond. Find threats and eliminate blind spots with autonomous, real-time, index-free threat ingestion and analysis that supports structured, unstructured, and semi-structured data.
Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
To identify the source of your breach and the scope that it reached; you’ll want to include Avertium’s DFIR services in your protection plan. We offer DFIR (Digital Forensics and Incident Response) to mitigate damage from a successful breach.

Avertium's recommendations

According to CISA, Cyclops Blink persists on reboot and throughout the legitimate firmware update process. This means that restarting a device or resetting a device to factory settings, won’t remove the malware without a complete re-imaging of the infected device. To mitigate, CISA and WatchGuard recommend the following:

CISA, NSA, FBI, and the NCSC have worked closely with WatchGuard to provide the appropriate tools and guidance to enable detection and remove Cyclops Blink on WatchGuard devices. Guidance from WatchGuard can be found here. If you have a WatchGuard device, it is highly recommended that you visit the link.
If your device is identified as infected with Cyclops Blink, you should assume that any passwords present on the device have been compromised and replace them (see NCSC password guidance for organizations).
You should ensure that the management interface of network devices is not exposed to the internet.

Because HermeticWiper is similar to WhisperGate, CISA’s recommendations still apply:

Regularly Review Your Cyber Hygiene

- Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA's guidance.

Quickly Detect a Potential Intrusion

- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior.
- Enable logging in order to better investigate issues or events.
- Confirm that the organization's entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.

Prepare to Respond if an Intrusion Occurs

- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/ responsibilities within the organization, including technology, communications, legal, and business continuity.
- Assure availability of key personnel; identify means to provide surge support for responding to an incident.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Maximize Your Organization’s Resilience to a Destructive Cyber Incident

- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.