More often than not, such botnets are used to carry out DDoS attacks but in Cyclops Blink’s case, the motives are less obvious.
#Ubiquiti device discovery tool contains malware software#
Internet routers have been a favorite target for building out botnets for many years, thanks to “infrequency of patching, the lack of security software and the limited visibility of defenders” when it comes to these devices, as Trend Micro put it. “Sandworm was also responsible for…the 20 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, the 2017 French presidential campaign, the 2018 Olympic Destroyer attack on the Winter Olympic Games and a 2018 operation against the Organization for the Prohibition of Chemical Weapons (OPCW),” researchers noted in a Thursday analysis. Voodoo Bear or TeleBots), according to Trend Micro – the same group that’s been linked to a host of very high-profile state-sponsored attacks, as well as the VPNFilter internet-of-things (IoT) botnet.
Typical countries of infected WatchGuard devices and ASUS routers are the United States, India, Italy, Canada and a long list of other countries, including Russia.” A Sinister Purpose?Ĭyclops Blink is the handiwork of the Russian-speaking Sandworm APT (a.k.a.
“Our investigation shows that there are more than 200 Cyclops Blink victims around the world. “Our research was carried out on the RT-AC68U, but other ASUS routers such as RT-AC56U might be affected as well,” researchers said. Now, to further its goal of widescale infections, ASUS routers are now on the menu, Trend Micro noted, with the latest variant incorporating a fresh module tailored to the vendor’s devices. “For example, some of the live command-and-control servers (C2s) are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States.”Ĭyclops Blink itself has been around since 2019, initially looking to infect WatchGuard Firebox devices according to a February analysis (PDF) performed by the UK’s National Cyber Security Centre (NCSC). “It should be noted that these victims do not appear to be evidently valuable targets for either economic, military or political espionage,” according to the firm’s analysis. While that’s out of step with typical APT behavior, researchers said that it’s likely the botnet will be used as persistent infrastructure for mounting further attacks on high-value targets, and as such, should be indiscriminately distributed for maximum effect. That’s the word from Trend Micro researchers, who noted that Cyclops Blink casts a wide net in terms of the owners of the devices it chooses to infect, with no specific focus on high-value government or diplomatic entities. The modular botnet known as Cyclops Blink, linked to the same advanced persistent threat (APT) behind the NotPetya wiper attacks, is expanding its device targeting to include ASUS routers.įurther, it’s likely that the botnet’s purpose is far more sinister than the average Mirai-knockoff’s penchant for distributed denial-of-service (DDoS) attacks.
0 kommentar(er)
