In May 2018, Cisco Talos released a report on the VPNFilter malware. VPNFilter targeted devices from several well-known vendors, compromising routers and network storage devices through backdoor accounts. More recently, the U.S. and U.K. cybersecurity agencies disclosed that the threat actor known as Sandworm (also tracked as Voodoo Bear) is using a new malware called Cyclops Blink.
The same actor has been publicly blamed for the following activities:
BlackEnergy disruption of Ukrainian electricity in 2015
Industroyer in 2016
NotPetya in 2017
Winter Olympics and Paralympics attacks in 2018
Disruptive attacks against Georgia in 2019
Cyclops Blink appears to be a replacement framework for VPNFilter. According to the joint advisory from the National Cyber Security Centre (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA), it is a large-scale, modular malware framework that targets WatchGuard network devices. The NCSC also stressed that even if your organization is not the primary target, your compromised devices can be used as infrastructure to attack the actor's real targets.
Affected organizations and device owners should follow WatchGuard's diagnosis and remediation steps to remove the malware. If your device is infected with Cyclops Blink, take the following steps:
Replace your old passwords
Do not expose the management interface of your network devices to the internet