
Cyclops Blink

Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus. Cyclops Blink is assessed to be a replacement for VPNFilter, a similar platform targeting network devices.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)
ID: S0687
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 03 Mar 2022
Last Modified: 15 Aug 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Cyclops Blink can download files via HTTP and HTTPS.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022)

Enterprise T1037 .004 Boot or Logon Initialization Scripts: RC Scripts

Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled.(Citation: NCSC Cyclops Blink February 2022)

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

Cyclops Blink can use a custom binary scheme to encode messages with specific commands and parameters to be executed.(Citation: NCSC Cyclops Blink February 2022)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Cyclops Blink can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.(Citation: NCSC Cyclops Blink February 2022)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Cyclops Blink can modify the Linux iptables firewall to enable C2 communication on network devices via a stored list of port numbers.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022)

Enterprise T1070 .006 Indicator Removal: Timestomp

Cyclops Blink has the ability to use the Linux API function `utime` to change the timestamps of modified firmware update images.(Citation: NCSC Cyclops Blink February 2022)
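A defender-side check for the timestomping described above, added here as an example and not part of the ATT&CK entry or the cited reports. It relies on two properties of the Linux `utime` family: `utime(2)` can rewrite atime/mtime but never ctime, which the kernel resets to the current time on every inode change, and the legacy `utime()` call only takes whole seconds, so a stomped mtime carries a zero nanosecond component. The scan root and the 60-second gap tolerance are assumptions.

```python
import stat
import sys
from pathlib import Path

NS_PER_S = 1_000_000_000


def timestomp_indicators(mtime_ns: int, ctime_ns: int, min_gap_s: int = 60) -> list:
    """Return the indicators found in one inode's mtime/ctime pair (empty list = nothing odd).

    ctime_after_mtime: the inode changed well after the time the content claims to be
        from; utime() cannot hide this because ctime is kernel-controlled.
    whole_second_mtime: second-granularity timestamp, as legacy utime() produces; on a
        nanosecond-resolution filesystem a normally written file rarely lands on .000000000.
    """
    reasons = []
    if ctime_ns - mtime_ns > min_gap_s * NS_PER_S:
        reasons.append("ctime_after_mtime")
    if mtime_ns % NS_PER_S == 0:
        reasons.append("whole_second_mtime")
    return reasons


def scan_tree(root, min_gap_s: int = 60) -> dict:
    """Walk root (without following symlinks) and return {path: indicators} for regular
    files that show at least one indicator. Treat hits as triage candidates: chmod/chown
    and second-granularity filesystems also produce them, so review in context (e.g. a
    firmware image whose ctime postdates a recent update window)."""
    hits = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue
        reasons = timestomp_indicators(st.st_mtime_ns, st.st_ctime_ns, min_gap_s)
        if reasons:
            hits[str(path)] = reasons
    return hits


if __name__ == "__main__":
    # Assumed usage: point it at a directory of extracted firmware images or a mounted image.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for p, why in sorted(scan_tree(target).items()):
        print(f"{p}: {', '.join(why)}")
```

Linux/Unix semantics only: on Windows `st_ctime` is the creation time, not the inode change time.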

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread. Cyclops Blink has also named RC scripts used for persistence after WatchGuard artifacts.(Citation: NCSC Cyclops Blink February 2022)

Enterprise T1542 .002 Pre-OS Boot: Component Firmware

Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.(Citation: NCSC Cyclops Blink February 2022)

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Cyclops Blink has used Tor nodes for C2 traffic.(Citation: NCSC CISA Cyclops Blink Advisory February 2022)

Groups That Use This Software

ID Name References
G0034 Sandworm Team (Citation: NCSC CISA Cyclops Blink Advisory February 2022) (Citation: Trend Micro Cyclops Blink March 2022)
