Cyclops Blink
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Cyclops Blink can download files via HTTP and HTTPS.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022) |
Enterprise | T1037 | .004 | Boot or Logon Initialization Scripts: RC Scripts |
Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled.(Citation: NCSC Cyclops Blink February 2022) |
Enterprise | T1132 | .002 | Data Encoding: Non-Standard Encoding |
Cyclops Blink can use a custom binary scheme to encode messages with specific commands and parameters to be executed.(Citation: NCSC Cyclops Blink February 2022) |
Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
Cyclops Blink can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.(Citation: NCSC Cyclops Blink February 2022) |
Enterprise | T1562 | .004 | Impair Defenses: Disable or Modify System Firewall |
Cyclops Blink can modify the Linux iptables firewall to enable C2 communication on network devices via a stored list of port numbers.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022) |
Enterprise | T1070 | .006 | Indicator Removal: Timestomp |
Cyclops Blink has the ability to use the Linux API function `utime` to change the timestamps of modified firmware update images.(Citation: NCSC Cyclops Blink February 2022) |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Cyclops Blink can rename its running process to |
Enterprise | T1542 | .002 | Pre-OS Boot: Component Firmware |
Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.(Citation: NCSC Cyclops Blink February 2022) |
Enterprise | T1090 | .003 | Proxy: Multi-hop Proxy |
Cyclops Blink has used Tor nodes for C2 traffic.(Citation: NCSC CISA Cyclops Blink Advisory February 2022) |
Groups That Use This Software |
||
ID | Name | References |
---|---|---|
G0034 | Sandworm Team |
(Citation: NCSC CISA Cyclops Blink Advisory February 2022) (Citation: Trend Micro Cyclops Blink March 2022) |
References
- Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
- NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
- NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.