For the second time in a year, the FBI has used search and seizure warrants to clean malware from devices owned by private companies and users without their explicit approval. The agency used this approach to disrupt a botnet believed to have been created by Russian government hackers.
The operation targeted the Cyclops Blink malware, which was discovered earlier this year and is attributed to a group known in the security industry as Sandworm. US and UK intelligence agencies believe Sandworm is a unit within the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).
What is Cyclops Blink?
Cyclops Blink is a modular malware program designed to infect and control network hardware devices such as routers and firewalls. The UK National Cyber Security Centre (NCSC), in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), published a notice in February that named WatchGuard Firebox firewall appliances as one of the malware’s targets. Since then, routers made by ASUS have also been confirmed as targets of the botnet.
Cyclops Blink is believed to replace VPNFilter, another malware program that infected more than 500,000 home and small business routers made by various networking hardware manufacturers, including Linksys, MikroTik, Netgear, QNAP, and TP-Link. VPNFilter had modules that allowed monitoring and manipulation of traffic and allowed downstream devices to be attacked. A module enabled monitoring of Modbus SCADA protocols, which are used in industrial control environments.
The FBI took down the VPNFilter botnet after the agency seized the domain name attackers used to control it and issued commands to reboot devices. That action did not completely remove the malware from all devices. According to research from security firm Trend Micro, as of January 2021, a third of devices infected with VPNFilter were still compromised.
After that operation was disrupted, the Sandworm group regrouped and developed Cyclops Blink, which is believed to have been in operation since at least June 2019. Like VPNFilter, Cyclops Blink can download and run additional modules that extend its functionality, but it is more persistent because it is implemented as part of a firmware update, and its command and control (C2) mechanism is more complex.
In particular, each device infected with Cyclops Blink contains an encrypted list of C2 servers. These servers act as relays and are all connected to a central command panel used by the attackers and hosted on the Tor network.
How did the FBI disrupt the botnet?
FBI agents managed to retrieve a firmware image from one of the compromised WatchGuard devices with owner approval and used it to study the malware. They also monitored traffic from the infected device, which allowed them to identify one of the C2 relay servers located in the US.
The agents then gained access to the server and analyzed how it worked. This revealed that each C2 server used a digital certificate, deployed by the attackers, with particular characteristics. By scanning the internet for these characteristics, the agency identified 38 Cyclops Blink C2 servers, 22 of them based in the US. It then obtained a search and seizure warrant to take control of some of those servers.
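The pivot described above (every relay carried a certificate with shared characteristics, and scanning the internet for those characteristics surfaced the rest of the infrastructure) is a standard infrastructure-hunting technique that can be reproduced over scan output. The following is an added example, not code from the article, from WatchGuard or from the FBI: it builds unsigned toy certificates with a tiny DER encoder so the block runs offline, extracts the fields an analyst pivots on (serial, issuer, subject, lifetime, SHA-256 fingerprint) with a matching DER reader, and applies a hunt rule to constructed scan results. All hostnames, IP addresses, organization names and rule values are placeholders; the characteristics the FBI actually matched on are not stated in the article.

```python
import hashlib
from datetime import datetime

OID_CN = bytes.fromhex("550403")  # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


# --- minimal DER encoder, enough to build a structurally valid toy certificate ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then the length itself
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_name(cn, o):
    """Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)."""
    def rdn(oid, val):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, val.encode())))
    return tlv(0x30, rdn(OID_O, o) + rdn(OID_CN, cn))


def build_toy_cert(serial, issuer, subject, not_before, not_after):
    """Constructed, UNSIGNED certificate: key and signature are placeholder bytes."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))  # [0] EXPLICIT INTEGER 2 (v3)
    serial_der = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA))
    validity = tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode()))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + b"\x01" * 16))
    tbs = tlv(0x30, version + serial_der + alg + issuer + validity + subject + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))


# --- minimal DER reader and the field extraction a hunt rule needs ---
def children(buf):
    """Yield (tag, content) for each TLV directly inside buf."""
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n]
        pos += n


def parse_name(name_der):
    out = {}
    for _, rdn in children(name_der):            # each SET
        for _, atv in children(rdn):             # each SEQUENCE
            (_, oid), (_, val) = list(children(atv))[:2]
            out[{OID_CN: "CN", OID_O: "O"}.get(oid, oid.hex())] = val.decode("utf-8", "replace")
    return out


def cert_fields(der):
    """Characteristics an analyst pivots on: serial, names, lifetime, fingerprint."""
    _, body = next(children(der))                # Certificate SEQUENCE
    _, tbs = next(children(body))                # tbsCertificate SEQUENCE
    parts = list(children(tbs))
    if parts[0][0] == 0xA0:                      # drop the optional [0] version
        parts = parts[1:]
    nb, na = [v.decode() for _, v in children(parts[3][1])]
    fmt = "%y%m%d%H%M%SZ"                        # UTCTime as emitted by the toy builder
    return {
        "serial": int.from_bytes(parts[0][1], "big", signed=True),
        "issuer": parse_name(parts[2][1]),
        "subject": parse_name(parts[4][1]),
        "validity_days": (datetime.strptime(na, fmt) - datetime.strptime(nb, fmt)).days,
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def hunt(scan_results, rule):
    """Hosts whose certificate matches every characteristic in rule."""
    hits = []
    for host, der in scan_results:
        f = cert_fields(der)
        flat = {"serial": f["serial"], "validity_days": f["validity_days"],
                "issuer.CN": f["issuer"].get("CN"), "issuer.O": f["issuer"].get("O"),
                "subject.CN": f["subject"].get("CN"), "subject.O": f["subject"].get("O")}
        if all(flat.get(k) == v for k, v in rule.items()):
            hits.append(host)
    return hits


# Constructed scan output: documentation-range IPs and made-up names.
RELAY_ORG = "Example Relay Org"
SCAN = [
    ("198.51.100.10", build_toy_cert(0x1001, der_name("relay-a", RELAY_ORG),
                                     der_name("relay-a", RELAY_ORG), "220101000000Z", "320101000000Z")),
    ("198.51.100.11", build_toy_cert(0x1002, der_name("relay-b", RELAY_ORG),
                                     der_name("relay-b", RELAY_ORG), "220115000000Z", "320115000000Z")),
    ("203.0.113.5", build_toy_cert(0x55, der_name("Example CA", "Example CA Inc"),
                                   der_name("www.example.com", "Example Site"),
                                   "220301000000Z", "230301000000Z")),
]
# Placeholder rule: self-issued by the same made-up organization with a ten-year lifetime.
RULE = {"issuer.O": RELAY_ORG, "subject.O": RELAY_ORG, "validity_days": 3652}

if __name__ == "__main__":
    for host in hunt(SCAN, RULE):
        print(host, cert_fields(dict(SCAN)[host])["sha256"][:16])
```

The rule deliberately keys on structural traits (issuer, subject organization, certificate lifetime) rather than on one fingerprint, because a fingerprint only matches the single certificate it was taken from, while an operator who generates certificates with the same tooling reuses the structure across every relay. In practice the `SCAN` list would be replaced by the DER certificates a TLS scanner collected.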
The agency also developed a technique that allowed it to impersonate the attackers’ Tor-hosted control panel to the relay servers, so that it could issue commands that those servers would relay to the bots they served. The agency then worked with WatchGuard and other law enforcement partners to develop and test a cleanup strategy that involves sending a series of commands to infected devices.
According to an unsealed affidavit, these commands accomplish the following goals: confirm the presence of the malware binary (known as CPD) on the device, record the serial number of the infected device, retrieve a copy of the malware and its encrypted list of C2 servers, remove the CPD malware from the device, and add firewall rules to the device that block remote access to its management interface.
The last step is important because the Sandworm attackers exploited an authentication bypass vulnerability (CVE-2022-23176) on devices to access their management interfaces if they were configured for remote management from the Internet. By adding firewall rules to block this access, the FBI prevented the Sandworm attackers from re-compromising the devices. However, the agency noted that these firewall rules are not persistent and device owners can simply reboot their devices to return them to the previous settings.
In the affidavit, which was filed in support of the agency’s request for a search and seizure warrant to enable the operation, FBI agents note that none of these commands allows the agency to view or retrieve the device owner’s content or data, and that the technique was tested beforehand to ensure that it does not affect the functionality of the device in any way.
The FBI obtained search warrants from the US District Courts for the Western District of Pennsylvania and the Eastern District of California to carry out the operation against at least two C2 servers. While this is not the first time that law enforcement agencies, including the FBI, have used search warrants to issue commands to botnets via seized C2 servers, extracting evidence from the infected devices, such as a copy of the malware, without the owners’ approval is relatively new.
The agency used a similar approach in April last year to copy and then delete web shells deployed by a Chinese cyber espionage group called Hafnium on Microsoft Exchange servers that had been compromised by zero-day vulnerabilities. The operation raised questions about privacy and transparency.
The Federal Rules of Criminal Procedure require officers to make “reasonable efforts to deliver a copy of the warrant and receipt to the person whose property is searched” when it comes to remote access to electronic storage and seizure of electronically stored information. However, such notifications may be made by any means, including electronic means, that are “reasonably calculated” to reach that person. To meet this requirement, the FBI sent emails, including a copy of the court orders, to the email addresses in the registration records of the domain names associated with the IP addresses of the infected devices. If a domain used a privacy service that obscured the associated email address, the FBI contacted the IP owners’ domain registrars and ISPs and asked them to notify their customers.
Who is Sandworm?
The Sandworm group is believed to be the most capable hacking team in the Russian government. The group has been responsible for attacks against Ukraine’s energy infrastructure in 2015 with the BlackEnergy malware and in 2016 with the Industroyer malware. It has also been responsible for the destructive NotPetya pseudo-ransomware attack in 2017 and the attacks against the IT infrastructure of the Winter Olympics in 2018. The 2019 attacks against government and private websites in Georgia have also been attributed to Sandworm by US and UK intelligence agencies.
The group, also known as Voodoo Bear or GRU Unit 74455, is believed to be one of multiple units within the GRU that are involved in cyber operations. Another is APT28, also known as Fancy Bear in the security industry. Sandworm, which has been active since at least 2009 and operates out of the GRU’s Main Center for Special Technologies (GTsST), military unit 74455, is typically tasked with destructive sabotage-style attacks, while APT28, the GRU’s 85th Main Special Service Center (GTsSS), military unit 26165, typically engages in cyber-espionage and disinformation campaigns.
In October 2020, the Department of Justice indicted six GRU officers for their involvement in cyberattacks attributed to Sandworm.
Copyright © 2022 IDG Communications, Inc.