Rewterz Threat Alert – Cyclops Blink Disrupted by Intelligence Agencies – Active IOCs

Severity

High

Analysis Summary

Cyclops Blink is an infectious Linux ELF executable. The executable has been associated by security agencies with a botnet that is used to target small offices. Office and home network devices have been targeted by this large-scale malware since 2019. Two samples of the botnet have been analyzed by security researchers and their information has revealed how it works:

Cyclops Blink appears to have been professionally developed, given its modular design approach. A comparison of the core component functionality between the analysed samples indicates that they have most likely been developed from a common code base. The researchers have also attributed Cyclops Blink to Russian APT “Sandworm”.

The U.S. Department of Justice has announced court authorized operation against cyclops blink and two-tiered global botnets affecting thousands of network hardware devices known as Sandworm.

“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”

Impact

• DDoS (Distributed Denial of Service)
• File Encryption
• System Infection

Indicators of Compromise

IP

• 1[.]9[.]85[.]247
• 1[.]9[.]85[.]248
• 1[.]9[.]85[.]249
• 1[.]9[.]85[.]252
• 1[.]9[.]85[.]253
• 1[.]9[.]85[.]254
• 50[.]192[.]49[.]210
• 50[.]196[.]104[.]201
• 50[.]243[.]3[.]153
• 50[.]243[.]3[.]154
• 50[.]243[.]3[.]155
• 50[.]243[.]3[.]157
• 72[.]68[.]69[.]63
• 79[.]11[.]46[.]30
• 96[.]80[.]68[.]194
• 96[.]80[.]68[.]195
• 96[.]80[.]68[.]196
• 96[.]80[.]68[.]197
• 102[.]50[.]244[.]205
• 148[.]76[.]89[.]2
• 148[.]76[.]89[.]3
• 148[.]76[.]89[.]4
• 148[.]76[.]89[.]5
• 151[.]0[.]185[.]146
• 151[.]0[.]185[.]149
• 162[.]17[.]254[.]17
• 182[.]73[.]50[.]114
• 182[.]73[.]50[.]115
• 185[.]198[.]198[.]254
• 212[.]103[.]208[.]182
• 216[.]211[.]37[.]59

Remediation

• Search for IOCs in your environment.
• Block all threat indicators at your respective controls.