The US Department of Justice has just announced the dismantling of Cyclops Blink, a botnet that had given the FBI a great deal of trouble. It is in fact the successor to VPNFilter, a malware attributed to the Sandworm group, which had infected more than 500,000 routers and NAS devices in 2018.
According to the US government, Sandworm is an arm of the Russian military intelligence agency GRU. With the help of the private sector, the FBI had managed to detect and neutralize VPNFilter, which likely prompted its replacement by Cyclops Blink.
This new generation is far more advanced. It mainly targets WatchGuard firewalls and Asus Wi-Fi routers and builds a two-tier botnet.
The first tier is a set of infected devices controlled directly by the Sandworm operators; these act as Command and Control (C&C) servers for a second tier of infected devices, the “bots”.
Law enforcement remains fairly discreet about the size of this botnet. The Department of Justice speaks of “thousands” of bots scattered around the world.
According to the search warrant, there are several dozen C&C servers, though certain passages have been redacted. On February 23, the vendors issued an advisory and patches, but with limited success.
The malware hooks into the firmware update process to remain persistent, so an automatic reboot or update is not enough: the patch has to be installed manually. One month later, only 39% of the infected equipment had been cleaned.
The US government therefore took the bull by the horns. FBI agents analyzed a copy of the malware and found a way to take remote control of it.
With the court’s approval, they connected to the known infected C&C devices, removed Cyclops Blink and closed the entry points it used, to prevent the Russian operators from returning. A rather radical and intrusive solution, insofar as law enforcement breaks into privately owned equipment.
However, it is specified that the agents collected no data other than the serial number. As far as possible, the owners were also informed of the action before and after the operation. The bots, on the other hand, were not touched and thus remain infected. But that is the lesser evil, since the C&C layer no longer exists.
Source: US Department of Justice