Threat Update
In the ongoing conflict between Russia and Ukraine, security experts have been observing cyberattacks targeting Ukrainian government departments with overwhelming levels of Internet traffic and data-wiping malware. Upon further analysis, the Ukrainian government has found software and tactics linked to Russian threat actors. To help organizations outside of Ukraine that may be affected, government agencies have published advisories which provide guidance for preventing, detecting, and responding to these cyber-intrusions.
Technical Detail & Additional Information
WHAT IS THE THREAT?
As tensions escalate between Russia and Ukraine, two new malware threats have surfaced, infecting numerous computers in the region. Labeled as “Cyclops Blink” and “WhisperGate”, these two threats are pieces of malicious software that have impacted Ukrainian government agencies and organizations with alleged links to Russian threat actors. The Cyclops Blink malware is a sophisticated botnet which uses WatchGuard firewall appliances to spread destructive malware. The WhisperGate malware is a type of ransomware which compromises the device MBR (Master Boot Record) and corrupts the hard drive. A ransom note is displayed to the victim convincing them if the ransom is paid their data will be recovered.
WHY IS IT NOTEWORTHY?
Since this string of attacks against Ukrainian organizations is ongoing, organizations should expect an increase in risk associated with cybersecurity attacks and incidents that can spill over to other countries. CISA and NCSC are publishing advisories to help organizations better protect their critical assets from being infected with this malicious software. Although there are currently no threats against the US homeland, there is the potential risk that the Russian government might take destructive action against others outside of Ukraine.
WHAT IS THE EXPOSURE OR RISK?
The Cyclops Blink malware has been deployed to WatchGuard devices and has affected approximately 1 percent of all firewall appliances that are used by business customers. Once a device is infected, the malware can upload and download files to and from its command-and-control (CnC) server, collect and obtain information about the device, and perform updates on the malware. Also, the malware uses an infected devices’ legitimate firmware to maintain its presence even after the device has rebooted.
The WhisperGate malware is known to be a 3-staged MBR (Master Boot Record) wiper created to destroy the MBR and corrupt files on attached storage devices. When the device is infected, the victim is shown a ransom message indicating that their device hard-drive has been corrupted, and that their data can only be recovered after the victim has paid the ransom. However, this is a destructive malware which is known to leave infected devices’ inoperable. The data cannot be recovered after the device has been infected even after the payment has been made.
WHAT ARE THE RECOMMENDATIONS?
FinGarde recommends that organizations have an offsite backup strategy to protect their data from the WhisperGate malware. If your organizations are utilizing WatchGuard Firewall appliances, disable unrestricted management access from the internet and update the firewall device to its latest firmware OS version. Also, please make sure your software is up to date with the latest patches.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://www.pcrisk.com/removal-guides/22801-whispergate-ransomware
- https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
- https://blog.malwarebytes.com/threat-spotlight/2022/02/cyclops-blink-malware-us-and-uk-authorities-issue-alert/#:~:text=According%20to%20a%20joint%20security,a%20Russian%20state%2Dsponsored%20group
- https://www.watchguard.com/wgrd-news/blog/important-detection-and-remediation-actions-cyclops-blink-state-sponsored-botnet
If you have any questions, please contact us.