As political events around the world unfold, state-sponsored cyber threats are becoming an ever-present reality in the age of cyber warfare. Even as our own governments try to defend critical infrastructure from becoming the next target of state-sponsored hacking, it’s ultimately our own responsibility to protect our own networks and technology.

New Online Threats and Hardening Your Defenses

Recently we were made aware of new potential threats coming from state actors. The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the U.K. National Cyber Security Centre (NCSC), the FBI, and the NSA, jointly published an advisory alerting organizations to new malware called Cyclops Blink, used by the threat actor known as Sandworm or Voodoo Bear to target network devices. The Sandworm actor has previously been attributed to the Russian GRU’s Main Centre for Special Technologies (GTsST) by the NCSC, CISA and the FBI.

Since at least 2019, this malicious actor has been identified using the Cyclops Blink malware to target network devices, in a campaign that appears to be indiscriminate and widespread. So far, the actor has primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm is capable of compiling the malware for other architectures and firmware. Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices.

Cyclops Blink persists across reboots and through the legitimate firmware update process; therefore, to remove the malware, organizations should refer to the guidance published by the vendor, WatchGuard. Device owners should follow each step in those instructions to ensure that devices are patched to the latest version and that any infection is removed.

In addition to this latest advisory, we also encourage all organizations to review the Shields Up webpage to find recommended actions on protecting your most critical assets from threat actors.

The advisory can be found at https://www.cisa.gov/uscert/ncas/alerts/aa22-054a. For more information on Russian state-sponsored activity, see Russia Cyber Threat Overview and Advisories. We encourage those reading this to share this information widely.

To reduce the likelihood of a damaging cyber intrusion we recommend following these steps to defend against potential threats:

  • Ensure that multi-factor authentication is enabled for your and your team’s accounts. Natural Networks requires that our managed IT clients have multi-factor authentication enabled and enforced for Office 365 email logins, account sign-ins, and wherever else possible.
  • Ensure that software is maintained and up to date. Keeping software up to date helps keep security holes patched and reduces the opportunities for exploitation.
  • Ensure that your computer’s anti-virus is active and up to date, and preferably upgrade to Next-Generation Anti-Virus.
  • If working with sources outside of the U.S., you should always ensure that their connections are secured, and that there are extra authentication layers when these users must access data inside U.S. data stores.

When considering IT security for your office, it’s a good idea to always factor in new potential threats. Keeping active backups of your data, ensuring your IT hardware infrastructure is kept up to date, and having an active anti-virus that can detect and deal with threats can go a long way toward keeping you secure.

Natural Networks is a complete Managed IT services provider, and we offer a variety of security solutions for all our clients. If you want to find out more about how you can better secure your office IT environment, give us a call today!