The FBI was able to remotely access and destroy US-located devices that were running a powerful new strain of Russian state botnet malware. The authorities said that the Kremlin was using the software to hack its adversaries.
The majority of the infections were made up of WatchGuard and network devices from Asus. Both manufacturers recently issued advisories about how to treat devices that have been compromised by the Cyclops blink. Russia's Sandworm is one of the world's most elite and destructive state-sponsored hacking outfits.
Researchers discovered that 500,000 US-based routers were infecting with a piece of Sandworm-designed software called VPNFilter. Sandworm was using a server that was seized by the FBI. The public was told to restart their devices once that was done. The botnet was dismantled after that.
Sandworm tried to regain persistent control of networking devices with the help of a piece of software. Federal prosecutors wrote in a court affidavit.
As with VPNFilter, Sandworm actors have deployed Cyclops Blink on network devices worldwide in a manner that appears to be indiscriminate; i.e., the Sandworm actors’ infection of any particular device appears to have been driven by that device’s vulnerability to the malware, rather than a concerted effort to target that particular device or its owner for other reasons. The Sandworm actors have done so through the exploitation of software vulnerabilities in various network devices, primarily WatchGuard firewall appliances. In particular, the WatchGuard devices are vulnerable to an exploit that allows unauthorized remote access to the management panels of those devices.
Even after February 23, the botnet persisted. Instructions for returning disinfected devices to a clean state and configuring the devices to prevent unrestricted access to management interface were released by WatchGuard. There was a vulnerability that was fixed by WatchGuard, which allowed unrestricted management access from external addresses. The vulnerability was fully addressed in May 2021.
AdvertisementThe number of devices fell after the February advisory. In response, the FBI went further than it did in the past. The agents accessed the WatchGuard devices remotely through 13 US-based addresses. From there, the agents.
It is not the first time that the FBI has remotely accessed a device to remove a threat, but it is an early example. Many security professionals are concerned that such moves could cause harm if they disrupt a mission-critical process. Privacy advocates worry that the actions may expose private information.
Jake Williams is the Executive Director of Cyber Threat Intelligence at a security firm. He said the steps the FBI took made him feel more comfortable. He wrote in a message.
I think it’s always dicey for LE [law enforcement] to modify anything on a server that they don’t control. However, in this case, I don’t think there was significant risk, so the benefits clearly outweighed the risks. Many will cite slippery slope arguments as reasons this particular action was improper, but I think that’s wrong. The fact that the FBI coordinated with private enterprise (WatchGuard) in this action is particularly significant.
The company representatives were interviewed by the FBI last September. The company allowed the agents to take a forensic image of the machine and observe the network traffic associated with the appliance.