Researchers discovered that Cyclops Blink, a botnet linked to the Russian advanced persistent threat group Sandworm, is actively targeting ASUS routers and WatchGuard firewall appliances. The malware is modular – meaning it can easily be updated to target new devices – and features a specialized module that may allow the malware to read flash memory in order to gather information about critical files, executables, data, and libraries. The malware then receives a command to nest in the flash memory and establish persistence, since this storage space survives factory resets. Given the number of indiscriminate targets, analysts assess that the group's intent behind this iteration of distribution is to build and maintain a botnet infrastructure for future attacks on high-value targets.
The purpose of this report is to empower MSPs and IT solution providers to hone defense and recovery strategies in order to keep SMBs safe in the year ahead.