By Staff Writer.
The United Kingdom’s National Cyber Security Centre (NCSC), CISA, the National Security Agency, and the Federal Bureau of Investigation have released a joint Cybersecurity Advisory (CSA) reporting that the malicious cyber actor known as Sandworm or Voodoo Bear is using new malware, referred to as Cyclops Blink. Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices. The NCSC, CISA, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate (GRU) Main Centre for Special Technologies (GTsST).
Given the rising geopolitical tensions between Russia and Ukraine, the US Cyber Command has created a webpage, named Shields Up, to help disseminate the latest information to help organisations prepare for potential cyber threats.
The US-CERT Alert (AA22-047A) reports “From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources.
Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data.
In many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.”
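The quoted advisory names brute force and password spray among the initial-access tactics observed. The two look different in authentication logs: a brute-force attempt hammers one account with many guesses, while a password spray tries a small number of common passwords across many accounts to stay under per-account lockout thresholds. The following Python script is an added example written for this article, not code from the advisory or any of the agencies named; it classifies each source address in a constructed batch of authentication log lines (the log format, field names, sample IP addresses and detection thresholds are all assumptions made for the example) and flags a successful login that follows a spray from the same source, which is the event a defender would want to review first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not taken from the advisory
# or from any real system). Assumed format: ISO timestamp, source IP, account, outcome.
# 203.0.113.5 spreads a few failures across many accounts (spray pattern),
# 198.51.100.7 hammers a single account (brute-force pattern),
# 192.0.2.10 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2022-02-15T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2022-02-15T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2022-02-15T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2022-02-15T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2022-02-15T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2022-02-15T10:00:11Z src=203.0.113.5 user=frank result=FAIL
2022-02-15T10:00:13Z src=203.0.113.5 user=grace result=SUCCESS
2022-02-15T10:00:20Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:00:21Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:00:22Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:00:23Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:00:24Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:00:25Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:01:00Z src=192.0.2.10 user=heidi result=FAIL
2022-02-15T10:01:30Z src=192.0.2.10 user=heidi result=SUCCESS
"""


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, src, user, result)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["user"], fields["result"]


def classify_sources(log_text, window=timedelta(minutes=5),
                     min_failures=5, spray_user_ratio=0.6):
    """Group failures by source IP and label each noisy source.

    A source with at least `min_failures` failed logins inside `window` is
    reported. If most of those failures are against distinct accounts it is
    labelled a password spray; if they concentrate on few accounts it is
    labelled brute force. Thresholds are illustrative assumptions.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_src = defaultdict(list)
    for ts, src, user, result in events:
        per_src[src].append((ts, user, result))

    findings = {}
    for src, evs in per_src.items():
        fails = [(ts, user) for ts, user, r in evs if r == "FAIL"]
        successes = sorted({user for ts, user, r in evs if r == "SUCCESS"})
        best = None
        # Slide a window starting at each failure and keep the densest one.
        for i, (start, _) in enumerate(fails):
            in_win = [u for ts, u in fails[i:] if ts - start <= window]
            if len(in_win) < min_failures:
                continue
            distinct = len(set(in_win))
            kind = ("password_spray" if distinct / len(in_win) >= spray_user_ratio
                    else "brute_force")
            if best is None or len(in_win) > best[0]:
                best = (len(in_win), distinct, kind)
        if best:
            total, distinct, kind = best
            findings[src] = {
                "kind": kind,
                "failures": total,
                "distinct_users": distinct,
                # Any account that logged in successfully from the same source;
                # after a spray this is the first thing an analyst should review.
                "successful_logins": successes,
            }
    return findings


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

On the constructed sample the script labels 203.0.113.5 as a password spray with six failures across six accounts and a subsequent successful login by one of them, labels 198.51.100.7 as brute force against a single account, and ignores 192.0.2.10 because a single failure is below the threshold. In production the same logic would run over M365 or identity-provider sign-in logs, where the `user`/`src`/`result` fields correspond to whatever that platform's schema provides.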
On 23 February 2022, the ACSC released an Alert “Australian organisations encouraged to urgently adopt an enhanced cyber security posture”. This Technical Advisory provides additional information to support entities to take appropriate actions in order to secure their systems and networks.
The ACSC confirms it is not aware of any current or specific threats to Australian organisations; however, adopting an enhanced cyber security posture and increasing monitoring for threats will help to reduce the impact on Australian organisations.
The advisory is compiled on the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
The advisory also draws on information derived from ACSC partner agencies. For further information visit https://www.cyber.gov.au/acsc/view-all-content/advisories/australian-organisations-should-urgently-adopt-enhanced-cyber-security-posture