{"id":7479,"date":"2022-02-23T15:12:43","date_gmt":"2022-02-23T23:12:43","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7479"},"modified":"2022-02-28T13:39:48","modified_gmt":"2022-02-28T21:39:48","slug":"joint-cybersecurity-advisory-new-sandworm-malware-cyclops-blink-replaces-vpnfilter","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/joint-cybersecurity-advisory-new-sandworm-malware-cyclops-blink-replaces-vpnfilter\/","title":{"rendered":"Joint Cybersecurity Advisory\u2014New Sandworm Malware Cyclops Blink Replaces VPNFilter"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In February 2022, a <\/span><a href=\"https:\/\/www.ncsc.gov.uk\/news\/joint-advisory-highlights-increased-globalised-threat-of-ransomware\"><span style=\"font-weight: 400;\">Joint Cybersecurity Advisory<\/span><\/a><span style=\"font-weight: 400;\"> was issued by key agencies in the United States (CISA, FBI, and the NSA), Australia\u2019s Cybersecurity Center (ACSC), and the United Kingdom\u2019s National Cyber Security Center. This advisory identified a threat actor known as Sandworm (or Voodoo Bear) that is using new and dangerous malware, which is identified as Cyclops Blink.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Per MITRE ATT&amp;CK <\/span><a href=\"https:\/\/attack.mitre.org\/groups\/G0034\/\"><span style=\"font-weight: 400;\">groups data<\/span><\/a><span style=\"font-weight: 400;\"> the Sandworm Team has been attributed to Russia&#8217;s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies military unit 74455 and has been active since 2009. In October 2020, the United States indicted six GRU Unit 74455 officers associated with Sandworm Team for multiple cyber operations to include the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations. 
Further, Sandworm is believed to be responsible for the 2017 worldwide <\/span><a href=\"https:\/\/attack.mitre.org\/software\/S0368\"><span style=\"font-weight: 400;\">NotPetya<\/span><\/a><span style=\"font-weight: 400;\"> attack, targeting of the 2017 French presidential campaign, the 2018 <\/span><a href=\"https:\/\/attack.mitre.org\/software\/S0365\"><span style=\"font-weight: 400;\">Olympic Destroyer<\/span><\/a><span style=\"font-weight: 400;\"> attack against the Winter Olympic Games, the 2018 operation against the Organization for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. Some of these attacks were conducted with the support and assistance of GRU Unit 26165, which is also known as the infamous <\/span><a href=\"https:\/\/attack.mitre.org\/groups\/G0007\"><span style=\"font-weight: 400;\">APT28<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sandworm has a history of malicious and damaging activity to include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The BlackEnergy disruption of Ukrainian electricity in 2015<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Industroyer in 2016<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">NotPetya in 2017<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Attacks against the Winter Olympics and Paralympics in 2018\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A series of disruptive attacks against Georgia in 2019<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Cyclops Blink seems to be a replacement framework for the VPNFilter malware, which was exposed in 2018. 
This VPNFilter malware exploited network devices such as home or small business routers and network-attached storage devices. Cyclops Blink has been deployed since approximately June 2019, fourteen months after VPNFilter was disrupted. Cyclops Blink, like VPNFilter, seems to be deployed widely.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sandworm has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware. The Cyclops Blink malware itself is modular. It includes basic core functionality to beacon (see MITRE ATT&amp;CK sub-technique <\/span><a href=\"https:\/\/attack.mitre.org\/techniques\/T1132\/002\/\"><span style=\"font-weight: 400;\">T1132.002<\/span><\/a><span style=\"font-weight: 400;\">) device information back to a server, and then download and execute files. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Cyclops Blink is often deployed as part of a firmware update (MITRE ATT&amp;CK <\/span><a href=\"https:\/\/attack.mitre.org\/techniques\/T1542\/001\/\"><span style=\"font-weight: 400;\">T1542.001<\/span><\/a><span style=\"font-weight: 400;\">). This achieves persistence when the device is rebooted and makes remediation more difficult.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Victim devices are organized into clusters, and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports being used (MITRE ATT&amp;CK <\/span><a href=\"https:\/\/attack.mitre.org\/techniques\/T1008\/\"><span style=\"font-weight: 400;\">T1008<\/span><\/a><span style=\"font-weight: 400;\">). 
Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">So how can you mitigate Cyclops Blink?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Cyclops Blink persists on reboot and throughout the legitimate firmware update process, so it must be removed. Special tools have been provided by WatchGuard to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed. The tooling and guidance from WatchGuard can be found at: <\/span><a href=\"https:\/\/detection.watchguard.com\/\"><span style=\"font-weight: 400;\">https:\/\/detection.watchguard.com\/<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you are infected with Cyclops Blink, assume that any passwords present on the device have been compromised. They need to be replaced immediately.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The <\/span><a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-054a\"><span style=\"font-weight: 400;\">advisory<\/span><\/a><span style=\"font-weight: 400;\"> lists many indicators of compromise, which should be reviewed for ongoing reference. 
Further, broader guidance to defend against the Cyclops Blink malware is delineated:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Do not expose management interfaces of network devices to the internet: the management interface is a significant attack surface, so not exposing it reduces the risk.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use the latest supported versions, apply security patches promptly, and use antivirus and scan regularly to guard against known malware threats.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use multifactor authentication to reduce the impact of password compromises.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Make sure your staff know how to report suspected phishing emails, and ensure they feel confident to do so. Investigate their reports promptly and thoroughly.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Set up a security monitoring capability, so you are collecting the data that will be needed to analyze network intrusions.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Prevent and detect lateral movement in your organization\u2019s networks.\u00a0<\/span><\/li>\n<\/ul>\n<h3><b>DNS is always part of the battlefield<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Leveraging a DNS security solution like Infoblox\u2019s <\/span><a href=\"https:\/\/www.infoblox.com\/products\/bloxone-threat-defense\/\"><span style=\"font-weight: 400;\">BloxOne\u00ae Threat Defense<\/span><\/a><span style=\"font-weight: 400;\"> to help protect against threats attempting to use DNS as a back channel is highly recommended. 
Most malware and advanced threats rely on using or compromising DNS to complete their attack while avoiding detection by standard security tools. BloxOne Threat Defense closes this security gap and enhances the ecosystem for hardened defense against sophisticated threats.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">DNS security works at the ground level\u2014that\u2019s why we say it is foundational. DNS security is designed to prevent users\u2019 connection to malicious destinations, and to detect anomalous behaviors in the network such as C&amp;C communications, advanced persistent threat activity, domain generation algorithm (DGA) activity, botnet communications, DNS tunneling, and data exfiltration. In addition, Infoblox DNS security integrates with Security Orchestration Automation and Remediation (SOAR) systems, ITSM solutions, vulnerability scanners and other security ecosystem tools to trigger remediation actions automatically when any malicious activity is detected. This speeds up an organization\u2019s response to security events and enables rapid threat containment.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Analyzing DNS logs is a highly effective way to see what resources a client has been accessing historically. DHCP fingerprint and IPAM metadata provide contextual information on compromised devices such as type of device, OS information, network location and current and historical IP address allocations. All this information helps with event correlation and understanding the scope of a breach.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">BloxOne Threat Defense also combines advanced analytics based on machine learning, highly accurate and aggregated threat intelligence and automation to detect and prevent a broad range of threats. 
These threats may include DGA, data exfiltration, look-alike domain use, fast flux and many others.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There is plenty of consensus on the high value of DNS security. A June 2021 <\/span><a href=\"https:\/\/www.gartner.com\/en\/documents\/4002327\"><span style=\"font-weight: 400;\">Gartner report<\/span><\/a><span style=\"font-weight: 400;\"> recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To learn more about the Cyclops Blink advisory, please go to <\/span><a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-054a\"><span style=\"font-weight: 400;\">https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-054a<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To find out more about how Infoblox can help with DNS security, please reach out to us via <\/span><a href=\"https:\/\/info.infoblox.com\/contact-form\/\"><span style=\"font-weight: 400;\">https:\/\/info.infoblox.com\/contact-form\/<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<table width=\"624\">\n<tbody>\n<tr>\n<td><p><a href=\"https:\/\/www.cisa.gov\/shields-up\">Shields Up | CISA<\/a><\/p>\n<p>Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. 
Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy.<\/p>\n<p><a href=\"http:\/\/www.cisa.gov\">www.cisa.gov<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>In February 2022, a Joint Cybersecurity Advisory was issued by key agencies in the United States (CISA, FBI, and the NSA), Australia\u2019s Cybersecurity Center (ACSC), and the United Kingdom\u2019s National Cyber Security Center. This advisory identified a threat actor known as Sandworm (or Voodoo Bear) that is using new and dangerous malware, which is identified [&hellip;]<\/p>\n","protected":false},"author":324,"featured_media":668,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[32,643,644,645],"class_list":{"0":"post-7479","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-malware","9":"tag-cyclops-bllink","10":"tag-sandworm-malware","11":"tag-voodoo-bear","12":"entry"},"acf":[],"yoast_head_json":{"title":"Joint Cybersecurity Advisory\u2014New Sandworm Malware Cyclops Blink Replaces VPNFilter","canonical":"https:\/\/www.infoblox.com\/blog\/security\/joint-cybersecurity-advisory-new-sandworm-malware-cyclops-blink-replaces-vpnfilter\/","article_published_time":"2022-02-23T23:12:43+00:00","article_modified_time":"2022-02-28T21:39:48+00:00","author":"Michael Zuckerman","twitter_misc":{"Written by":"Michael Zuckerman","Est. reading time":"6 minutes"}}}