For the second time, the FBI wiped malware off of users’ systems without asking and maybe without telling them. The first time was during last year’s Microsoft Exchange attack.
This time they targeted the Russian Cyclops Blink malware. It is attributed to Sandworm, also known as Fancy Bear and APT28. Sandworm is believed to be part of Russia’s military intelligence group.
Cyclops Blink is a modular bit of malware that goes after routers and firewalls. I don’t just mean cheap knock-off home firewalls, but enterprise-grade ones like WatchGuard.
Cyclops Blink is thought to be a replacement for VPNFilter, which infects a lot of home network gear such as Linksys, MikroTik, QNAP and others.
The feds were able to disable VPNFilter by taking over its command and control server.
In the case of the WatchGuard cleanup, the FBI followed these 5 steps:
- Confirm the presence of the malware binary on a device
- Log the serial number of the device
- Retrieve a copy of the malware
- Remove the malware from the device
- Add a firewall rule to block remote access to the management interface
One important thing. They did not save the configuration changes, so if the owner was unhappy, all they had to do was reboot the device. Assuming they could get to the device after step 5.
They could do all this because they seized control of the C2 servers and those servers “owned” the infected firewalls.
This was similar to what they did last year when they cleaned out the Hafnium malware from Exchange servers.
The Federal Rule of Criminal Procedure requires officers to make “reasonable efforts to serve a copy of the warrant and receipt on the person whose property is searched” when dealing with remote access to electronic storage and the seizure of electronically stored information. However, such notifications can be accomplished by any means, including electronic ones, that have a “reasonably calculated” chance of reaching that person. To comply with this requirement, the FBI sent emails, including a copy of the warrants, to the email addresses listed for the domain names associated with the IP addresses of the infected devices. If the domains used a privacy service that hid the associated email address, the FBI contacted the IP owners’ domain registrars and ISPs and asked them to notify their customers.
But here is the problem.
What if they take down the firewall and something bad happens? Say this is a firewall that protects a steel furnace, and when the furnace loses control it goes into an emergency shutdown. In some cases, when this happens, the furnace actually needs to be replaced (it’s complicated).
If they disable remote access and that is the only way the device can be maintained, well, that is a problem too.
At least they tried to tell people what they were doing.
But this is very risky and I hope they don’t try it too often because they will screw up.
If their wonderful plan goes awry and it costs the company money – maybe a lot of money – who gets to pay for that? It is really hard to sue the government.
Credit: CSO Online