
Detection and remediation of new Sandworm Malware Cyclops Blink that Replaces VPNFilter

gumpgump
Guide


I've read a couple of older articles that suggest this or similar malware has found itself on Netgear Orbi devices. While I'm uncertain as to the entry point (i.e., a misconfiguration or vulnerable firmware), I am interested in how this malware is detected in the Netgear ecosystem. For example, I'm on macOS but I do run a few Linux systems, and I don't see "out there" the typical tools to detect specific malware.

 

I would think that based on the above, there are likely solutions I've not found. Anyone let me know?

 

Thanks.

CrimpOn
Guru

Re: Detection and remediation of new Sandworm Malware Cyclops Blink that Replaces VPNFilter


@gumpgump wrote:

I've read a couple of older articles that suggest this or similar malware has found itself on Netgear Orbi devices. While I'm uncertain as to the entry point (i.e., a misconfiguration or vulnerable firmware), I am interested in how this malware is detected in the Netgear ecosystem.


Could you please post links to some of those articles? My searches for "Sandworm CVE" turn up references to Microsoft Office from 2014 and more recent references to the exim package included in some versions of Linux (but not Orbi).

 

In general, verifying the existence of a vulnerability is done by:

  • Examining the file system contents, which Netgear does not allow users to do on the AX series products.
  • Performing the exploit to see if it "takes".  This is going to be difficult since the Orbi firewall rejects all connection attempts from the internet side.

In addition to the firewall, Orbi's other protection mechanism is that every time the router reboots (whether intentionally or because of power interruption) a fresh copy of the firmware is loaded from flash memory.  This is one of the factors that used to frustrate Orbi users who attempted to 'hack' the firmware by using telnet access to modify file contents.  Next reboot: all gone.

 

This is a fascinating topic. Would love to do some research.
