{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cyclopsblink/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Sandworm Tools"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ASUS routers"],"_cs_severities":["high"],"_cs_tags":["iptables","firewall","linux","cyclopsblink"],"_cs_type":"threat","_cs_vendors":["ASUS"],"content_html":"\u003cp\u003eThis detection focuses on identifying malicious modifications to iptables firewall settings on Linux systems. The activity is associated with malware such as Cyclops Blink, known to alter firewall rules to facilitate Command and Control (C2) communication. The Splunk search analyzes process command lines, looking for iptables commands that open specific TCP ports (3269, 636, 989, 994, 995, 8443). The detection logic filters out common legitimate parent process paths to reduce false positives. Successful exploitation can lead to persistent access and data exfiltration. 
The original Splunk search was published on 2026-05-05.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Linux system, for example through an exploited vulnerability or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker or malware executes an iptables command to modify the firewall ruleset.\u003c/li\u003e\n\u003cli\u003eThe command uses the \u003ccode\u003e--dport\u003c/code\u003e flag to select the TCP port to open (e.g., 3269, 636, 989, 994, 995, 8443). These are ports normally used by TLS-wrapped services such as LDAPS, FTPS and POP3S, so the C2 traffic blends in with expected encrypted connections.\u003c/li\u003e\n\u003cli\u003eThe command uses the \u003ccode\u003eACCEPT\u003c/code\u003e target, allowing traffic to the specified port.\u003c/li\u003e\n\u003cli\u003eThe command redirects its output to \u003ccode\u003e/dev/null\u003c/code\u003e so that no error or status text reaches the terminal, cron mail or script log.\u003c/li\u003e\n\u003cli\u003eThe modified iptables rules allow inbound traffic on the opened port(s).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the opened port(s) for C2 communication with the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and potentially exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of iptables can expose internal services to external attackers, facilitating unauthorized access, data exfiltration, and further compromise of the affected system. Cyclops Blink is a Sandworm botnet implant that targeted WatchGuard Firebox appliances and, in a later variant, ASUS routers; running on the network edge device, it gives the attacker control of the device itself and a position from which to pivot to the hosts behind it. 
The number of affected devices can range from a few to thousands depending on the scope of the attack, but because a single compromised edge device exposes every host behind it, the blast radius is set by network position as much as by device count.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eLinux Iptables Firewall Modification\u003c/code\u003e detection (the Splunk search, or a Sigma translation of it) to your SIEM and tune its parent-process exclusions for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alert the rule raises, focusing on unusual parent processes (anything other than your configuration-management or init tooling) and on the destination systems.\u003c/li\u003e\n\u003cli\u003eKnow the rule\u0026rsquo;s blind spots: it matches on process command lines, so a ruleset loaded with \u003ccode\u003eiptables-restore\u003c/code\u003e from a file, or written with \u003ccode\u003enft\u003c/code\u003e, never puts a literal \u003ccode\u003e--dport\u003c/code\u003e on an \u003ccode\u003eiptables\u003c/code\u003e command line and will not match.\u003c/li\u003e\n\u003cli\u003eReview the references provided, specifically the NCSC report and Trend Micro analysis on Cyclops Blink, for additional context and IOCs.\u003c/li\u003e\n\u003cli\u003eMonitor systems for network connections to the opened ports (3269, 636, 989, 994, 995, 8443) as identified in the rule logic, and treat a new listener on one of them on a host that is not an LDAP, FTPS or mail server as suspicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-linux-iptables-modification/","summary":"This brief details a Splunk search that identifies suspicious command-line activity modifying iptables firewall settings on Linux systems, potentially indicating Cyclops Blink malware activity allowing C2 communication by opening specific TCP ports.","title":"Linux Iptables Firewall Modification Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-linux-iptables-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["linux","malware","cyclopsblink","anomaly","endpoint"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief addresses the detection of command-line activity that redirects standard output (stdout) or standard error (stderr) to the \u003ccode\u003e/dev/null\u003c/code\u003e file on Linux systems. 
This behavior is often used to suppress output from commands, which can be a legitimate administrative practice. However, when used maliciously, it can conceal the actions of malware or attackers. The analysis is based on process execution logs typically collected by Endpoint Detection and Response (EDR) agents. The Cyclops Blink malware has been observed using this technique to hide modifications to \u003ccode\u003eiptables\u003c/code\u003e firewall settings. This activity can allow an attacker to stealthily alter system configurations, potentially leading to unauthorized access or persistent control over the compromised machine. The detection focuses on identifying command lines containing patterns like \u003ccode\u003e*\u0026amp;\u0026gt;/dev/null*\u003c/code\u003e. Note that \u003ccode\u003e\u0026amp;\u0026gt;\u003c/code\u003e is the bash shorthand for redirecting both stdout and stderr; the POSIX equivalent \u003ccode\u003e\u0026gt;/dev/null 2\u0026gt;\u0026amp;1\u003c/code\u003e and the stderr-only \u003ccode\u003e2\u0026gt;/dev/null\u003c/code\u003e do not match this pattern and should be added when tuning.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Linux system (potentially via an exploit or compromised credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious script or binary on the system.\u003c/li\u003e\n\u003cli\u003eThe script or binary contains commands to modify system configurations (e.g., \u003ccode\u003eiptables\u003c/code\u003e rules).\u003c/li\u003e\n\u003cli\u003eThe output of these commands is redirected to \u003ccode\u003e/dev/null\u003c/code\u003e using \u003ccode\u003e\u0026amp;\u0026gt;/dev/null\u003c/code\u003e, so that no error or status text reaches the invoking terminal, cron mail or script log. The redirection does not touch process-execution auditing: EDR agents, auditd and Sysmon for Linux still record the full command line, which is what this detection relies on.\u003c/li\u003e\n\u003cli\u003eThe modified system configurations allow the attacker to establish persistence or gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker may further deploy additional malicious tools or scripts while continuing to redirect output to \u003ccode\u003e/dev/null\u003c/code\u003e to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains covert access to the system, using the modified configurations for ongoing malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eLeft undetected, this activity can lead to unauthorized access to the compromised Linux system, allowing attackers to perform a variety of malicious activities unnoticed. This includes installing backdoors, exfiltrating sensitive data, or disrupting services. In the case of Cyclops Blink, the malware modifies firewall rules, which can open up the system to further attacks. The number of affected systems and the severity of the impact will vary depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLinux Stdout Redirection To Dev Null File\u003c/code\u003e to your SIEM and tune it to your environment to detect suspicious command-line activity.\u003c/li\u003e\n\u003cli\u003eExpect high volume: cron jobs, init scripts and package maintainer scripts redirect to \u003ccode\u003e/dev/null\u003c/code\u003e routinely, so use this rule as a correlating signal (for example, alongside the iptables modification rule) rather than as a standalone alert.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes that are not normally associated with \u003ccode\u003e/dev/null\u003c/code\u003e redirection.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon for Linux Event ID 1 to ensure the necessary process execution logs are available (see \u003ccode\u003edata_source\u003c/code\u003e in the rule).\u003c/li\u003e\n\u003cli\u003eReview the references to understand the Cyclops Blink malware and its use of this technique.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-linux-stdout-redirection-dev-null/","summary":"The redirection of standard output to /dev/null on Linux systems, particularly when observed in conjunction with other suspicious activities, can indicate attempts to hide malicious command execution, as seen in malware like Cyclops Blink, potentially leading to unauthorized system modifications and persistent access.","title":"Linux 
Stdout Redirection to /dev/null Indicates Potential Malware Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-03-linux-stdout-redirection-dev-null/"}],"language":"en","title":"CraftedSignal Threat Feed — Cyclopsblink","version":"https://jsonfeed.org/version/1.1"}
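The two briefs in this feed describe their detection logic only in prose. The block below is an added example, not part of the feed and not Splunk's or CraftedSignal's rule code: it re-implements both rules in Python over constructed Sysmon for Linux Event ID 1-style records (host, ParentImage, CommandLine), applies the parent-process allowlist the first brief describes, correlates the /dev/null redirection with the iptables match as the second brief recommends, and makes the forms each rule misses visible. The allowlist contents, hostnames, parent paths and sample command lines are assumptions made up for the example. It also goes a little beyond the text: it accepts `--dport=PORT` and multiport `--dports` lists, and the `>/dev/null 2>&1` and `2>/dev/null` spellings, none of which the briefs mention.

```python
# Added example: the two briefs' detection logic re-implemented in Python over
# constructed Sysmon-for-Linux-style process records. Not Splunk's or
# CraftedSignal's rule code; hosts and parent paths below are invented.
from __future__ import annotations

import re
from dataclasses import dataclass

CYCLOPS_BLINK_PORTS = frozenset({3269, 636, 989, 994, 995, 8443})  # from the iptables brief

# Parents treated as legitimate firewall automation. ASSUMPTION: illustrative
# list only; build yours from a baseline of which parents run iptables.
BENIGN_PARENTS = frozenset({"/usr/bin/puppet", "/usr/bin/salt-minion",
                            "/usr/sbin/firewalld", "/usr/lib/systemd/systemd"})

# One iptables invocation (pathed or not, inside or outside `sh -c '...'`) from the
# binary name to the next shell separator or quote. `&>` is let through so the
# redirection stays attached; `&&`, `2>&1` and a bare `&` end the match.
# iptables-restore/-save never match: the same blind spot the command-line rule has.
IPTABLES_INVOCATION = re.compile(
    r'''(?:^|(?<=[\s'"`(;|&]))(?:\S*/)?ip6?tables(?:-legacy|-nft)?\s+((?:[^;|&'"]|&>)+)''')
PORT_FLAGS = {"--dport", "--destination-port", "--dports", "--destination-ports"}

# Output-discarding redirections. The brief's pattern covers only the first; the
# other two are the POSIX spellings a tuned rule should add.
DEVNULL_FORMS = {
    "bash &>": re.compile(r"&>\s*/dev/null"),
    "posix >/dev/null 2>&1": re.compile(r">\s*/dev/null\s+2>&1"),
    "stderr-only 2>": re.compile(r"(?:^|\s)2>\s*/dev/null"),
}

@dataclass(frozen=True)
class ProcessEvent:  # the Sysmon for Linux Event ID 1 fields the rules need
    host: str
    parent_image: str
    command_line: str

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    host: str
    detail: str

def iptables_accept_ports(command_line: str) -> set[int]:
    """TCP ports that any iptables invocation on the line opens with -j ACCEPT."""
    opened: set[int] = set()
    for match in IPTABLES_INVOCATION.finditer(command_line):
        argv = match.group(1).split()
        ports: set[int] = set()
        tcp = accept = False
        for i, tok in enumerate(argv):
            flag, _, inline = tok.partition("=")  # --dport=636 as well as --dport 636
            val = inline or (argv[i + 1] if i + 1 < len(argv) else "")
            if flag in ("-p", "--protocol", "-m", "--match") and val == "tcp":
                tcp = True
            elif flag in ("-j", "--jump") and val == "ACCEPT":
                accept = True
            elif flag in PORT_FLAGS:  # multiport lists such as 22,8443
                ports.update(int(p) for p in val.split(",") if p.isdigit())
        if tcp and accept:
            opened |= ports
    return opened

def devnull_redirections(command_line: str) -> list[str]:
    """Names of the /dev/null redirection forms present on the line."""
    return [name for name, rx in DEVNULL_FORMS.items() if rx.search(command_line)]

def evaluate(event: ProcessEvent) -> list[Finding]:
    """Both rules on one event. A listed port opened by an unexpected parent is high,
    critical if the same command also hides its output (the Cyclops Blink pairing).
    /dev/null redirection alone is too common to page on: a low, correlating signal."""
    hit = iptables_accept_ports(event.command_line) & CYCLOPS_BLINK_PORTS
    forms = devnull_redirections(event.command_line)
    if hit and event.parent_image not in BENIGN_PARENTS:
        return [Finding("Linux Iptables Firewall Modification", "critical" if forms else "high",
                        event.host, f"parent={event.parent_image} opened tcp/{sorted(hit)}"
                        + (f", output hidden via {forms}" if forms else ""))]
    if forms:
        return [Finding("Linux Stdout Redirection To Dev Null File", "low", event.host,
                        f"parent={event.parent_image} redirects via {forms}: {event.command_line}")]
    return []

SAMPLE_EVENTS = [  # constructed sample telemetry, not real records
    ProcessEvent("edge-rtr-01", "/tmp/.cb",    # implant-like parent, the bash form the brief matches
                 "/bin/sh -c 'iptables -I INPUT -p tcp --dport 8443 -j ACCEPT &>/dev/null'"),
    ProcessEvent("web-02", "/bin/bash",         # POSIX form the brief's *&>/dev/null* pattern misses
                 "iptables -A INPUT -p tcp --dport=636 -j ACCEPT >/dev/null 2>&1"),
    ProcessEvent("db-03", "/usr/bin/puppet",    # allowlisted automation: suppressed
                 "iptables -A INPUT -p tcp --dport 636 -j ACCEPT"),
    ProcessEvent("build-04", "/usr/sbin/cron",  # routine noise: low, correlating signal only
                 "/usr/local/bin/backup.sh 2>/dev/null"),
    ProcessEvent("fw-05", "/bin/bash",          # multiport spelling of the same opening
                 "iptables -A INPUT -p tcp -m multiport --dports 22,8443 -j ACCEPT"),
    ProcessEvent("app-06", "/bin/bash",         # port not in the list: no finding
                 "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"),
]

def run(events: list[ProcessEvent] = SAMPLE_EVENTS) -> list[Finding]:
    """Evaluate every event and return the findings in input order."""
    return [f for ev in events for f in evaluate(ev)]
```

Calling `run()` on the sample set yields four findings: critical for edge-rtr-01 and web-02 (port plus hidden output), high for fw-05 (multiport open, output not hidden), low for build-04 (redirection only); db-03 is suppressed by the parent allowlist and app-06 opens a port outside the list. The matching is done on the raw command line rather than on a shell-parsed argv because the iptables call usually arrives wrapped in `sh -c '...'`, and the allowlist keys on parent image rather than user because on a router everything runs as root.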