https://feed.craftedsignal.io/tags/cyclopsblink/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-linux-iptables-modification/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-linux-iptables-modification/This brief details a Splunk search that identifies suspicious command-line activity modifying iptables firewall settings on Linux systems, potentially indicating Cyclops Blink malware activity allowing C2 communication by opening specific TCP ports.This detection focuses on identifying malicious modifications to iptables firewall settings on Linux systems. The activity is associated with malware such as Cyclops Blink, known to alter firewall rules to facilitate Command and Control (C2) communication. The Splunk search analyzes process command lines, looking for iptables commands that open specific TCP ports (3269, 636, 989, 994, 995, 8443). The detection logic filters out common legitimate parent process paths to reduce false positives. Successful exploitation can lead to persistent access and data exfiltration. The original Splunk search was published on 2026-05-05.

Attack Chain

1. The attacker gains initial access to the Linux system, possibly through exploiting a vulnerability or using stolen credentials.
2. The attacker or malware executes a command to modify the iptables firewall settings.
3. The iptables command uses the --dport flag to specify a TCP port to open (e.g., 3269, 636, 989, 994, 995, 8443).
4. The command includes the ACCEPT action, allowing traffic to the specified port.
5. The command redirects output to /dev/null to hide the activity.
6. The modified iptables rules allow inbound traffic on the opened port(s).
7. The attacker uses the opened port(s) for C2 communication with the compromised system.
8. The attacker maintains persistent access and potentially exfiltrates sensitive data.

Impact

Successful modification of iptables can expose internal services to external attackers, facilitating unauthorized access, data exfiltration, and further compromise of the affected system. Cyclops Blink malware targets ASUS routers, allowing attackers to gain control over network devices and potentially pivot to other systems on the network. The number of affected devices can range from a few to thousands depending on the scope of the attack.

Recommendation

• Deploy the Sigma rule Linux Iptables Firewall Modification to your SIEM and tune for your environment.
• Investigate any alerts triggered by the Linux Iptables Firewall Modification rule, focusing on unusual parent processes and destination systems.
• Review the references provided, specifically the NCSC report and Trend Micro analysis on Cyclops Blink, for additional context and IOCs.
• Monitor systems for network connections to the opened ports (3269, 636, 989, 994, 995, 8443) as identified in the rule logic.

]]>highthreatiptablesfirewalllinuxcyclopsblinkhttps://feed.craftedsignal.io/briefs/2024-01-03-linux-stdout-redirection-dev-null/Wed, 03 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-linux-stdout-redirection-dev-null/The redirection of standard output to /dev/null on Linux systems, particularly when observed in conjunction with other suspicious activities, can indicate attempts to hide malicious command execution, as seen in malware like Cyclops Blink, potentially leading to unauthorized system modifications and persistent access.This brief addresses the detection of command-line activity that redirects standard output (stdout) or standard error (stderr) to the /dev/null file on Linux systems. This behavior is often used to suppress output from commands, which can be a legitimate administrative practice. However, when used maliciously, it can conceal the actions of malware or attackers. The analysis is based on process execution logs typically collected by Endpoint Detection and Response (EDR) agents. The Cyclops Blink malware has been observed using this technique to hide modifications to iptables firewall settings. This activity can allow an attacker to stealthily alter system configurations, potentially leading to unauthorized access or persistent control over the compromised machine. The detection focuses on identifying command lines containing patterns like *&>/dev/null*.

Attack Chain

1. The attacker gains initial access to the Linux system (potentially via an exploit or compromised credentials).
2. The attacker executes a malicious script or binary on the system.
3. The script or binary contains commands to modify system configurations (e.g., iptables rules).
4. The output of these commands is redirected to /dev/null using &>/dev/null to hide the changes from standard logging and user observation.
5. The modified system configurations allow the attacker to establish persistence or gain unauthorized access.
6. The attacker may further deploy additional malicious tools or scripts while continuing to redirect output to /dev/null to evade detection.
7. The attacker maintains covert access to the system, using the modified configurations for ongoing malicious activities.

Impact

Successful exploitation can lead to unauthorized access to the compromised Linux system, allowing attackers to perform a variety of malicious activities undetected. This includes installing backdoors, exfiltrating sensitive data, or disrupting services. In the case of Cyclops Blink, the malware modifies firewall rules, which can open up the system to further attacks. The number of affected systems and the severity of the impact will vary depending on the attacker’s objectives and the compromised system’s role within the network.

Recommendation

• Deploy the Sigma rule Linux Stdout Redirection To Dev Null File to your SIEM and tune it to your environment to detect suspicious command-line activity.
• Investigate any alerts generated by the Sigma rule, focusing on processes that are not normally associated with /dev/null redirection.
• Enable Sysmon for Linux Event ID 1 to ensure the necessary process execution logs are available (see data_source in the rule).
• Review the references to understand the Cyclops Blink malware and its use of this technique.

]]>mediumadvisorylinuxmalwarecyclopsblinkanomalyendpoint