{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/iptables/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Sandworm Tools"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ASUS routers"],"_cs_severities":["high"],"_cs_tags":["iptables","firewall","linux","cyclopsblink"],"_cs_type":"threat","_cs_vendors":["ASUS"],"content_html":"\u003cp\u003eThis detection focuses on identifying malicious modifications to iptables firewall settings on Linux systems. The activity is associated with malware such as Cyclops Blink, known to alter firewall rules to facilitate Command and Control (C2) communication. The Splunk search analyzes process command lines, looking for iptables commands that open specific TCP ports (3269, 636, 989, 994, 995, 8443). The detection logic filters out common legitimate parent process paths to reduce false positives. Successful exploitation can lead to persistent access and data exfiltration. The original Splunk search was published on 2026-05-05.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Linux system, possibly through exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker or malware executes a command to modify the iptables firewall settings.\u003c/li\u003e\n\u003cli\u003eThe iptables command uses the \u003ccode\u003e--dport\u003c/code\u003e flag to specify a TCP port to open (e.g., 3269, 636, 989, 994, 995, 8443).\u003c/li\u003e\n\u003cli\u003eThe command includes the \u003ccode\u003eACCEPT\u003c/code\u003e action, allowing traffic to the specified port.\u003c/li\u003e\n\u003cli\u003eThe command redirects output to \u003ccode\u003e/dev/null\u003c/code\u003e to hide the activity.\u003c/li\u003e\n\u003cli\u003eThe modified iptables rules allow inbound traffic on the opened port(s).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the opened port(s) for C2 communication with the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and potentially exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of iptables can expose internal services to external attackers, facilitating unauthorized access, data exfiltration, and further compromise of the affected system. Cyclops Blink malware targets ASUS routers, allowing attackers to gain control over network devices and potentially pivot to other systems on the network. The number of affected devices can range from a few to thousands depending on the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLinux Iptables Firewall Modification\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the \u003ccode\u003eLinux Iptables Firewall Modification\u003c/code\u003e rule, focusing on unusual parent processes and destination systems.\u003c/li\u003e\n\u003cli\u003eReview the references provided, specifically the NCSC report and Trend Micro analysis on Cyclops Blink, for additional context and IOCs.\u003c/li\u003e\n\u003cli\u003eMonitor systems for network connections to the opened ports (3269, 636, 989, 994, 995, 8443) as identified in the rule logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-linux-iptables-modification/","summary":"This brief details a Splunk search that identifies suspicious command-line activity modifying iptables firewall settings on Linux systems, potentially indicating Cyclops Blink malware activity allowing C2 communication by opening specific TCP ports.","title":"Linux Iptables Firewall Modification Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-linux-iptables-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Iptables","version":"https://jsonfeed.org/version/1.1"}