Important Detection and Remediation Actions for Cyclops Blink State-Sponsored Botnet
George_Grinnell
WatchGuard Representative
Hello Community
WatchGuard was informed by the FBI and the UK National Cyber Security Centre (NCSC) about their ongoing international investigation regarding Cyclops Blink, a sophisticated state-sponsored botnet that may have affected a limited number of WatchGuard Firebox and XTM devices. If you have a Firebox or XTM device, it is important for you to check your Fireboxes to make sure they are not affected. To learn more about Cyclops Blink and if it might affect you, please see our corporate blog post, which includes key links to detection tools, FAQs, and available resources.
George Grinnell
WatchGuard Representative
Comments
When I try to check and upgrade the OS I get: Unable to contact the WatchGuard software update server.
Is there a specific level of diagnostic logging required for the file to be checked? The default setting of error doesn't seem like it would be enough.
Error should be adequate.
The Web UI upgrade function has been temporarily disabled. The Web UI upgrade will still work, but you have to download the sysa-dl file from https://software.watchguard.com for now.
We plan on re-enabling the web UI upgrade in a few days.
Ryan Tait | Support Engineer
WatchGuard Technologies, Inc. | www.watchguard.com
Office Hours: 5:00AM - 2:00 PM (Pacific Time), Monday - Friday.
The detection tools in WatchGuard System Manager and on the detection site will function with any logging level. There is no need to increase log levels for these to work.
Ryan Tait | Support Engineer
I do NOT have a WatchGuard "Cloud Account", so I assume this does NOT affect me? This is specific to Cloud Accounts... yes?
Hi @Howie
This isn't specific to cloud managed Fireboxes, and can affect locally managed ones.
The easiest way to check if your firewall is affected is by using the tool at https://detection.watchguard.com/Detector.
-James Carson
WatchGuard Customer Support
Ok, thanks. As I manage quite a number of these for clients, this will be a time/money losing exercise. How depressing.
@Howie If you're using the WSM management server, upgrading it to the latest version (12.7.2 U2) includes a detection tool.
-James Carson
WatchGuard Customer Support
Where is this tool? I just updated OS and WSM to latest U2, but don't see this?
NM, I found it... it's on the main WSM window, not in Policy or FSM.
Thanks
Sorry... I ran the tool and it fails, so it's not much use.
"The scan did not complete successfully. We recommend that you try again or use the Cyclops Blink Web Detector to get conclusive results for this Firebox."
Did it both ways, WSM and Web UI; both fail.
So at this point I am just wasting more time.
Hi @Howie
If the WSM tool does not work, the web detector should. Please go to https://detection.watchguard.com/Detector
-James Carson
WatchGuard Customer Support
I just tried the WG Cloud scan for my firewall which is logging to the cloud.
It took a while for the results of the scan to be updated - so for anyone else doing this scan, be patient...
In the https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000XeAtSAK&lang=en_US document, it states, "We recommend that you never add the Any-External alias or other aliases that expose the Firebox management interfaces to the Internet...."
I do not have Any-External on those policies, so I am good there.
What does "or other aliases" include? I have my management policies set to allow access from an alias that contains multiple trusted IP addresses of mine. I also have my home and my laptop DynDNS FQDNs listed because my own WAN IP is dynamic.
Are those OK? Or do I have to put in each individual IP address?
Gregg Hill
I was about to ask if the error logging level was enough, but it seems so. Thanks guys, and let's hope everyone can handle it.
Tried out all 3 methods and they worked like a charm, and above all without exploitation indicators. Will follow this closely anyway.
My rules are secure in regards to the Firebox; however, I have one WatchGuard-created rule, WatchGuard SSLVPN, which has FROM Any-External & Any-Optional TO Any-Trusted & Firebox.
Does this rule need to be changed? It is only for the port we use for our SSLVPN (which is not the default port; it was changed on setup for other reasons). I do not want to screw up my VPN users by making any random changes.
Thanks
You do not need to change the "WatchGuard SSLVPN" policy. The WatchGuard SSLVPN policy is the policy that allows remote users to connect to your SSLVPN.
Other Aliases are ones that you have created. If you need to manage your firebox remotely consider a secure VPN instead of adding dynamic IP addresses to the From: field of a policy.
Hi all, where is the WatchGuard System Manager Cyclops Blink Detector? I'm on 12.7.2.
Thanks.
You need the recently released (today) 12.7.2 U2.
Then WSM -> Tools
Hello WGM,
After installing the latest version of WatchGuard System Manager from the website, launch the application and click on the TOOLS menu. You will see an option for Cyclops Blink Detector.
-Dan
Got it. Thank you all!
Hi again, I updated to the latest version and ran the Cyclops Blink Detector, but I keep getting the following message in both WSM and the Web UI: "The scan did not complete successfully. We recommend that you try again or use the Cyclops Blink Web Detector to get conclusive results for this Firebox."
That does not fully answer what I asked. I have my management policies set to allow access from an alias that contains multiple trusted IP addresses of mine. I also have my home and my laptop DynDNS FQDNs listed because my own WAN IP is dynamic.
Would the alias with its trusted IPs be the same as putting those IPs in the From field directly?
Would the FQDNs in the From field be the same as putting an IP in the From field directly? An FQDN may be from a dynamic IP location or static IP.
Gregg Hill
@WGM
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SOJMSA4&lang=en_US
@greggmh123
Hello Gregg,
Correct on alias vs. IP.
Not exactly. When you use an FQDN, it's looked up via DNS when the policy is saved, and that result is saved for later use.
The "...other alias..." piece refers to:
"...From field: ::/0, 0.0.0.0/0, Any-External alias, Any alias, or any other alias for an external interface...."
This was highlighted in the Cyclops FAQ under "Q: How do I know if my management ports are open to the Internet?"
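As an added illustration of the FAQ check quoted above (not WatchGuard's code or tooling), the following script audits the From field of the built-in WatchGuard and WatchGuard Web UI management policies against the entries the FAQ lists, flags aliases that contain an external interface, and warns about FQDN entries. The policy, alias and interface data are constructed sample input; the function name is my own.

```python
# Added example, not WatchGuard's code: audit the From field of Firebox
# management policies for the entries the Cyclops Blink FAQ says expose
# management ports to the Internet, plus a softer warning for FQDN entries.
from dataclasses import dataclass
from typing import Dict, List

# Entries the FAQ names explicitly: "::/0, 0.0.0.0/0, Any-External alias,
# Any alias, or any other alias for an external interface".
INTERNET_WIDE = {"::/0", "0.0.0.0/0", "any-external", "any"}
MANAGEMENT_POLICIES = ("WatchGuard", "WatchGuard Web UI")

@dataclass
class Finding:
    policy: str
    entry: str
    severity: str   # "critical" (open to the Internet) or "warning" (FQDN)
    reason: str

def audit_management_policies(policies: Dict[str, List[str]],
                              aliases: Dict[str, List[str]],
                              external_interfaces: List[str]) -> List[Finding]:
    """policies: policy name -> From entries; aliases: alias name -> members."""
    findings: List[Finding] = []
    ext = {i.lower() for i in external_interfaces}
    for name, entries in policies.items():
        if name not in MANAGEMENT_POLICIES:
            continue
        for entry in entries:
            key = entry.lower()
            members = [m.lower() for m in aliases.get(entry, [])]
            if key in INTERNET_WIDE:
                findings.append(Finding(name, entry, "critical", "Internet-wide From entry"))
            elif any(m in ext or m in INTERNET_WIDE for m in members):
                findings.append(Finding(name, entry, "critical", "alias includes an external interface"))
            elif "." in entry and not entry[0].isdigit() and ":" not in entry:
                findings.append(Finding(name, entry, "warning", "FQDN resolved via DNS you may not control"))
    return findings

# Constructed sample configuration (hypothetical names and addresses).
SAMPLE_POLICIES = {
    "WatchGuard": ["AdminHosts", "Any-External"],
    "WatchGuard Web UI": ["AdminHosts", "WAN-Alias", "laptop.example.dyndns.org"],
    "WatchGuard SSLVPN": ["Any-External"],   # expected for remote VPN users; not a management policy
}
SAMPLE_ALIASES = {"AdminHosts": ["203.0.113.10", "198.51.100.0/24"], "WAN-Alias": ["External"]}

if __name__ == "__main__":
    for f in audit_management_policies(SAMPLE_POLICIES, SAMPLE_ALIASES, ["External"]):
        print(f"{f.severity:8} {f.policy}: {f.entry} ({f.reason})")
```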
OK. So the FQDNs are only a risk if someone were to poison public DNS servers. I'll use static IPs wherever possible.
Gregg Hill
@greggmh123
If you're autoreactive for it should be safe. I wouldn't use a service you can't control like a dynamic DNS provider if you can avoid it.
If you want to use static IPs, I'd suggest making an Alias in Setup -> Aliases and using that on your WatchGuard and WatchGuard WebUI policies (that way you only have to update it once, vice 2+ times.)
-James Carson
WatchGuard Customer Support
@Ralph
There are 2 FQDN options: one which looks up the IP addr at the time the policy is created, and a dynamic one, which allows the FQDN IP addr to change over time.
Your post suggests just the static one is available.