Important Detection and Remediation Actions for Cyclops Blink State-Sponsored Botnet

Hello Community

WatchGuard was informed by the FBI and the UK National Cyber Security Centre (NCSC) about their ongoing international investigation regarding Cyclops Blink, a sophisticated state-sponsored botnet that may have affected a limited number of WatchGuard Firebox and XTM devices. If you have a Firebox or XTM device, it is important for you to check your Fireboxes to make sure they are not affected. To learn more about Cyclops Blink and if it might affect you, please see our corporate blog post, which includes key links to detection tools, FAQs, and available resources.

George Grinnell
WatchGuard Representative


Comments

  • When I try to check and upgrade the OS I get: "Unable to contact the WatchGuard software update server."

  • Is there a specific level of diagnostic logging required for the file to be checked? The default setting of error doesn't seem like it would be enough.

  • Error should be adequate.

  • RyanTait WatchGuard Representative

    @John_M said:
    When I try to check and upgrade the OS I get: "Unable to contact the WatchGuard software update server."

    The Web UI upgrade function has been temporarily disabled. The Web UI upgrade will still work, but for now you have to download the .sysa-dl file from https://software.watchguard.com.

    We plan on re-enabling the web UI upgrade in a few days.

    Ryan Tait | Support Engineer
    WatchGuard Technologies, Inc. | www.watchguard.com
    Office Hours: 5:00AM - 2:00 PM (Pacific Time), Monday - Friday.

  • RyanTait WatchGuard Representative

    @LisaFromIT said:
    Is there a specific level of diagnostic logging required for the file to be checked? The default setting of error doesn't seem like it would be enough.

    The detection tools in WatchGuard System Manager and on the detection site will function with any logging level. There is no need to increase log levels for these to work.

    Ryan Tait | Support Engineer
    WatchGuard Technologies, Inc. | www.watchguard.com
    Office Hours: 5:00AM - 2:00 PM (Pacific Time), Monday - Friday.

  • I do NOT have a Watchguard "Cloud Account" so I assume this does NOT affect me? This is specific to Cloud Accounts...Yes?

  • james.carson Moderator, WatchGuard Representative

    Hi @Howie
    This isn't specific to cloud managed Fireboxes, and can affect locally managed ones.

    The easiest way to check if your firewall is affected is by using the tool at https://detection.watchguard.com/Detector.

    -James Carson
    WatchGuard Customer Support

  • Ok, thanks. As I manage quite a number of these for clients, this will be a time/money losing exercise. How depressing.

  • james.carson Moderator, WatchGuard Representative

    @Howie If you're using the WSM management server, upgrading it to the latest version (12.7.2 U2) includes a detection tool.

    -James Carson
    WatchGuard Customer Support

  • @james.carson said:
    @Howie If you're using the WSM management server, upgrading it to the latest version (12.7.2 U2) includes a detection tool.

    Where is this tool? I just updated OS and WSM to latest U2, but don't see this?

  • NM, I found it... it's on the main WSM window, not in Policy Manager or FSM.

    Thanks

  • Sorry...I ran the tool and it fails, so it's not much use.

    "The scan did not complete successfully. We recommend that you try again or use the Cyclops Blink Web Detector to get conclusive results for this Firebox."

    Did both ways, WSM and Web Ui, both fail.

    So at this point I am just wasting more time.

  • james.carson Moderator, WatchGuard Representative

    Hi @Howie
    If the WSM tool does not work, the web detector should. Please go to https://detection.watchguard.com/Detector

    -James Carson
    WatchGuard Customer Support

  • I just tried the WG Cloud scan for my firewall which is logging to the cloud.
    It took a while for the results of the scan to be updated - so for anyone else doing this scan, be patient...

  • In the https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000XeAtSAK&lang=en_US document, it states, "We recommend that you never add the Any-External alias or other aliases that expose the Firebox management interfaces to the Internet...."

    I do not have Any-External on those policies, so I am good there.

    What does "or other aliases" include? I have my management policies set to allow access from an alias that contains multiple trusted IP addresses of mine. I also have my home and my laptop DynDNS FQDNs listed because my own WAN IP is dynamic.

    Are those OK? Or do I have to put in each individual IP address?

    Gregg Hill

  • I was about to ask if the error logging level was enough but seems so, thanks guys and lets hope everyone can handle it.

    Tried out all the 3 methods and worked like a charm and above all without exploitation indicators. Will follow this closely anyway.

  • edited February 2022

    My rules are secure in regards to the Firebox, however I have one WatchGuard-created rule, WatchGuard SSLVPN, which has FROM Any-External & Any-Optional TO Any-Trusted & Firebox.
    Does this rule need to be changed? It is only for the port we use for our SSLVPN (which is not the default port; it was changed on setup for other reasons). I do not want to screw up my VPN users by making any random changes.
    Thanks

  • RyanTait WatchGuard Representative

    @carol.taylor@pwg-inc.com said:
    My rules are secure in regards to the Firebox, however I have one WatchGuard-created rule, WatchGuard SSLVPN, which has FROM Any-External & Any-Optional TO Any-Trusted & Firebox.
    Does this rule need to be changed? It is only for the port we use for our SSLVPN (which is not the default port; it was changed on setup for other reasons). I do not want to screw up my VPN users by making any random changes.
    Thanks

    You do not need to change the "WatchGuard SSLVPN" policy. The WatchGuard SSLVPN policy is the policy that allows remote users to connect to your SSLVPN.

  • RyanTait WatchGuard Representative

    @greggmh123 said:
    In the https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000XeAtSAK&lang=en_US document, it states, "We recommend that you never add the Any-External alias or other aliases that expose the Firebox management interfaces to the Internet...."

    I do not have Any-External on those policies, so I am good there.

    What does "or other aliases" include? I have my management policies set to allow access from an alias that contains multiple trusted IP addresses of mine. I also have my home and my laptop DynDNS FQDNs listed because my own WAN IP is dynamic.

    Are those OK? Or do I have to put in each individual IP address?

    Other Aliases are ones that you have created. If you need to manage your firebox remotely consider a secure VPN instead of adding dynamic IP addresses to the From: field of a policy.

  • Hi all, where is the WatchGuard System Manager Cyclops Blink Detector? i'm on 12.7.2?

    Thanks.

  • edited February 2022

    You need the recently released (today) 12.7.2 U2.

    Then WSM -> Tools

  • Dan_Loucks WatchGuard Representative

    Hello WGM,

    After installing the latest version of WatchGuard System Manager from the website, launch the application and click on the TOOLS menu. You will see an option for Cyclops Blink Detector

    -Dan

  • Got it. Thank you all!

  • Hi again, I updated to the latest version and ran the Cyclops Blink Detector, but I keep getting the following message from both WSM and the Web UI: "The scan did not complete successfully. We recommend that you try again or use the Cyclops Blink Web Detector to get conclusive results for this Firebox."

  • @RyanTait said:

    @greggmh123 said:
    In the https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000XeAtSAK&lang=en_US document, it states, "We recommend that you never add the Any-External alias or other aliases that expose the Firebox management interfaces to the Internet...."

    I do not have Any-External on those policies, so I am good there.

    What does "or other aliases" include? I have my management policies set to allow access from an alias that contains multiple trusted IP addresses of mine. I also have my home and my laptop DynDNS FQDNs listed because my own WAN IP is dynamic.

    Are those OK? Or do I have to put in each individual IP address?

    Other Aliases are ones that you have created. If you need to manage your firebox remotely consider a secure VPN instead of adding dynamic IP addresses to the From: field of a policy.

    That does not fully answer what I asked. I have my management policies set to allow access from an alias that contains multiple trusted IP addresses of mine. I also have my home and my laptop DynDNS FQDNs listed because my own WAN IP is dynamic.

    Would the alias with its trusted IPs be the same as putting those IPs in the From field directly?

    Would the FQDNs in the From field be the same as putting an IP in the From field directly? An FQDN may be from a dynamic IP location or static IP.

    Gregg Hill

  • Ralph WatchGuard Representative

    @greggmh123

    Hello Greg,

    Correct on Alias vs IP.

    Not exactly. When you use an FQDN, it's looked up via DNS when the policy is saved and saved for later use.

    The "...other alias..." piece refers to....

    "...From field: ::/0, 0.0.0.0/0, Any-External alias, Any alias, or any other alias for an external interface...."

    This was highlighted in the Cyclops FAQ under "Q: How do I know if my management ports are open to the Internet? "
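The FAQ criteria quoted above (From field containing ::/0, 0.0.0.0/0, the Any-External alias, the Any alias, or any other alias that expands to an external interface) can be applied mechanically. The following is an added example, not WatchGuard's detector or its configuration file format: it audits a simplified in-memory model of policies and aliases (the `Policy` class, the alias dictionary and all sample names and addresses are constructed for illustration). It expands nested aliases to their leaf members, flags any leaf that is a catch-all or an external interface, and separately flags FQDN members for review, since the thread notes they are resolved when the policy is saved and James Carson advises against relying on a dynamic DNS provider.

```python
"""Audit Firebox management policies for Internet exposure.

Added example, not WatchGuard code. The data model below is an assumption
(a hand-built list of policies and an alias table), not the Firebox config
file format. Exposure criteria are the ones quoted from the Cyclops Blink
FAQ in the thread; the FQDN "REVIEW" finding follows the advice given there.
"""
import ipaddress
from dataclasses import dataclass

# Policy names that front the Firebox management interfaces (assumed names).
MANAGEMENT_POLICIES = {"WatchGuard", "WatchGuard Web UI"}
# From-field entries the FAQ calls out as exposing management to the Internet.
CATCH_ALL = {"::/0", "0.0.0.0/0", "Any", "Any-External"}


@dataclass
class Policy:
    name: str
    from_members: list
    to_members: list


def is_ip_or_network(member):
    """True for a literal host address or CIDR block (v4 or v6)."""
    try:
        ipaddress.ip_network(member, strict=False)
        return True
    except ValueError:
        return False


def leaves(member, aliases, _seen=None):
    """Yield the non-alias members that `member` expands to.

    Aliases may nest; `_seen` guards against alias cycles so a loop such as
    A -> B -> A terminates instead of recursing forever.
    """
    _seen = _seen if _seen is not None else set()
    if member in aliases:
        if member in _seen:
            return
        _seen.add(member)
        for sub in aliases[member]:
            yield from leaves(sub, aliases, _seen)
    else:
        yield member


def audit_policy(policy, aliases, external_ifaces):
    """Return (severity, message) findings for one policy's From field."""
    if policy.name not in MANAGEMENT_POLICIES:
        return []  # e.g. WatchGuard SSLVPN is not a management policy
    findings = []
    for m in policy.from_members:
        if m in CATCH_ALL:
            findings.append(("EXPOSED", f"From contains {m}"))
            continue
        for leaf in leaves(m, aliases):
            if leaf in CATCH_ALL or leaf in external_ifaces:
                findings.append(("EXPOSED", f"{m} expands to {leaf}"))
            elif not is_ip_or_network(leaf):
                findings.append(("REVIEW", f"{m} expands to FQDN {leaf}: "
                                 "resolved at policy save time; prefer a "
                                 "static IP or manage over a VPN"))
    return findings


def audit(policies, aliases, external_ifaces):
    """Map each policy name to its findings (names assumed unique)."""
    return {p.name: audit_policy(p, aliases, external_ifaces) for p in policies}


# Constructed sample configuration (not taken from any real Firebox).
SAMPLE_EXTERNAL = {"External", "External-2"}
SAMPLE_ALIASES = {
    "Any-External": ["External", "External-2"],
    "Admin-Hosts": ["203.0.113.10", "203.0.113.11"],      # static admin IPs
    "Remote-Admins": ["Admin-Hosts", "admin-home.example.net"],  # FQDN member
    "WAN-Side": ["External-2"],                            # hides an external iface
}
SAMPLE_POLICIES = [
    Policy("WatchGuard", ["Any-External"], ["Firebox"]),
    Policy("WatchGuard Web UI", ["Remote-Admins", "WAN-Side"], ["Firebox"]),
    Policy("WatchGuard SSLVPN", ["Any-External", "Any-Optional"],
           ["Any-Trusted", "Firebox"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES, SAMPLE_ALIASES, SAMPLE_EXTERNAL).items():
        status = "OK" if not findings else "; ".join(f"{s}: {m}" for s, m in findings)
        print(f"{name}: {status}")
```

Running it against the sample reports the "WatchGuard" policy as exposed through Any-External, the "WatchGuard Web UI" policy both for the FQDN in Remote-Admins and for WAN-Side expanding to External-2, and leaves the SSLVPN policy alone, matching Ryan Tait's answer that it does not need to change.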

  • @Ralph said:
    @greggmh123

    Hello Greg,

    Correct on Alias vs IP.

    Not exactly. When you use an FQDN, it's looked up via DNS when the policy is saved and saved for later use.

    The "...other alias..." piece refers to....

    "...From field: ::/0, 0.0.0.0/0, Any-External alias, Any alias, or any other alias for an external interface...."

    This was highlighted in the Cyclops FAQ under "Q: How do I know if my management ports are open to the Internet? "

    OK. So the FQDNs are only a risk if someone were to poison public DNS servers. I'll use static IPs wherever possible.

    Gregg Hill

  • james.carson Moderator, WatchGuard Representative

    @greggmh123
    If you're autoreactive for it should be safe. I wouldn't use a service you can't control like a dynamic DNS provider if you can avoid it.

    If you want to use static IPs, I'd suggest making an Alias in Setup -> Aliases and using that on your WatchGuard and WatchGuard WebUI policies (that way you only have to update it once, vice 2+ times.)

    -James Carson
    WatchGuard Customer Support

  • @Ralph

    There are 2 FQDN options: one which looks up the IP addr at the time the policy is created, and a dynamic one, which allows the FQDN IP addr to change over time.
    Your post suggests just the static one is available.
