Important Detection and Remediation Actions for Cyclops Blink State-Sponsored Botnet

Comments

  • Ralph, WatchGuard Representative

    @Bruce,

    Correct Bruce. I've only highlighted the dynamic one. "...saved for later use..." as in until the TTL expires. Should've been more clear here.

  • @Ralph Thank you.

  • Is WatchGuard planning to allow upgrading the firmware for people that have not renewed LiveSecurity, like a one-time thing? Other companies have done that in the past.

  • james.carson, Moderator, WatchGuard Representative

    @jeff The fix version (12.7.2 Update 2, 12.5.9 Update 2, and 12.1.3 Update 8, depending on your hardware) should allow an upgrade for any firewall whether it has an active support entitlement or not. The detection tools will also work for any currently supported firewall regardless of support entitlement.

    -James Carson
    WatchGuard Customer Support

  • @james.carson said:
    @greggmh123
    If you're autoreactive for it should be safe. I wouldn't use a service you can't control like a dynamic DNS provider if you can avoid it.

    If you want to use static IPs, I'd suggest making an Alias in Setup -> Aliases and using that on your WatchGuard and WatchGuard WebUI policies (that way you only have to update it once, vice 2+ times.)

    "If you want to use static IPs, I'd suggest making an Alias..." is what I am already doing for my static IP locations.


    "you can't control like a dynamic DNS provider"

    I wonder if we can trust any DNS provider, dynamic or otherwise. DynDNS is a huge dynamic DNS provider.

    Gregg Hill

  • When I try to upload a support.tgz file at https://detection.watchguard.com/Detector, I get an error stating "Error requesting upload URL" and I have to bypass HTTPS/DPI to get the files to upload.

    Gregg Hill

  • james.carson, Moderator, WatchGuard Representative

    @greggmh123
    The TGZ is a gzipped tarball (an archive), so GAV will likely spend some time scanning through it. If making an exception works, that's likely the best way to handle it.

    -James Carson
    WatchGuard Customer Support

  • OS upgrade doesn't work from either the "Download and Install" option or the "I have an upgrade file" function. The first fails because the servers are down, and with the second I get an 'is_admin' error. So how are we supposed to upgrade then?

  • Is there a way to upgrade OS from Watchguard System Manager app? If so how?

  • @Perry said:
    Is there a way to upgrade OS from Watchguard System Manager app? If so how?

    From WSM, you should be able to open Policy Manager, then upgrade from PM.

    Gregg Hill

  • This site https://www.cisa.gov/uscert/ncas/alerts/aa22-054a states, "Note: Note that only WatchGuard devices that were reconfigured from the manufacturer default settings to open remote management interfaces to external access could be infected."

    When it says "remote management interfaces", just exactly what are we talking about? The web UI is obvious, but does "remote management interfaces" include the https://watchguard-IP-address:4100 "WG-Auth" authentication page?

    Or does that mean just the web UI and the "WatchGuard" WG-Firebox-Mgmt policy?

    Gregg Hill

  • WSM Policy Manager -> File -> Upgrade

  • And you need to have downloaded the OS file and installed it.
    Then you can select it in Upgrade.

  • just curious, in the web detector, if you don't check the "optional box", does watchguard see any of the log files?

  • @WGM said:
    just curious, in the web detector, if you don't check the "optional box", does watchguard see any of the log files?

    The last line on the detector page states, "For information about how data is handled by the Cyclops Blink Web Detector and the other detection tools that WatchGuard provides, see this article."

    That leads here https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SOBISA4&lang=en_US

    I am working on other stuff and have not read that page yet to know the answer.

    Gregg Hill

  • @james.carson said:
    @jeff The fix version (12.7.2 Update 2, 12.5.9 Update 2, and 12.1.3 Update 8, depending on your hardware) should allow an upgrade for any firewall whether it has an active support entitlement or not. The detection tools will also work for any currently supported firewall regardless of support entitlement.

    That is AWESOME NEWS. Thank you, WatchGuard!

    Gregg Hill

  • The WSM tool does not work (inconclusive), and the web detector at https://detection.watchguard.com/Detector doesn't work. I try to upload the file "support.tgz" and it gives the error "Files must be a gzip or tar archive".

  • Ralph, WatchGuard Representative

    @greggmh123 said:
    This site https://www.cisa.gov/uscert/ncas/alerts/aa22-054a states, "Note: Note that only WatchGuard devices that were reconfigured from the manufacturer default settings to open remote management interfaces to external access could be infected."

    When it says "remote management interfaces", just exactly what are we talking about? The web UI is obvious, but does "remote management interfaces" include the https://watchguard-IP-address:4100 "WG-Auth" authentication page?

    Or does that mean just the web UI and the "WatchGuard" WG-Firebox-Mgmt policy?

    Hello Greg,

    You're correct. It's just how they worded it.

  • Ralph, WatchGuard Representative

    @Perry said:
    The WSM tool does not work (inconclusive), and the web detector at https://detection.watchguard.com/Detector doesn't work. I try to upload the file "support.tgz" and it gives the error "Files must be a gzip or tar archive".

    Hello Perry,

    You might be using an encrypted version of the support snapshot. Pull it from
    FSM / Status Report / Support
    or
    Web UI / System Status / Diagnostics

  • Ralph, WatchGuard Representative

    @Perry said:
    The WSM tool does not work (inconclusive)

    Which CB tool are you using, Management Server?

    Try WSM / Tools and connect directly to device. If the scan errors out, check https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000SOJ2SAO&lang=en_US

    .... if you're running the latest firmware.

  • Ralph, WatchGuard Representative

    @Perry said:
    OS upgrade doesn't work from either "Download and Install" option nor the "I have an upgrade file" function. The first fails because the servers are down

    Back online and servicing upgrade requests..

  • @Ralph said:

    @greggmh123 said:
    This site https://www.cisa.gov/uscert/ncas/alerts/aa22-054a states, "Note: Note that only WatchGuard devices that were reconfigured from the manufacturer default settings to open remote management interfaces to external access could be infected."

    When it says "remote management interfaces", just exactly what are we talking about? The web UI is obvious, but does "remote management interfaces" include the https://watchguard-IP-address:4100 "WG-Auth" authentication page?

    Or does that mean just the web UI and the "WatchGuard" WG-Firebox-Mgmt policy?

    Hello Greg,

    You're correct. It's just how they worded it.

    Which part is correct? There were two questions.

    The web UI is obvious, but does "remote management interfaces" include the https://watchguard-IP-address:4100 "WG-Auth" authentication page?

    Or does that mean just the web UI and the "WatchGuard" WG-Firebox-Mgmt policy?


    The only policy I have with Any-External is the auth page for one client. They authenticate using Duo Security for 2FA, then it opens an RDP port for them. I am going to narrow that down to remove Any-External and use IPs, but the remote users have dynamic addresses, hence why I want to use DynDNS FQDNs.

    Gregg Hill

  • Ralph, WatchGuard Representative

    @greggmh123 said:

    The web UI is obvious, but does "remote management interfaces" include the https://watchguard-IP-address:4100 "WG-Auth" authentication page?

    It's the wording they used. The auth page isn't a 'management interface'. No admin anything here. Management users cannot auth. against the Firebox-DB.

    Or does that mean just the web UI and the "WatchGuard" WG-Firebox-Mgmt policy?

    This part is correct.

  • This whole story is quite disturbing. I understand, and I quote verbatim, "Persistence on target devices is obtained by exploiting an apparently legitimate firmware update, which guarantees the execution of malicious code even following any reboots of the affected systems". Can someone explain this to me...

    a thousand thanks

  • @Ralph said:

    @Perry said:
    The WSM tool does not work (inconclusive), and the web detector at https://detection.watchguard.com/Detector doesn't work. I try to upload the file "support.tgz" and it gives the error "Files must be a gzip or tar archive".

    Hello Perry,

    You might be using an encrypted version of the support snapshot. Pull it from
    FSM / Status Report / Support
    or
    Web UI / System Status / Diagnostics

    I tried from both and same problem. Is it not encrypted because I can open it and read all the text files. They are in the clear.

  • @Ralph said:

    @Perry said:
    The WSM tool does not work (inconclusive)

    Which CB tool are you using, Management Server?

    Try WSM / Tools and connect directly to device. If the scan errors out, check https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000SOJ2SAO&lang=en_US

    .... if you're running the latest firmware.

    Yes I tried the other method "Web Detector" and it won't let me upload the file. Errors out with "Files must be a gzip or tar archive" but it is.

  • @Perry said:

    @Ralph said:

    @Perry said:
    The WSM tool does not work (inconclusive), and the web detector at https://detection.watchguard.com/Detector doesn't work. I try to upload the file "support.tgz" and it gives the error "Files must be a gzip or tar archive".

    Hello Perry,

    You might be using an encrypted version of the support snapshot. Pull it from
    FSM / Status Report / Support
    or
    Web UI / System Status / Diagnostics

    I tried from both and same problem. Is it not encrypted because I can open it and read all the text files. They are in the clear.

    I found the problem. It doesn't work in Firefox but works in Chrome. WatchGuard should fix this issue.
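A local pre-upload check, added here as an example and not code from the thread or from WatchGuard: it classifies a snapshot file by its bytes, so the "encrypted snapshot" case Ralph raises (neither gzip nor tar) is separated from a browser-side upload failure like Perry's, where the file really is a gzipped tar. The sample snapshot and the opaque blob are constructed inline; the member names are made up.

```python
import gzip
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"
# Constructed stand-in for an encrypted/opaque snapshot: neither gzip nor tar.
NOT_AN_ARCHIVE = bytes(range(256)) * 3

def _is_tar(data: bytes) -> bool:
    """True if the bytes parse as an uncompressed tar archive."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            tar.getmembers()
        return True
    except tarfile.TarError:
        return False

def classify_archive(data: bytes) -> str:
    """Classify raw bytes as 'gzip-tar', 'tar', 'gzip' or 'unknown'.
    Content-based, so a file named support.tgz that is really an
    encrypted blob comes back 'unknown' instead of being trusted by name."""
    if data[:2] == GZIP_MAGIC:
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError):  # gzip header but corrupt/truncated body
            return "unknown"
        return "gzip-tar" if _is_tar(inner) else "gzip"
    return "tar" if _is_tar(data) else "unknown"

def list_members(data: bytes) -> list:
    """Regular-file names inside a tar or gzipped tar; empty if neither."""
    kind = classify_archive(data)
    if kind == "gzip-tar":
        data = gzip.decompress(data)
    elif kind != "tar":
        return []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]

def make_sample_snapshot(compress: bool = True) -> bytes:
    """Constructed stand-in for support.tgz: two small clear-text files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if compress else "w:") as tar:
        for name, body in (("status.txt", b"constructed status output\n"),
                           ("diag.log", b"constructed diagnostics\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Running classify_archive over the bytes of a real snapshot before uploading tells you whether a rejection is about the file itself or about the upload path (browser, DPI, GAV).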

  • I uploaded my support file just fine using Firefox yesterday

  • @toscanatlc

    "Cyclops Blink maintains persistence throughout the legitimate device firmware update process. This is achieved by patching the firmware when it is downloaded to the device."

    https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf

  • @Ralph said:

    @greggmh123 said:

    The web UI is obvious, but does "remote management interfaces" include the https://watchguard-IP-address:4100 "WG-Auth" authentication page?

    It's the wording they used. The auth page isn't a 'management interface'. No admin anything here. Management users cannot auth. against the Firebox-DB.

    Or does that mean just the web UI and the "WatchGuard" WG-Firebox-Mgmt policy?

    This part is correct.

    Perfect! I get it now.

    Thank you!

    Gregg Hill
