Important Detection and Remediation Actions for Cyclops Blink State-Sponsored Botnet


Comments

  • Ralph, WatchGuard Representative

    @Perry said:
    Yes I tried the other method "Web Detector" and it won't let me upload the file. Errors out with "Files must be a gzip or tar archive" but it is.

    That's if you use the Web Detector and a snapshot.

    I was referring to scanning the device directly using WSM / Tools / CBD / enter device IP and admin login instead of via the Management Server.
    We'll update the KB article with the inconclusive result when scanning with the former.

  • Ralph, WatchGuard Representative

    @Perry said:
    The WSM tool does not work (inconclusive).

    This defect affected the latest firmware and running the tool from the Management Server. This issue is resolved in WSM v12.7.2 Update 3 which is already available for download.

  • edited February 2022

    Is it possible for the detector https://detection.watchguard.com/Detector to claim that the box is clean (green indicator) yet still be infected?
    I ask because I did not follow the directions exactly as indicated because I don't have on-site access to the router. This box (T35) tested as infected initially. I then applied the v12.5.9.B655824 OS update through the WSM. After the update and the reboot I immediately applied a config file from 2018 that was most likely clean because it's so old. Exported support.tgz and uploaded to detector and now it shows green (not infected). Question is, can it still be infected because I did not follow the official procedure?

  • FYI - the config does not include the infection.
    It is in the OS.

  • Exactly where are you seeing this cert error message?
    I'm running Dimension 2.2 on VMware Workstation 15, installed less than 1 month ago, and I don't recall such an issue.

  • james.carson, Moderator, WatchGuard Representative

    @Perry
    The only way to completely wipe the main partition is to follow the procedure posted. I would suggest following the directions at detection.watchguard.com. As your device did show that it had the issue once, I would suggest that you treat it as infected until those procedures are complete.

    -James Carson
    WatchGuard Customer Support

  • edited March 2022

    @james.carson said:
    @Perry
    The only way to completely wipe the main partition is to follow the procedure posted. I would suggest following the directions at detection.watchguard.com. As your device did show that it had the issue once, I would suggest that you treat it as infected until those procedures are complete.

    I know the official procedure and the suggestion. What I wanted confirmation from you is whether a clean test really means clean or not. From what you're saying I gather that a test could return clean yet I could still be infected. So basically I should treat the test result as meaningless, correct?

  • @Bruce_Briggs said:
    FYI - the config does not include the infection.
    It is in the OS.

    The reason I said I loaded a config that was saved before infection is because the procedure to remove the infection stated not to load an old config because it could have been tainted (configured for back doors) during the infection. But my config was saved in 2018 long before this infection occurred so we know it's a clean config.

  • mboscolo, Moderator, WatchGuard Representative

    Perry, the outlined procedure is to create a new configuration file, regardless from when it was created. We strongly recommend that you follow the information in this link -
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SO3iSAG&lang=en_US

    Mark Boscolo
    WatchGuard Moderator

  • @james.carson said:
    @jeff The fix version (12.7.2 Update 2, 12.5.9 Update 2, and 12.1.3 Update 8, depending on your hardware) should allow an upgrade for any firewall whether it has an active support entitlement or not. The detection tools will also work for any currently supported firewall regardless of support entitlement.

    Will this same fix be released for XTM21/W and XTM505 devices?

    Regards,
    Rafael da Costa

  • Ralph, WatchGuard Representative

    @RafaelSOCNET

    hello Rafael,

    See below

    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SOCGSA4&lang=en_US

    "....Q: What if there isn’t a supported release of Fireware for my firewall appliance?
    A: WatchGuard has released remediation support for an extensive population of Fireboxes including every supported model and some models that are no longer supported. If your appliance is not eligible for a firmware upgrade to remediate Cyclops Blink, please contact your WatchGuard sales representative to discuss moving to a newer model. Click here to review the full list of all models eligible for the latest firmware updates......"

    Supported platform list ...
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SOFPSA4&lang=en_US

  • I have come across an older XTM26-W device running an out of date version Fireware 11.6.5.B364214. From a post in this thread I understand that the current Fireware version is available for devices that are not under a current support agreement. Thanks for that!

    The question I have is regarding detection. I am unable to find a way to download the support.tgz file in this version of the WebUI and I do not have the ability to install the WatchGuard System Manager at the moment. Is there a way, in this version to download the diagnostic file?

    Thanks in advance,

    Darren

  • james.carson, Moderator, WatchGuard Representative
    edited March 2022

    @Darren
    There isn't any way to download the support file in the older flash based webUI -- it's very limited. It's only possible in 11.8 forward under system status -> diagnostics, download a support log file.

    You may be able to use the CLI (ssh to port 4118) to export a support file provided you have a place to put it. I am not 100% sure that your older version supports that.

    export support to (location|[usb (filename)])

    Export the support snapshot file.
    location — the FTP or TFTP location to save the file
    usb — save the support snapshot to the specified file on a USB drive connected to the Firebox

    Examples
    export blocked-site to ftp://joez:1pass@ftp.example.com:23/upload/blocked.dot
    export muvpn client-type shrew-soft-client to ftp://joez:1pass@ftp.example.com:23/upload/vpn-users.vpn
    export support to usb support.tgz

    -James Carson
    WatchGuard Customer Support
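Earlier in the thread the detector rejected an upload with "Files must be a gzip or tar archive", and the post above shows how a support snapshot is exported from the CLI. The script below is an added example, not WatchGuard tooling or part of the original thread: it checks a snapshot file locally before it is uploaded, verifying the gzip magic bytes and that tar can list its members. The sample archive it builds and the file paths are constructed placeholders, and nothing here inspects the Firebox itself.

```shell
#!/bin/sh
# Added example (not WatchGuard's tooling): sanity-check a support snapshot
# before uploading it to the detector. An exported snapshot is expected to
# be a gzip-compressed tar archive; this checks the gzip magic bytes and
# that tar can read the member list.

# Returns 0 when $1 is a readable gzip-compressed tar archive, 1 otherwise.
check_support_snapshot() {
    f="$1"
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
    # gzip data always starts with the two bytes 1f 8b
    magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    [ "$magic" = "1f8b" ] || { echo "not gzip (magic '$magic'): $f" >&2; return 1; }
    # a truncated or non-tar payload fails here even if the magic matched
    tar -tzf "$f" >/dev/null 2>&1 || { echo "not a readable tar archive: $f" >&2; return 1; }
    return 0
}

# Constructed sample data so the script runs stand-alone: a small fake
# snapshot and a plain-text file that should be rejected. Paths and the
# file contents are placeholders, not real diagnostic output.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/snap"
    echo "placeholder diagnostic output" > "$dir/snap/status.txt"
    ( cd "$dir" && tar -czf support.tgz snap )
    echo "this is not an archive" > "$dir/bogus.tgz"
    echo "$dir"
}

main() {
    dir=$(make_samples)
    for f in "$dir/support.tgz" "$dir/bogus.tgz"; do
        if check_support_snapshot "$f"; then
            echo "OK:     $f"
        else
            echo "REJECT: $f"
        fi
    done
    rm -rf "$dir"
}

main
```

Run it on the real snapshot with `check_support_snapshot /path/to/support.tgz` after sourcing the script; a rejection usually means the export was interrupted or the wrong file was saved, which is worth knowing before a scan result is treated as inconclusive.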

  • @james.carson Thank you for your reply. It looks like we are going to replace these devices rather than attempt to maintain them based on the age and the fact that they are past EOL. If we don't replace them, I will give your suggestions a try.

    Thanks again,

  • If you decide to update to 12.1.3 Update 8, pay attention to the release notes!

    You cannot go directly from Fireware 11.6.5 to 12.1.3 Update 8 without it factory resetting the Firebox, and that requires using the web UI anyway. You have to update to 11.7.5 at a minimum first.

    Gregg Hill
