Working closely with the FBI, CISA, DOJ, and UK NCSC1, WatchGuard has investigated and developed a remediation for Cyclops Blink, a sophisticated state-sponsored botnet, that may have affected a limited number (estimated at ~1%) of WatchGuard firewall appliances. WatchGuard customers and partners can eliminate the potential threat posed by malicious activity from the botnet by immediately enacting WatchGuard’s 4-Step Cyclops Blink Diagnosis and Remediation Plan. It is critical for all customers, whether infected or not, to upgrade the appliance to the latest version of Fireware OS.
Scope of Potential Impact:
Based on our own investigation, an investigation conducted jointly with Mandiant, and information provided by the FBI, WatchGuard has concluded the following:
- Based on current estimates, Cyclops Blink may have affected approximately 1% of active WatchGuard firewall appliances; no other WatchGuard products are affected.
- Firewall appliances are not at risk if they were never configured to allow unrestricted management access from the internet. Restricted management access is the default setting for all WatchGuard’s physical firewall appliances.
- There is no evidence of data exfiltration from WatchGuard or its customers.
- WatchGuard’s own network has not been affected or breached.
Detecting, Remediating, and Preventing Cyclops Blink Infection:
WatchGuard, supported by the FBI, CISA, NSA2, and the UK NCSC, recommends that all customers immediately enact the 4-Step Cyclops Blink Diagnosis and Remediation Plan available here. The plan outlines simple and easy-to-use Cyclops Blink detection options in WatchGuard System Manager, WatchGuard Cloud, and a new Web Detector tool.
Remediation steps are only necessary if you have an infected appliance; however, the future protection steps are applicable to all customers.
Visit detection.watchguard.com to review and enact the 4-Step Cyclops Blink Diagnosis and Remediation Plan now.
Please see the joint government advisory issued by the FBI, CISA, NSA, and the UK NCSC.
Our corporate blog post includes additional information and updates about the botnet.
New releases are now available to support the prevention step
WatchGuard System Manager 12.7.2 update 3 is available to support all appliances and includes the detection tool that can be run against multiple appliances. (Note: Update 3 was released on Feb 24 to resolve known issue where scan did not complete successfully against latest firmware)
Fireware 12.7.2 Update 2 (Release Notes) is available for:
- T Series: T20, T40, T55, T70, and T80
- M Series: M270, M290, M370, M390, M400, M440, M470, M500, M570, M590, M670, M690, M4600, M5600, M4800, and M5800
- FireboxV and Firebox Cloud
Fireware 12.5.9 Update 2 (Release Notes) for:
- Firebox T10, T15, T30, T35, T50, M200, M300
Fireware 12.1.3 Update 8 (Release Notes) for:
- XTMv, 850, 860, 870,1520, 1525, 2520
- XTM 25, 26, 33, 330, 515, 525, 535, 545, 810, 820, 8301050, 2050 – Given the criticality of the issue, WatchGuard has also released a build for appliances that are now past End of Life. Customers still running these appliances may upgrade to this build with an expired support license.
How to upgrade
The easiest approach is to use WatchGuard Cloud to schedule upgrades for one or many systems, even for systems managed in WSM. Admins may also download the applicable packages from the WatchGuard Software Download Center.
For Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.
1 Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Justice, and UK National Cyber Security Centre.
2 National Security Agency