WE'D LOVE YOUR FEEDBACK

Please help us improve our website by providing your feedback

Security Alert: Watchguard firewalls vulnerability
A joint security advisory published by US and UK cybersecurity and law enforcement agencies, advises a new malware called Cyclops Blink has surfaced and is primarily been deployed to networking hardware company WatchGuard’s devices.
February 28, 2022

The alert issued by the Cybersecurity & Infrastructure Security Agency (CISA) and an analysis published by the UK’s National Cyber Security Center (NCSC) show Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) for this new malware.


Cyclops Blink has primarily been deployed to networking hardware company WatchGuard’s devices. According to WatchGuard, Cyclops Blink may have affected approximately 1% of active firewall appliances, which are devices mainly used by business customers.


The analysis says Cyclops Blink malware also comes with modules specifically developed to upload/download files to and from its command and control server, collect and exfiltrate device information, and update the malware. The presence of a Cyclops Blink infection does not mean that an organization is the primary target, but its machines could be used to conduct attacks on others. Either way, it is in your best interest to disconnect and remediate any affected devices.


In light of world news, it’s important to note that the Sandworm group has been known to target Ukrainian companies and government agencies.


What You Should Do

In response to this sophisticated, state-sponsored attack, WatchGuard has developed and released a set of simple and easy-to-implement Cyclops Blink detection tools, as well as a 4-Step Cyclops Blink Diagnosis and Remediation Plan to help customers diagnose, remediate if necessary, and prevent future infection. WatchGuard, supported by the FBI, CISA, NSA and UK NCSC, strongly recommends that all WatchGuard customers promptly take the actions outlined in the 4-Step Cyclops Blink Diagnosis and Remediation Plan to eliminate the threat posed by malicious activity from the botnet.


Diagnosis and Remediation Plan


Owners of infected appliances will also need to update the passphrases for the Status and Admin device management accounts and replace any other secrets, credentials, and passphrases configured on the appliance. All accounts on infected devices should be assumed to be compromised.

Source: Malwarebytes.com / NCSC.gov.uk / Watchguard.com

Please help us improve our website by providing your feedback