WatchGuard firewall admins warned that new malware targets the devices

Share post:

Administrators of WatchGuard firewalls are being warned to search for signs of compromise on the devices after the publication of a report of malware distributed by a threat group believed to be run by Russian army intelligence.

The report, issued this week by U.S. and U.K. cyber intelligence agencies, said the group known as Sandworm (also called APT28, or Voodoo Bear by some researchers) has been quietly deploying what has been dubbed Cyclops Blink malware through a botnet of exploited network devices including small office/home office (SOHO) routers and network-attached storage (NAS) devices.

Cyclops Blink is a replacement for similar malware called VPNFilter.

VPNFilter and its botnet were exposed in 2018 by researchers at Cisco Systems’ Talos threat intelligence service. The U.S. Justice Department then announced an effort to disrupt VPNFilter and what it called a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices.

According to the new U.S./U.K. report, Cyclops Blink has been deployed since at least June 2019, 14 months after VPNFilter was disrupted.

“In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread,” the report adds. “The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.” Only WatchGuard devices that were reconfigured from the manufacturer’s default settings to open remote management interfaces to external access could be infected, the report says.

The report calls the malware sophisticated and modular, with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed. After initial exploitation of a device, Cyclops Blink is generally deployed as part of a fake firmware update.

The report says WatchGuard has created tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed.

WatchGuard said that, based on its own investigation, work done with Mandiant, and information provided by the FBI, there is no evidence of data exfiltration from WatchGuard or its customers. WatchGuard firewall appliances are not at risk if they were never configured to allow unrestricted management access from the Internet, it adds.

Because Cyclops Blink can be reconfigured to attack many devices, the intelligence agencies issued the following advice it IT administrators, which applies to protecting against any malware:

  • do not expose management interfaces of network devices to the internet;
  • apply security patches promptly;
  • use multi-factor authentication on network devices to reduce the impact of password compromises;
  • tell staff how to report suspected phishing emails;
  • set up a network security monitoring capability;
  • prevent and detect lateral movement in your organization’s network.
The post WatchGuard firewall admins warned that new malware targets the devices first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Google’s Gemini AI caught scanning private Google Drive documents without permission

Google's Gemini AI has come under fire for scanning private PDF documents in Google Drive without user consent....

Massive AT&T breach in 2022 one of the largest private communications data breaches

AT&T announced a significant data breach affecting nearly all of its mobile phone customers, marking one of the...

Security research team claims to have helped avert a major supply chain attack

JFrog Security Research team continuously scans public repositories such as Docker Hub, NPM, and PyPI to identify malicious...

Phishing attacks on state and local governments surge by 360%

Phishing attacks targeting state and local governments have surged by 360% between May 2023 and May 2024, according...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways