The Threat
Sandworm
Sandworm, a Russian-backed hacking group, is the group to which the 2017 NotPetya attack on Ukraine was attributed. It has now developed new malware, Cyclops Blink, which targets firewall devices manufactured by WatchGuard. Cyclops Blink is a replacement framework for the VPNFilter malware that was exposed in 2018. VPNFilter exploited network devices, primarily small and home office routers and network-attached storage devices.
Cyclops Blink
Cyclops Blink (T1129) has been active since 2019, and its deployment appears to be indiscriminate and widespread. The threat has so far been deployed primarily on WatchGuard devices, but Sandworm is likely capable of compiling the malware for other architectures and firmware. Currently, for a WatchGuard device to be vulnerable, it must have been reconfigured from the manufacturer's default settings to expose remote management interfaces to external access. The malware itself is modular, with basic core functionality to beacon (T1132.002) device information back to a server and to download and execute files. It can also load new modules while running, which allows Sandworm to add capabilities as required.
Post Exploitation
Cyclops Blink is generally deployed as part of a firmware ‘update’ (T1542.001). This lets the malware persist across device reboots and makes remediation harder. Victims’ devices are organized into clusters, and each deployment of Cyclops Blink carries its own list of command and control (C2) IP addresses and ports (T1008). Communications to the C2 infrastructure are protected with TLS, using individually generated keys and certificates. Sandworm manages the C2 layer through the Tor network.
Figure 1: C2 Infrastructure
Detection
Because Cyclops Blink persists through reboots and through the legitimate firmware update process, affected organizations should take the following steps to detect the malware. WatchGuard has posted a detection table on its website that details multiple detection options. These include diagnostic log file detection, the WSM 12.7.2 Update 2 Cyclops Blink Detector, and the WatchGuard Cloud Cyclops Blink Detector.
All appliances can use the diagnostic log method and WSM 12.7.2 Update 2, but only appliances that have been added to WatchGuard Cloud for logging and reporting can use the WatchGuard Cloud Cyclops Blink Detector. The full table and instructions can be found at WatchGuard’s Cyclops Blink Detection Site.
Remediation
To remove Cyclops Blink from your Firebox, you must put the appliance in recovery mode and then use the WSM Quick Setup Wizard to upgrade to the latest Firmware version. Once the upgrade is complete, it is critical that you do not restore a backup image, save an old configuration file or RapidDeploy configuration to the Firebox, or redeploy a previous configuration from WatchGuard Cloud. An old configuration could re-open ports and traffic that you would normally deny. Remediation also requires physical access to the Firebox. The following links show detailed remediation steps for each Firebox type:
- Cyclops Blink: Remediate a Locally-Managed Firebox (You manage the configuration with WSM or Fireware Web UI.)
- Cyclops Blink: Remediate a Cloud-Managed Firebox (You manage the configuration with WatchGuard Cloud.)
- Cyclops Blink: Remediate Firebox Cloud
- Cyclops Blink: Remediate FireboxV and XTMv
- Cyclops Blink: Remediate a Firebox Managed by WSM Management Server
Prevention
Whether or not your Firebox was compromised, it is critical to make sure it runs the latest version of Firmware. Further prevention measures include regularly changing the Firebox Status and Admin passphrases. Make sure the policies that control firewall management do not allow unrestricted access from the internet, and that management ports are not reachable from the internet. To configure Firebox management policies, use the following documentation.
- For locally-managed Fireboxes, see Administer the Firebox from a Remote Location and Connect to Fireware Web UI from an External Network.
- For cloud-managed Fireboxes, you use WatchGuard Cloud to securely manage your Firebox remotely. Web UI Access is disabled by default on external and guest networks. If you require remote access to the local Web UI on a cloud-managed Firebox, see Connect to the Local Fireware Web UI from a Remote Location.
Going Forward
Many organizations are banding together in joint cyber operations to protect themselves against nation-state threats. State, city, and other government agencies should be aware that transportation systems and power grids are potential targets for international hackers. The White House has warned state governors to be alert given the Russia-Ukraine conflict. Organizations should recognize the increased threat and move forward with more sophisticated security to protect their interests.