WatchGuard Firewalls - New Malware

Cyclops Blink is a sophisticated botnet that has been active since June 2019 but has recently come into the spotlight after targeting WatchGuard firewalls and potentially other SOHO network devices. The attacks seem widespread and indiscriminate.

The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

Note that only WatchGuard devices that were reconfigured from the manufacturer default settings to open remote management interfaces to external access could be infected.

WatchGuard has worked closely with the FBI, CISA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed.

The WatchGuard tooling and guidance is available at:

If your device is identified as infected with Cyclops Blink, you should assume that any passwords present on the device have been compromised and replace them. Please see our password guidance here.

You should ensure that the management interface of network devices is not exposed to the internet.