Cyclops blink malware targets WatchGuard network firewalls

Sicherheit (Pexels, allgemeine Nutzung)[German]Administrators of Watchguard network firewalls (WatchGuard Fireware for Firebox) need to pay attention. A Cyclops Blink malware is capable of abusing a legitimate vendor firmware update mechanism in infected devices in such a way that it is persistent, meaning it survives reboots. The Cyclops Blink malware is used by the Sandworm group, attributed to the Russian military intelligence agency GRU, and is believed to have infected 1% of network firewall devices from network device manufacturer Watchguard worldwide.


WatchGuard Technologies  is an Internet security solutions provider based in Seattle, USA. WatchGuard became known for its firewall and VPN solution for small and medium-sized businesses.

Serious security vulnerability at WatchGuard

German blog reader der Seb points out a security warming from WatchGuard in this comment – and blog reader Timo also left a hint (thanks for that):


A serious security vulnerability has been disclosed at Watchguard today. The botnet "Cyclops Blink" has apparently already infected several Watchguards. It is advised to take the following measures as soon as possible.

You can also read about it on the following pages: (German)

According to this report, WatchGuard is investigating an infection of its firewall by the Cyclops Blink botnet. About 1 percent of WatchGuard firewall appliances are probably infected by Cyclops Blink. The Cyclops Blink botnet is operated by Russian state cyber actors (see also Russian Sandworm Group Responsible for Cyclops Blink Botnet). 

The Cyclops Blink malware is capable of abusing a legitimate vendor firmware update mechanism in infected devices in such a way that it is persistent and survives reboots. Blog reader Frank also emailed me about a WatchGuard security alert. Frank also sent along the following sceenshot. 

WatchGuard Warning


The WatchGuard installer notes this known issue with firmware updates and warns not to update the Firebox until the linked knowledge base article has been read and considered. The issue is that malware can abuse the update process on infected firewall appliances. WatchGuard has published the knowledge base article 4-Step Cyclops Blink Diagnosis and Remediation Plan on this. WatchGuard provides three tools administrators can use to determine if their Firebox is affected by Cyclops Blink: 

  • WatchGuard System Manager Cyclops Blink-Detektor
  • WatchGuard Cloud Cyclops Blink Detektor

The manufacturer recommends selecting a detection tool and using it to diagnose one or more Fireboxes. Information on the individual measures, tools and firmware updates can be found in the Knowledge Base article 4-Step Cyclops Blink Diagnosis and Remediation Plan and in this blog post.

WatchGuard has concluded, based on our own investigation, an investigation conducted jointly with Mandiant, and information provided by the FBI, that there is no evidence of data exfiltration from WatchGuard or its customers and that firewall appliances are not at risk if they were never configured to allow unrestricted management access from the Internet.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *