Sandworm attacked power plants in Ukraine in 2015 and 2016, and also distributed the NotPetya ransomware on a large scale around the world. Sandworm's previous botnet malware was VPNFilter, which Cisco's threat intelligence group Talos discovered in May 2018. At that time VPNFilter had infected 500,000 network devices worldwide, most of them located in Ukraine. In the same month, the FBI dismantled the botnet by seizing VPNFilter's domain.
The organizations above assess that Cyclops Blink is Sandworm's replacement for VPNFilter and that it has been deployed since 2019, meaning it has been lurking undetected for more than two years, mainly on WatchGuard firewall appliances.
The attackers reverse-engineered the firmware update process of WatchGuard Firebox appliances and found a weakness in it: they can recalculate the HMAC value used to verify the firmware update image, so a modified image passes the integrity check. This lets Cyclops Blink persist on the appliance, surviving both reboots and firmware updates.
Cyclops Blink can also read and write the device file system and replace legitimate files. So even after the weakness above is fixed, the attackers can still deploy new functionality to keep Cyclops Blink in place, which makes it a highly sophisticated piece of malware.
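The design lesson in the update weakness is that an HMAC is a symmetric construction: the key that verifies an image is the same key that produces its tag, so any party that recovers the verification key from the device can authenticate an image of its own. The following Go program, an added example and not WatchGuard's or Sandworm's code, models this with a constructed firmware image: an HMAC-verified updater accepts a modified image once its tag is recomputed, while a signature-verified updater (Ed25519 here, chosen only for the illustration) holds just the public key and cannot be made to accept a modified image by anyone lacking the vendor's private signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sampleImage is a constructed stand-in for a firmware update image.
var sampleImage = []byte("EXAMPLE-FIRMWARE-IMAGE: kernel+rootfs placeholder")

// Result records how a verification scheme behaves for the two cases that matter
// to an updater: accepting the genuine image and rejecting a tampered one.
type Result struct {
	GenuineAccepted bool
	TamperRejected  bool
}

// tamper returns a modified copy of the image (constructed change: appended bytes).
func tamper(image []byte) []byte {
	out := append([]byte{}, image...)
	return append(out, []byte(" +modified-payload")...)
}

// hmacTag computes the HMAC-SHA256 tag an HMAC-based updater would check.
func hmacTag(image, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

// verifyHMAC models an updater that accepts any image whose tag matches under key.
func verifyHMAC(image, tag, key []byte) bool {
	return hmac.Equal(hmacTag(image, key), tag)
}

// DemoHMAC: the verification key must live on the device, so the party checking
// the image also has everything needed to re-tag a modified image.
func DemoHMAC() Result {
	key := make([]byte, 32)
	rand.Read(key) // stands in for the key embedded in the updater (assumption)
	genuineTag := hmacTag(sampleImage, key)
	modified := tamper(sampleImage)
	forgedTag := hmacTag(modified, key) // recomputed with the recovered key
	return Result{
		GenuineAccepted: verifyHMAC(sampleImage, genuineTag, key),
		TamperRejected:  !verifyHMAC(modified, forgedTag, key),
	}
}

// DemoSignature: the device holds only the public key; the private key stays with
// the vendor, so a modified image cannot be given a valid signature on the device.
func DemoSignature() Result {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, sampleImage) // done once, at the vendor
	modified := tamper(sampleImage)
	return Result{
		GenuineAccepted: ed25519.Verify(pub, sampleImage, sig),
		TamperRejected:  !ed25519.Verify(pub, modified, sig),
	}
}

func main() {
	fmt.Printf("HMAC-verified updater:      %+v\n", DemoHMAC())
	fmt.Printf("Signature-verified updater: %+v\n", DemoSignature())
}
```

Both schemes accept the genuine image; only the signature scheme rejects the re-tagged modified image, because the verifier never holds the material needed to produce a new valid tag. That separation of signing and verification keys is what an integrity check on a device in hostile hands has to rest on.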
On the same day, WatchGuard released detection tools and a remediation plan, stating that less than 1% of WatchGuard firewall appliances were infected, that appliances not configured to allow unrestricted access from the network were not at risk, and that there was no evidence that WatchGuard or customer data had been exposed.
WatchGuard provides three detection tools: the Cyclops Blink Web Detector, which runs from the web, and the Cyclops Blink Detector, which must be downloaded and installed. The main difference between the two is that the former shares diagnostic records with WatchGuard while the latter does not. There is also a WatchGuard Cloud Cyclops Blink Detector designed specifically for WatchGuard Cloud accounts.
If an appliance is infected, it must be reset to a clean state following WatchGuard's instructions and then upgraded to the latest version of Fireware OS. The user must also change the passphrase of the management account and rotate all credentials or passphrases previously used on the device. Finally, confirm that the firewall's management policy does not allow unrestricted access from the network.
WatchGuard also advises all users, infected or not, to upgrade to the latest Fireware OS, because it fixes the latest vulnerabilities and adds automatic system integrity checking, which strengthens the protection of the firmware.