HOWTO: 4-Step Cyclops Blink Diagnosis and Remediation Plan


Working closely with the FBI, CISA, DOJ, and UK National Cyber Security Centre (NCSC), WatchGuard has investigated and developed a remediation for Cyclops Blink, a sophisticated state-sponsored botnet that may have affected a limited number of WatchGuard firewall appliances.

WatchGuard has developed and released a set of Cyclops Blink detection tools, as well as this 4-Step Cyclops Blink Diagnosis and Remediation Plan to help customers diagnose, remediate if necessary, and prevent future infection.

The plan includes these four steps:

  1. Diagnose
  2. Remediate
  3. Prevent
  4. Investigate


WatchGuard provides three tools to help you diagnose whether your Firebox is affected by Cyclops Blink:

  • Cyclops Blink Web Detector
  • WatchGuard System Manager Cyclops Blink Detector
  • WatchGuard Cloud Cyclops Blink Detector

Use the information in this table to select a detection tool and use it to diagnose one or more Fireboxes:

| | Cyclops Blink Web Detector | WatchGuard System Manager Cyclops Blink Detector | WatchGuard Cloud Cyclops Blink Detector |
|---|---|---|---|
| Appliance compatibility | All | All | Only for appliances that have been added to WatchGuard Cloud for logging, reporting, or management |
| Access | Public website with no access restrictions | Must download and install WSM 12.7.2 Update 2 or higher | Must have a WatchGuard Cloud account with firewall appliances added for logging, reporting, or management |
| Process | Download the diagnostic log file (support.tgz) from the firewall appliance; visit the secure Cyclops Blink Web Detector; upload the diagnostic log file from the firewall appliance you want to diagnose | Download WSM 12.7.2 Update 2 or higher, launch the Cyclops Blink Detector, and select the firewall appliance you want to diagnose | Log in to WatchGuard Cloud. From the Cyclops Blink Detector widget, select the appliances you want to diagnose |
| Data required | Must share diagnostic log file (support.tgz) with WatchGuard | Diagnosis provided locally with no data/file provided to WatchGuard | WatchGuard Cloud directly queries the appliance (as with other WatchGuard Cloud services) |
| Data retention | Optional – User can opt in to allow WatchGuard to keep the diagnostic log file (support.tgz) for research of the botnet. Otherwise, the file is deleted after scan results are displayed to the user. | No data collected or retained by WatchGuard | All data related to diagnosis is preserved for 1 year by default. For more information, see this article. |
| Get started | Generate diagnostic log file (support.tgz) and upload for immediate results. For more information, see the instructions in the Cyclops Blink Web Detector user interface. | Install WSM v12.7.2 Update 2 or higher and select Tools > Cyclops Blink Detector. For more information, see the instructions in Fireware Help. | Log in to WatchGuard Cloud. In the Cyclops Blink Detector dashboard tile, select Scan Fireboxes in your account. For more information, see the instructions in WatchGuard Cloud Help. |



  • If you cannot complete remediation now, disconnect your Firebox from the network immediately.
  • Remediation steps differ from the usual upgrade steps you might be used to. You must read and follow the remediation steps carefully.
  • If you upgrade a Firebox through the usual upgrade steps, the Cyclops Blink threat will remain on your Firebox. To remediate the threat, you must put the Firebox in recovery mode, and then use the WSM Quick Setup Wizard to upgrade to the latest Fireware version.
  • When you complete remediation, the Cyclops Blink botnet is removed from the Firebox. If you want to collect evidence from the Firebox for your own security investigation, you must do this before you remediate.
  • After remediation, it is critical that you do not restore a backup image, save an old configuration file or RapidDeploy configuration to the Firebox, or redeploy a previous configuration from WatchGuard Cloud to the Firebox. If your Firebox was infected with Cyclops Blink, it is possible that your configuration was altered to allow ports and traffic that you would usually deny. The only way to make sure your device is not re-infected is to build a new configuration file.
  • You must have physical access to the Firebox to complete remediation. If you cannot get immediate physical access to the device to recover and upgrade immediately, you can use RapidDeploy or WatchGuard Cloud templates to start work on a new configuration file or configuration settings and save time. Do not deploy the new configuration to the appliance until you have recovered and upgraded it.

The remediation steps differ based on whether your Firebox is locally-managed or cloud-managed. In addition, the steps are different for virtual Fireboxes (FireboxV, Firebox Cloud, XTMv) and Fireboxes that are managed by Management Server.

Follow the remediation steps in the relevant article for your appliance:


Whether your Firebox was compromised or not, it is critical to make sure your Firebox runs the latest version of Fireware.

We also recommend that you:


If you have a Firebox that is infected with the botnet, the steps outlined above will remediate the infection and protect you from future infection. While there is no evidence of any data exfiltration at this time, it is industry best practice to conduct a forensic investigation of your network to determine if it may have been compromised by the threat actor.
