HOWTO: 4-Step Cyclops Blink Diagnosis and Remediation Plan
Working closely with the FBI, CISA, DOJ, and UK National Cyber Security Centre (NCSC), WatchGuard has investigated and developed a remediation for Cyclops Blink, a sophisticated state-sponsored botnet that may have affected a limited number of WatchGuard firewall appliances.
WatchGuard has developed and released a set of Cyclops Blink detection tools, as well as this 4-Step Cyclops Blink Diagnosis and Remediation Plan to help customers diagnose, remediate if necessary, and prevent future infection.
The plan includes these four steps:
- Diagnosis
- Remediate
- Prevent
- Investigate
Diagnosis
WatchGuard provides three tools to help you diagnose if your Firebox is affected by Cyclops Blink:
- Cyclops Blink Web Detector
- WatchGuard System Manager Cyclops Blink Detector
- WatchGuard Cloud Cyclops Blink Detector
Use the information in this table to select a detection tool and use it to diagnose one or more Fireboxes:
| | Cyclops Blink Web Detector | WatchGuard System Manager Cyclops Blink Detector | WatchGuard Cloud Cyclops Blink Detector |
|---|---|---|---|
| Appliance compatibility | All | All | Only for appliances that have been added to WatchGuard Cloud for logging, reporting, or management |
| Access | Public website with no access restrictions | Must download and install WSM 12.7.2 Update 2 or higher | Must have a WatchGuard Cloud account with firewall appliances added for logging, reporting, or management |
| Process | Download the diagnostic log file (support.tgz) from the firewall appliance; visit the secure Cyclops Blink Web Detector (detection.watchguard.com); upload the diagnostic log file from the firewall appliance you want to diagnose | Download WSM 12.7.2 Update 2 or higher, launch the Cyclops Blink Detector, and select the firewall appliance you want to diagnose | Log in to WatchGuard Cloud. From the Cyclops Blink Detector widget, select the appliances you want to diagnose |
| Data required | Must share the diagnostic log file (support.tgz) with WatchGuard | Diagnosis is performed locally; no data or file is provided to WatchGuard | WatchGuard Cloud directly queries the appliance (as with other WatchGuard Cloud services) |
| Data retention | Optional: the user can opt in to allow WatchGuard to keep the diagnostic log file (support.tgz) for research on the botnet. Otherwise, the file is deleted after the scan results are displayed to the user. | No data collected or retained by WatchGuard | All data related to diagnosis is preserved for 1 year by default. For more information, see this article. |
| Get started | Generate the diagnostic log file (support.tgz) and upload it for immediate results. For more information, see the instructions in the Cyclops Blink Web Detector user interface. | Install WSM v12.7.2 Update 2 or higher and select Tools > Cyclops Blink Detector. For more information, see the instructions in Fireware Help. | Log in to WatchGuard Cloud. In the Cyclops Blink Detector dashboard tile, select Scan Fireboxes in your account. For more information, see the instructions in WatchGuard Cloud Help. |
Remediate
Important!
- If you cannot complete remediation now, disconnect your Firebox from the network immediately.
- Remediation steps differ from the usual upgrade steps you might be used to. You must read and follow the remediation steps carefully.
- If you upgrade a Firebox through the usual upgrade steps, the Cyclops Blink threat will remain on your Firebox. To remediate the threat, you must put the Firebox in recovery mode, and then use the WSM Quick Setup Wizard to upgrade to the latest Fireware version.
- When you complete remediation, the Cyclops Blink botnet is removed from the Firebox. If you want to collect evidence from the Firebox for your own security investigation, you must do this before you remediate.
- After remediation, it is critical that you do not restore a backup image, save an old configuration file or RapidDeploy configuration to the Firebox, or redeploy a previous configuration from WatchGuard Cloud to the Firebox. If your Firebox was infected with Cyclops Blink, it is possible that your configuration was altered to allow ports and traffic that you would usually deny. The only way to make sure your device is not re-infected is to build a new configuration file.
- You must have physical access to the Firebox to complete remediation. If you cannot get immediate physical access to the device to recover and upgrade immediately, you can use RapidDeploy or WatchGuard Cloud templates to start work on a new configuration file or configuration settings and save time. Do not deploy the new configuration to the appliance until you have recovered and upgraded it.
The remediation steps differ based on whether your Firebox is locally-managed or cloud-managed. In addition, the steps are different for virtual Fireboxes (FireboxV, Firebox Cloud, XTMv) and Fireboxes that are managed by Management Server.
Follow the remediation steps in the relevant article for your appliance:
- Cyclops Blink: Remediate a Locally-Managed Firebox (you manage the configuration with WSM or Fireware Web UI)
- Cyclops Blink: Remediate a Cloud-Managed Firebox (you manage the configuration with WatchGuard Cloud)
- Cyclops Blink: Remediate Firebox Cloud
- Cyclops Blink: Remediate FireboxV and XTMv
- Cyclops Blink: Remediate a Firebox Managed by WSM Management Server
Prevent
Whether your Firebox was compromised or not, it is critical to make sure your Firebox runs the latest version of Fireware.
- To upgrade from WatchGuard Cloud, see Upgrade Firmware from WatchGuard Cloud.
- To upgrade from WatchGuard System Manager or Fireware Web UI, see Upgrade Fireware OS or WatchGuard System Manager.
We also recommend that you:
- Make a plan to regularly update the Firebox Status and Admin passphrases. We recommend you specify unique passwords for each Firebox you manage and change them frequently. See Change the Admin and Status passwords on a Firebox.
- Make sure the policies that control firewall management are configured so that unrestricted access from the Internet is not allowed. This is the recommended best practice. We believe that Fireboxes that were compromised were accessed through their management ports. To secure the Firebox management ports, follow the guidelines in the Firebox Remote Management Best Practices article and the Secure Firebox Management Access video tutorial. To configure Firebox management policies:
  - For locally-managed Fireboxes, see Administer the Firebox from a Remote Location and Connect to Fireware Web UI from an External Network.
  - For cloud-managed Fireboxes, you use WatchGuard Cloud to securely manage your Firebox remotely. Web UI Access is disabled by default on external and guest networks. If you require remote access to the local Web UI on a cloud-managed Firebox, see Connect to the Local Fireware Web UI from a Remote Location.
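The management-access check described above can be turned into a repeatable audit. The following is an added example, not a WatchGuard tool and not code from this article: it walks a simplified, constructed list of firewall policies, flags any enabled Allow policy for a management service whose From field includes an Internet-wide alias, and produces a hardened copy that replaces those aliases with an administrator network. The policy names (WatchGuard, WatchGuard Web UI), the alias names (Any, Any-External, Any-Trusted), the record layout, and the 198.51.100.0/24 admin network are all assumptions made for the illustration; check them against your own configuration export.

```python
"""Audit Firebox management policies for unrestricted Internet access.

Added example. The Policy records below are a constructed, simplified
representation of firewall policies; the field names, the built-in
policy names and the alias names are assumptions, not a documented
WatchGuard export format.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

# Assumed names of the policies that control management access to the Firebox.
MANAGEMENT_POLICIES = {"WatchGuard", "WatchGuard Web UI"}
# Assumed source aliases that mean "any host on the Internet".
UNRESTRICTED_SOURCES = {"Any", "Any-External"}


@dataclass(frozen=True)
class Policy:
    name: str
    enabled: bool
    action: str              # "Allow" or "Deny"
    sources: Tuple[str, ...]  # aliases / addresses permitted in the From field


@dataclass(frozen=True)
class Finding:
    policy: str
    reason: str


def exposed_sources(p: Policy) -> List[str]:
    """Return the Internet-wide aliases through which policy p exposes management."""
    if p.name not in MANAGEMENT_POLICIES:
        return []                 # only management policies are in scope
    if not p.enabled or p.action != "Allow":
        return []                 # disabled or Deny policies expose nothing
    return sorted(s for s in p.sources if s in UNRESTRICTED_SOURCES)


def audit_management_access(policies: List[Policy]) -> List[Finding]:
    """One finding per enabled Allow policy that exposes management to the Internet."""
    findings = []
    for p in policies:
        exposed = exposed_sources(p)
        if exposed:
            findings.append(Finding(p.name, "allows management from " + ", ".join(exposed)))
    return findings


def harden_management_access(policies: List[Policy],
                             admin_sources: Tuple[str, ...]) -> List[Policy]:
    """Copy of policies where exposed management policies keep their internal
    sources but trade the Internet-wide aliases for the admin_sources list."""
    hardened = []
    for p in policies:
        if exposed_sources(p):
            kept = tuple(s for s in p.sources if s not in UNRESTRICTED_SOURCES)
            hardened.append(replace(p, sources=kept + admin_sources))
        else:
            hardened.append(p)
    return hardened


# Constructed sample: one weak management policy, one internal-only management
# policy, one disabled leftover rule, and one ordinary (non-management) policy.
WEAK_POLICIES = [
    Policy("WatchGuard Web UI", True, "Allow", ("Any-External", "Any-Trusted")),
    Policy("WatchGuard", True, "Allow", ("Any-Trusted",)),
    Policy("WatchGuard", False, "Allow", ("Any-External",)),
    Policy("HTTP-proxy", True, "Allow", ("Any-Trusted",)),
]

# Assumed administrator network (constructed, documentation address range).
ADMIN_SOURCES = ("198.51.100.0/24",)
HARDENED_POLICIES = harden_management_access(WEAK_POLICIES, ADMIN_SOURCES)

if __name__ == "__main__":
    for f in audit_management_access(WEAK_POLICIES):
        print(f"[weak] {f.policy}: {f.reason}")
    print("findings after hardening:", audit_management_access(HARDENED_POLICIES))
```

Run against the constructed sample, the audit reports only the Web UI policy (the disabled rule and the internal-only policy are not findings), and the hardened copy produces no findings while still admitting the trusted network.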
Investigate
If you have a Firebox that is infected with the botnet, the steps outlined above will remediate the infection and protect you from future infection. While there is no evidence of any data exfiltration at this time, it is industry best practice to conduct a forensic investigation of your network to determine if it may have been compromised by the threat actor.