{"id":14536,"date":"2022-02-23T17:49:05","date_gmt":"2022-02-23T16:49:05","guid":{"rendered":"https:\/\/www.boc.de\/watchguard-info-portal\/?p=14536"},"modified":"2022-02-24T17:00:45","modified_gmt":"2022-02-24T16:00:45","slug":"howto-4-step-cyclops-blink-diagnosis-and-remediation-plan","status":"publish","type":"post","link":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/2022\/02\/howto-4-step-cyclops-blink-diagnosis-and-remediation-plan\/","title":{"rendered":"HOWTO: 4-Step Cyclops Blink Diagnosis and Remediation Plan"},"content":{"rendered":"<p>For the German version of this article, go <a href=\"https:\/\/www.boc.de\/watchguard-info-portal\/2022\/02\/howto-4-schritte-diagnose-und-behebungsplan-gegen-cyclops-blink-infektion\/\">&gt;&gt; here<\/a>.<\/p>\n<p>Working closely with the FBI, CISA, DOJ, and UK National Cyber Security Centre (NCSC), WatchGuard has investigated and developed a remediation for Cyclops Blink, a sophisticated state-sponsored botnet that may have affected a limited number of WatchGuard firewall appliances.<\/p>\n<p>WatchGuard has developed and released a set of Cyclops Blink\u00a0detection tools, as well as this\u00a0<em>4-Step Cyclops Blink Diagnosis and Remediation Plan<\/em>\u00a0to help customers diagnose, remediate if necessary, and prevent future infection.<\/p>\n<p>The plan includes these four steps:<\/p>\n<ol>\n<li>Diagnose<\/li>\n<li>Remediate<\/li>\n<li>Prevent<\/li>\n<li>Investigate<\/li>\n<\/ol>\n<p><!--more--><\/p>\n<hr \/>\n<h2><a id=\"Diagnose\" name=\"Diagnose\"><\/a><strong>Diagnose<\/strong><\/h2>\n<p>WatchGuard provides three tools to help you diagnose whether your Firebox is affected by Cyclops Blink:<\/p>\n<ul>\n<li>Cyclops Blink\u00a0Web Detector<\/li>\n<li>WatchGuard System Manager Cyclops Blink Detector<\/li>\n<li>WatchGuard Cloud Cyclops Blink Detector<\/li>\n<\/ul>\n<p>Use the information in this table to select a detection tool and use it to diagnose one or more Fireboxes:<\/p>\n<table border=\"1\">\n<thead>\n<tr>\n<th 
colspan=\"1\" rowspan=\"1\" width=\"16%\"><\/th>\n<th colspan=\"1\" rowspan=\"1\" width=\"16%\"><strong>Cyclops Blink<\/strong><br \/>\n<strong>Web Detector<\/strong><\/th>\n<th colspan=\"1\" rowspan=\"1\" width=\"16%\"><strong>WatchGuard System Manager<\/strong><br \/>\n<strong>Cyclops Blink Detector<\/strong><\/th>\n<th colspan=\"1\" rowspan=\"1\" width=\"16%\"><strong>WatchGuard Cloud<\/strong><br \/>\n<strong>Cyclops Blink Detector<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td colspan=\"1\" rowspan=\"1\"><strong>Appliance compatibility<\/strong><\/td>\n<td colspan=\"1\" rowspan=\"1\">All<\/td>\n<td colspan=\"1\" rowspan=\"1\">All<\/td>\n<td colspan=\"1\" rowspan=\"1\">Only for appliances that have been added to WatchGuard Cloud for logging, reporting, or management<\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\"><strong>Access<\/strong><\/td>\n<td colspan=\"1\" rowspan=\"1\">Public website with no access restrictions<\/td>\n<td colspan=\"1\" rowspan=\"1\">Must download and install WSM 12.7.2 Update 2 or higher<\/td>\n<td colspan=\"1\" rowspan=\"1\">Must have a WatchGuard Cloud account with firewall appliances added for logging, reporting, or management<\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\"><strong>Process<\/strong><\/td>\n<td colspan=\"1\" rowspan=\"1\">Download diagnostic log file (support.tgz) file from firewall appliance; visit secure Cyclops Blink Web Detector (<a href=\"https:\/\/detection.watchguard.com\/Detector\" target=\"_blank\" rel=\"noopener noreferrer\">detection.watchguard.com<\/a>); upload diagnostic log file from the firewall appliance you want to diagnose<\/td>\n<td colspan=\"1\" rowspan=\"1\">Download WSM 12.7.2 Update 2 or higher, launch the Cyclops Blink Detector and select the firewall appliance you want to diagnose<\/td>\n<td colspan=\"1\" rowspan=\"1\">Log in to WatchGuard Cloud. 
From the Cyclops Blink Detector widget, select the appliances you want to diagnose<\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\"><strong>Data required<\/strong><\/td>\n<td colspan=\"1\" rowspan=\"1\">Must share diagnostic log file (support.tgz) with WatchGuard<\/td>\n<td colspan=\"1\" rowspan=\"1\">Diagnosis provided locally with no data\/file provided to WatchGuard<\/td>\n<td colspan=\"1\" rowspan=\"1\">WatchGuard Cloud directly queries the appliance (as with other WatchGuard Cloud services).<\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\"><strong>Data retention<\/strong><\/td>\n<td colspan=\"1\" rowspan=\"1\">Optional &#8211; User can opt in to allow WatchGuard to keep the diagnostic log file (support.tgz) for research of the botnet. Otherwise, the file is deleted after scan results are displayed to the user.<\/td>\n<td colspan=\"1\" rowspan=\"1\">No data collected or retained by WatchGuard<\/td>\n<td colspan=\"1\" rowspan=\"1\">All data related to diagnosis is preserved for 1 year by default. 
For more information, see\u00a0<a href=\"https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA16S000000SOBISA4&amp;lang=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>.<\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\"><strong>Get started<\/strong><\/td>\n<td colspan=\"1\" rowspan=\"1\"><p>Generate diagnostic log file (support.tgz) and upload for immediate results.<\/p>\n<p>For more information, see the instructions in the\u00a0<a href=\"https:\/\/detection.watchguard.com\/Detector\" target=\"_blank\" rel=\"noopener noreferrer\">Cyclops Blink Web Detector<\/a>\u00a0user interface.<\/p><\/td>\n<td colspan=\"1\" rowspan=\"1\"><p>Install WSM v12.7.2 Update 2 or higher and select\u00a0<strong>Tools &gt; Cyclops Blink Detector<\/strong>.<\/p>\n<p>For more information, see the instructions in\u00a0<a href=\"https:\/\/www.watchguard.com\/help\/docs\/help-center\/en-US\/index.html#cshid=1065\" target=\"_blank\" rel=\"noopener noreferrer\">Fireware Help<\/a>.<\/p><\/td>\n<td colspan=\"1\" rowspan=\"1\"><p>Log in to WatchGuard Cloud. In the Cyclops Blink Detector dashboard tile, select\u00a0<strong>Scan Fireboxes in your account<\/strong>.<\/p>\n<p>For more information, see the instructions in\u00a0<a href=\"https:\/\/www.watchguard.com\/help\/docs\/help-center\/en-US\/index.html#cshid=16200\" target=\"_blank\" rel=\"noopener noreferrer\">WatchGuard Cloud Help<\/a>.<\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h2><a id=\"Remediate\" name=\"Remediate\"><\/a><strong>Remediate<\/strong><\/h2>\n<p><strong>Important!<\/strong><\/p>\n<ul>\n<li>If you cannot complete remediation now, disconnect your Firebox from the network immediately.<\/li>\n<li>Remediation steps differ from the usual upgrade steps you might be used to. You must read and follow the remediation steps carefully.<\/li>\n<li>If you upgrade a Firebox through the usual upgrade steps, the Cyclops Blink threat will remain on your Firebox. 
To remediate the threat, you must put the Firebox in recovery mode, and then use the WSM Quick Setup Wizard to upgrade to the latest Fireware version.<\/li>\n<li>When you complete remediation, the Cyclops Blink botnet is removed from the Firebox. If you want to collect evidence from the Firebox for your own security investigation, you must do this before you remediate.<\/li>\n<li>After remediation, it is critical that you do not restore a backup image, save an old configuration file or RapidDeploy configuration to the Firebox, or redeploy a previous configuration from WatchGuard Cloud to the Firebox. If your Firebox was infected with Cyclops Blink, it is possible that your configuration was altered to allow ports and traffic that you would usually deny. The only way to make sure your device is not re-infected is to build a new configuration file.<\/li>\n<li>You must have physical access to the Firebox to complete remediation. If you cannot get immediate physical access to the device to recover and upgrade immediately, you can use RapidDeploy or WatchGuard Cloud templates to start work on a new configuration file or configuration settings and save time. Do not deploy the new configuration to the appliance until you have recovered and upgraded it.<\/li>\n<\/ul>\n<p>The remediation steps differ based on whether your Firebox is locally-managed or cloud-managed. 
In addition, the steps are different for virtual Fireboxes (FireboxV, Firebox Cloud, XTMv) and Fireboxes that are managed by Management Server.<\/p>\n<p>Follow the remediation steps in the relevant article for your appliance:<\/p>\n<ul>\n<li><a href=\"https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA16S000000SO3iSAG&amp;lang=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">Cyclops Blink: Remediate a Locally-Managed Firebox<\/a>\u00a0(you manage the configuration with WSM or Fireware Web UI)<\/li>\n<li><a href=\"https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA16S000000SO3dSAG&amp;lang=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">Cyclops Blink: Remediate a Cloud-Managed Firebox<\/a>\u00a0(you manage the configuration with WatchGuard Cloud)<\/li>\n<li><a href=\"https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA16S000000SO4qSAG&amp;lang=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">Cyclops Blink: Remediate Firebox Cloud<\/a><\/li>\n<li><a href=\"https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA16S000000SO4vSAG&amp;lang=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">Cyclops Blink: Remediate FireboxV and XTMv<\/a><\/li>\n<li><a href=\"https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA16S000000SO50SAG&amp;lang=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">Cyclops Blink: Remediate a Firebox Managed by WSM Management Server<\/a><\/li>\n<\/ul>\n<hr \/>\n<h2><a id=\"Prevent\" name=\"Prevent\"><\/a><strong>Prevent<\/strong><\/h2>\n<p>Whether your Firebox was compromised or not, it is critical to make sure your Firebox runs the latest version of Fireware.<\/p>\n<ul>\n<li>To upgrade from WatchGuard Cloud, see\u00a0<a title=\"https:\/\/www.watchguard.com\/help\/docs\/help-center\/en-us\/content\/en-us\/wg-cloud\/devices\/sub_upgrade-firmware.html\" 
href=\"https:\/\/www.watchguard.com\/help\/docs\/help-center\/en-US\/Content\/en-US\/WG-Cloud\/Devices\/sub_upgrade-firmware.html\" target=\"_blank\" rel=\"noopener noreferrer\">Upgrade Firmware from WatchGuard Cloud<\/a>.<\/li>\n<li>To upgrade from WatchGuard System Manager or Fireware Web UI, see\u00a0<a title=\"https:\/\/www.watchguard.com\/help\/docs\/help-center\/en-us\/content\/en-us\/fireware\/installation\/version_upgrade_new_c.html\" href=\"https:\/\/www.watchguard.com\/help\/docs\/help-center\/en-US\/Content\/en-US\/Fireware\/installation\/version_upgrade_new_c.html\" target=\"_blank\" rel=\"noopener noreferrer\">Upgrade Fireware OS or WatchGuard System Manager<\/a>.<\/li>\n<\/ul>\n<p>We also recommend that you:<\/p>\n<ul>\n<li>Make a plan to regularly update the Firebox Status and Admin passphrases. We recommend you specify unique passwords for each Firebox you manage and change them frequently. See\u00a0<a href=\"https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA16S000000SO26SAG&amp;lang=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">Change the Admin and Status passwords on a Firebox<\/a>.<\/li>\n<li>Make sure the policies that control firewall management are configured so that unrestricted access from the Internet is not allowed. This is the recommended best practice. We believe that Fireboxes that were compromised were accessed through their management ports. 
To secure the Firebox management ports, follow the guidelines in the\u00a0<a href=\"https:\/\/techsearch.watchguard.com\/KB?type=Article&amp;SFDCID=kA10H000000XeAtSAK&amp;lang=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">Firebox Remote Management Best Practices<\/a>\u00a0article and the\u00a0<a href=\"https:\/\/www.watchguard.com\/help\/video-tutorials\/Secure_Firebox_Mgmt_Access\/Securing_Firebox_Mgmt_Access.mp4\" target=\"_blank\" rel=\"noopener noreferrer\">Secure Firebox Management Access<\/a>\u00a0video tutorial. To configure Firebox management policies:\n<ul>\n<li>For locally-managed Fireboxes, see\u00a0<a href=\"https:\/\/www.watchguard.com\/help\/docs\/help-center\/en-US\/Content\/en-US\/Fireware\/basicadmin\/manage_firebox_remote_loc_c.html\" target=\"_blank\" rel=\"noopener noreferrer\">Administer the Firebox from a Remote Location<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.watchguard.com\/help\/docs\/help-center\/en-US\/Content\/en-US\/Fireware\/system_status\/connect_webui_external.html\" target=\"_blank\" rel=\"noopener noreferrer\">Connect to Fireware Web UI from an External Network<\/a>.<\/li>\n<li>For cloud-managed Fireboxes, you use WatchGuard Cloud to securely manage your Firebox remotely. Web UI Access is disabled by default on external and guest networks. If you require remote access to the local Web UI on a cloud-managed Firebox, see\u00a0<a href=\"https:\/\/www.watchguard.com\/help\/docs\/help-center\/en-US\/index.html#cshid=16163\" target=\"_blank\" rel=\"noopener noreferrer\">Connect to the Local Fireware Web UI from a Remote Location<\/a>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2><a id=\"Investigate\" name=\"Investigate\"><\/a><strong>Investigate<\/strong><\/h2>\n<p>If you have a Firebox that is infected with the botnet, the steps outlined above will remediate the infection and protect you from future infection. 
While there is no evidence of any data exfiltration at this time, it is industry best practice to conduct a forensic investigation of your network to determine if it may have been compromised by the threat actor.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For the German version of this article, go &gt;&gt; here. Working closely with the FBI, CISA, DOJ, and UK National Cyber Security Centre (NCSC), WatchGuard has investigated and developed a remediation for Cyclops Blink, a sophisticated state-sponsored botnet that may have affected a limited number of WatchGuard firewall appliances. WatchGuard has developed and released a set of Cyclops Blink\u00a0detection tools, as well as this\u00a04-Step Cyclops Blink Diagnosis and &hellip; <a href=\"https:\/\/wordpress.boc.de\/watchguard-info-portal\/2022\/02\/howto-4-step-cyclops-blink-diagnosis-and-remediation-plan\/\" class=\"more-link\">Read more <span class=\"screen-reader-text\">HOWTO: 4-Step Cyclops Blink Diagnosis and Remediation Plan<\/span> <span 
class=\"meta-nav\">&raquo;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[362],"tags":[626,827,826],"class_list":["post-14536","post","type-post","status-publish","format-standard","hentry","category-howto","tag-cyber-security","tag-cyclop-blink","tag-security-alert"],"_links":{"self":[{"href":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/wp-json\/wp\/v2\/posts\/14536"}],"collection":[{"href":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/wp-json\/wp\/v2\/comments?post=14536"}],"version-history":[{"count":9,"href":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/wp-json\/wp\/v2\/posts\/14536\/revisions"}],"predecessor-version":[{"id":14719,"href":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/wp-json\/wp\/v2\/posts\/14536\/revisions\/14719"}],"wp:attachment":[{"href":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/wp-json\/wp\/v2\/media?parent=14536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/wp-json\/wp\/v2\/categories?post=14536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/wp-json\/wp\/v2\/tags?post=14536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}