On February 23rd, the UK National Cyber Security Center (NCSC) with the US Cybersecurity &
Infrastructure Security Agency (CISA) and other security agencies released information that the
threat actor group known as “Voodoo Bear” or “Sandworm” has been leveraging a modular and
fairly sophisticated implant dubbed “Cyclops Blink”.
Cyclops Blink appears to be a replacement of the previously discovered and documented VPNFilter modular implant framework, also previously leveraged by Sandworm. The VPNFilter and Cyclops Blink implants primarily target Small Office/Home Office (SOHO) network devices. The VPNFilter implant was previously used by the threat actor to redirect and manipulate traffic and infected devices were also used to maintain persistence on victim networks.
The devices infected by Cyclops Blink have been incorporated into a large-scale botnet operated
by the threat actor, which appears to have first become active as early as June 2019. As of today,
of the 1500+ impacted IPv4 that were reported, around 40% are geolocated in the United States.
In its current iteration, Cyclops Blink is highly modular and provides attackers several capabilities
(as well as writing and deploying implant modules on the fly). Cyclops Blink has been observed
primarily targeting SOHO devices from WatchGuard (Watchguard Firebox appliances). Additionally, Cyclops Blink is deployed persistently on infected WatchGuard devices by abusing the firmware upgrade mechanism.
While Cyclops Blink has only been observed on WatchGuard devices as of today, an assessment of the malware reveals that it could also be compiled and deployed onto other architectures and
Organizations with WatchGuard firewalls should review the solution section of this advisory for
details on how to identify a potential infection and restore the system to a known good state. If the Watchguard management interface was exposed to the internet, organizations should assume the appliance has been compromised and investigate the system for signs of the implant prior to upgrading.
Affected Operating Systems
All Watchguard Firebox appliances are currently known vulnerable. As such organizations with
Firebox appliances must be upgraded to the latest versions for the Firebox appliances as soon as
possible. The latest Firmware for WatchGuard Firebox appliances is available for download from:
Before upgrading any appliances, it is critical to assess whether your Firebox appliance may have
been infected with Cyclops Blink. Watchguard, with the assistance of the NSA, CISA, and UK NCSC
have provided with different methods to investigate and identify a potential infection as described in https://detection.watchguard.com/
CISA and the NCSC both describe the Cyclops Blink malware as a successor to an earlier
Sandworm tool known as VPNFilter, which had infected over half a million routers before it
identified by Cisco and the FBI and dismantled in 2018.
This implant is a multi-stage, modular platform with versatile capabilities to support both
intelligence-collection and potentially destructive cyber-attack operations. It targets devices
running firmware based on Busybox and Linux and is compiled for several CPU architectures.
The first stage primary ensures persistence (via crontab) which sets it apart from other IOT
malware such as Mirai. Furthermore, it implements various redundant mechanisms to resolve the address of the second stage deployment server. The second stage once downloaded exposes the usual modules of a remotely management implant Command-and-Control including:
• File collection
• Command execution
• Data exfiltration
• Device management
However, some of the most interesting modules are implemented in a third stage and are
deployed independently as “plugins”. One such plugin implements a packet sniffer that allows
inspection of traffic and consequently theft of credentials.
The Cyclops Blink malware comes in the form of a firmware update which abuses Watchguard’s
standard firmware upgrade to install the malicious firmware. It leverages a vulnerability in the
firmware update process where the Hash-based Message Authentication Code (HMAC) can be
recalculated due to a hard-coded key in WatchGuard Firebox devices used to initialize hash
calculation. This allows persistence between reboots.
The Cyclops Blink malware has the following capabilities (most critical ones listed):
• Add a new module to Cyclops Blink.
• Update the Cyclops Blink Linux ELF executable.
• Update the list of C2 server IPv4 addresses
• Resend the current Cyclops Blink configuration to all running modules
• Gather all system information like sysinfo, /etc/passwd, /proc/mounts/, …
The full technical details are linked in the reference section.
Firmware upgrades are available and if you have a legitimate firmware running in your Fireboxes
you need to upgrade to the latest versions.
If your Fireboxes have been impacted by a malicious firmware you first need to remediate as
described in watchguard’s documentation listed below:
Temporary Workarounds and Mitigations
To mitigate the risks until upgrading to the latest version the CFC recommends:
• Ensuring network devices’ management interfaces are not exposed to the internet.
• Ensuring strong authentication material, rotated regularly, on Firebox devices management
• Monitoring firewall management activities on Fireboxes that have not yet been updated
What the Cyber Fusion Center is doing
The CFC has created hunting campaigns and compiled IOCs to identify potential communication
with known Cyclops Blink C2 servers.