WatchGuard firewall admins warned that new malware targets the devices

Administrators of WatchGuard firewalls are being warned to search for signs of compromise on the devices after the publication of a report of malware distributed by a threat group believed to be run by Russian army intelligence.

The report, issued this week by U.S. and U.K. cyber intelligence agencies, said the group known as Sandworm (also called APT28, or Voodoo Bear by some researchers) has been quietly deploying what has been dubbed Cyclops Blink malware through a botnet of exploited network devices including small office/home office (SOHO) routers and network-attached storage (NAS) devices.

Cyclops Blink is a replacement for similar malware called VPNFilter.

VPNFilter and its botnet were exposed in 2018 by researchers at Cisco Systems’ Talos threat intelligence service. The U.S. Justice Department then announced an effort to disrupt VPNFilter and what it called a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices.

According to the new U.S./U.K. report, Cyclops Blink has been deployed since at least June 2019, 14 months after VPNFilter was disrupted.

“In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread,” the report adds. “The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.” Only WatchGuard devices that were reconfigured from the manufacturer’s default settings to open remote management interfaces to external access could be infected, the report says.

The report calls the malware sophisticated and modular, with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed. After initial exploitation of a device, Cyclops Blink is generally deployed as part of a fake firmware update.

The report says WatchGuard has created tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed.

WatchGuard said that, based on its own investigation, work done with Mandiant, and information provided by the FBI, there is no evidence of data exfiltration from WatchGuard or its customers. WatchGuard firewall appliances are not at risk if they were never configured to allow unrestricted management access from the Internet, it adds.

Because Cyclops Blink can be reconfigured to attack many devices, the intelligence agencies issued the following advice it IT administrators, which applies to protecting against any malware:

  • do not expose management interfaces of network devices to the internet;
  • apply security patches promptly;
  • use multi-factor authentication on network devices to reduce the impact of password compromises;
  • tell staff how to report suspected phishing emails;
  • set up a network security monitoring capability;
  • prevent and detect lateral movement in your organization’s network.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.