According to current information, a limited number (~1%) of WatchGuard firewalls have been infected by a state-sponsored botnet called Cyclops Blink. Although there is currently no evidence of data exfiltration, it is possible that data from the firewalls has been compromised.
Blog article in German can be found here: https://blog.boll.ch/watchguard-firewalls-cyclops-blink-botnet-befall/
Blog with additional information
Cyclops Blink FAQ
1. Is my firewall affected?
WatchGuard provides several ways to detect an infection of the firewalls by the botnet software:
Cyclops Blink Web Detector (online)
On the website https://detection.watchguard.com/Detector you can upload the firewall's support.tgz file and have it checked for a botnet infection.
WatchGuard System Manager Cyclops Blink Detector
In the latest WSM version 12.7.2 update 2 (downloadable now) there is a Cyclops Blink Detector:
Download WSM Version 12.7.2 Update 2
WatchGuard Cloud Cyclops Blink Detector
Firewalls added to the WatchGuard Cloud also have a Cyclops Blink Detector:
2a. My firewall is not affected
Even if your firewall is not affected, you should implement the following advice as soon as possible:
Install the latest firmware
Here you can find the latest firmware:
Close the management ports from the Internet
WatchGuard assumes that the malware could be installed through the management ports.
Change the administrator password
Administrator passwords should be changed regularly.
2b. My firewall is affected
Depending on the type of management, it may be necessary to completely reset and rebuild the firewall, as the malware may take root in the configuration and software:
Locally managed Firebox via WSM or Fireware WebUI
WatchGuard Cloud managed Fireboxes
FireboxV / XTMv
Fireboxes managed by the management server