WatchGuard firewalls exploited by Russian hackers, CISA warns

(Image credit: Shutterstock / Aleksandra Gigowska)

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered all Federal Civilian Executive Branch (FCEB) agencies to patch any WatchGuard devices immediately, after discovering a number of severe flaws.

The announcement claims a known Russian state-sponsored threat actor called Sandworm is abusing a privilege escalation flaw, tracked as CVE-2022-23176, found in WatchGuard Firebox and XTM firewall appliances.

The group, allegedly strongly tied to the GRU military intelligence agency, is using the flaw to build a new botnet called Cyclops Blink. 

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Modular malware

"WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access," the security advisory reads.

Even though the flaw was rated as critical, abusing it requires the target endpoint to allow unrestricted management access from the internet, BleepingComputer reminds. WatchGuard appliances, by default, aren’t configured like that.

Still, FCEB firms have until May 2 2022 to address the flaw. 

Cyclops Blink malware is a successor to the now-defunct VPNFilter. It allows Sandworm to conduct cyber espionage, launch distributed denial of service (DDoS) attacks, brick compromised devices and disrupt networks. 

It is also believed to be modular, capable of upgrading itself to compromise and abuse additional hardware.

In March 2022, the Federal Bureau of Investigation (FBI) took down a large-scale Sandworm botnet.

After receiving the green light from courts in California and Pennsylvania, the FBI removed Cyclops Blink from its C2 servers, disconnecting thousands of compromised endpoints. The Justice Department said the raid was a success, but still advised device owners to review the initial advisory and further secure their devices.

Cyclops Blink had been active since February, the Department of Justice (DoJ) said, and while law enforcement had managed to secure some of the compromised devices, the majority were still infected and in use by the threat actors.

"I should caution that as we move forward, any Firebox devices that acted as bots, may still remain vulnerable in the future until mitigated by their owners," the publication cited FBI Director Chris Wray.

"So those owners should still go ahead and adopt Watchguard's detection and remediation steps as soon as possible.”

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.