WatchGuard firewalls exploited by Russian hackers, CISA warns

The United States Cybersecurity and Infrastructure Security Agency (CISA) has ordered all Federal Civilian Executive Branch (FCEB) agencies to patch all WatchGuard devices immediately, after confirming that a serious flaw in the devices is being actively exploited.

The announcement says that a known Russian state-sponsored threat actor called Sandworm is abusing a privilege escalation flaw, tracked as CVE-2022-23176, found in WatchGuard Firebox and XTM firewall appliances.

The group, widely assessed to be linked to the GRU, Russia's military intelligence agency, has been using the flaw to build a new botnet called Cyclops Blink.

Modular Malware

“The WatchGuard Firebox and XTM appliances allow a remote attacker with non-privileged credentials to access the system with a privileged management session through exposed management access,” the security advisory reads.

Even though the flaw has been classified as critical, exploiting it requires the target appliance to allow unrestricted management access from the Internet, BleepingComputer notes. WatchGuard appliances are not configured this way by default.

Still, FCEB agencies have until May 2, 2022 to fix the flaw.

The Cyclops Blink malware is the successor to the defunct VPNFilter. It allows Sandworm to conduct cyber espionage, launch Distributed Denial of Service (DDoS) attacks, brick compromised devices, and disrupt networks.

It is also believed to be modular, meaning it can be updated to compromise and abuse additional hardware.

In March 2022, the Federal Bureau of Investigation (FBI) disrupted a large-scale Sandworm botnet.

After receiving the green light from courts in California and Pennsylvania, the FBI removed Cyclops Blink from its command-and-control (C2) servers, disconnecting thousands of compromised endpoints. The Department of Justice declared the operation a success, but still advised device owners to review the original advisory and harden their devices.


Cyclops Blink had been active since February, the Department of Justice (DoJ) said, and while law enforcement managed to secure some of the compromised devices, the majority were still infected and in use by the threat actors.

“I must warn that as we move forward, any Firebox devices that have acted as bots may still remain vulnerable in the future until mitigated by their owners,” said Christopher Wray, director of the FBI.

“Those owners should therefore always go ahead and adopt WatchGuard’s detection and remediation steps as soon as possible.”

Via: BleepingComputer
