WatchGuard firewalls exploited by Russian hackers, CISA warns

Federal civilian agencies urged to apply the patch

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered all Federal Civilian Executive Branch (FCEB) agencies topatchany WatchGuard devices immediately, after discovering a number of severe flaws.

The announcement claims a known Russian state-sponsored threat actor called Sandworm is abusing a privilege escalation flaw, tracked as CVE-2022-23176, found in WatchGuard Firebox and XTMfirewallappliances.

The group, allegedly strongly tied to the GRU military intelligence agency, is using the flaw to build a new botnet called Cyclops Blink.

We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time. Thank you for taking part.

Click here to start the survey in a new window«

Modular malware

“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,” the security advisory reads.

Even though the flaw was rated as critical, abusing it requires the target endpoint to allow unrestricted management access from the internet,BleepingComputerreminds. WatchGuard appliances, by default, aren’t configured like that.

Still, FCEB firms have until May 2 2022 to address the flaw.

Cyclops Blinkmalwareis a successor to the now-defunct VPNFilter. It allows Sandworm to conduct cyber espionage, launch distributed denial of service (DDoS) attacks, brick compromised devices and disrupt networks.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

It is also believed to be modular, capable of upgrading itself to compromise and abuse additional hardware.

In March 2022, the Federal Bureau of Investigation (FBI) took down a large-scale Sandworm botnet.

FBI secretly took down massive Russian botnet last month>Russian cyberattacks were reportedly set to target Tokyo Olympics>Russian criminals accused of hacking this top email service

After receiving the green light from courts in California and Pennsylvania, the FBI removed Cyclops Blink from its C2 servers, disconnecting thousands of compromised endpoints. The Justice Department said the raid was a success, but still advised device owners to review the initial advisory and further secure their devices.

Cyclops Blink had been active since February, the Department of Justice (DoJ) said, and while law enforcement had managed to secure some of the compromised devices, the majority were still infected and in use by the threat actors.

“I should caution that as we move forward, any Firebox devices that acted as bots, may still remain vulnerable in the future until mitigated by their owners,” the publication cited FBI Director Chris Wray.

“So those owners should still go ahead and adopt Watchguard’s detection and remediation steps as soon as possible.”

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Another reason to avoid edge-lit 4K TVs: they may fail faster than others, according to this report