CISA has urged federal civilian agencies and U.S. organizations to patch a critical bug that is being actively exploited by the Sandworm group. The bug affects WatchGuard Firebox and XTM firewall appliances.

What was found?

According to the advisory, the Russian state-sponsored Sandworm group has been exploiting the privilege escalation flaw (CVE-2022-23176) to build the Cyclops Blink botnet, which targets WatchGuard SOHO network devices.
  • CISA has given federal civilian executive branch agencies three weeks, until May 2, to fix this flaw. The flaw has also been added to the Known Exploited Vulnerabilities Catalog.
  • Even though the directive formally applies only to federal agencies, CISA has urged all U.S. organizations to fix the abused security flaw so that their WatchGuard appliances are not compromised.
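The Known Exploited Vulnerabilities (KEV) Catalog mentioned above is published by CISA as a JSON feed, and the "three weeks until May 2" deadline is the `dueDate` field of the catalog entry. The following added example (not code from the article or from CISA) shows how a defender can parse a KEV-style feed and compare its due dates against a hardware inventory to flag remediation work that is open or overdue. The sample feed is constructed for this example: only CVE-2022-23176 and the May 2 due date come from the article; the `dateAdded` value, the second placeholder entry and the catalog metadata are assumptions.

```python
from __future__ import annotations

import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The real feed has
# the same top-level "vulnerabilities" array with these per-entry keys.
# CVE-2022-23176 and its 2022-05-02 due date are taken from the article;
# dateAdded (three weeks earlier) and the second entry are made up.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example-constructed",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-23176",
            "vendorProject": "WatchGuard",
            "product": "Firebox and XTM appliances",
            "vulnerabilityName": "WatchGuard Firebox and XTM privilege escalation",
            "dateAdded": "2022-04-11",
            "shortDescription": "Privilege escalation abused to build the Cyclops Blink botnet.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-05-02",
        },
        {
            # Placeholder entry, not a real CVE, used to show filtering by vendor.
            "cveID": "CVE-YYYY-NNNNN",
            "vendorProject": "ExampleVendor",
            "product": "Example Router",
            "vulnerabilityName": "Placeholder vulnerability",
            "dateAdded": "2022-04-11",
            "shortDescription": "Constructed entry for illustration only.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-05-02",
        },
    ],
})


def parse_kev(raw: str) -> list[dict]:
    """Return the list of vulnerability records from a KEV-format JSON document."""
    return json.loads(raw)["vulnerabilities"]


def deadline_window_days(entry: dict) -> int:
    """Number of days CISA allowed between adding an entry and its due date."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def remediation_status(entries: list[dict], vendors_in_use: set[str],
                       today: date) -> dict[str, tuple[str, int]]:
    """Map each KEV CVE affecting a vendor we run to ('open'|'overdue', days_left).

    days_left is negative once the due date has passed. Entries for vendors
    not in our inventory are skipped so the list stays actionable.
    """
    status: dict[str, tuple[str, int]] = {}
    for entry in entries:
        if entry["vendorProject"] not in vendors_in_use:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        state = "overdue" if days_left < 0 else "open"
        status[entry["cveID"]] = (state, days_left)
    return status


if __name__ == "__main__":
    kev = parse_kev(SAMPLE_KEV_JSON)
    # Constructed inventory: this environment runs WatchGuard appliances only.
    for cve, (state, days) in remediation_status(kev, {"WatchGuard"}, date(2022, 4, 20)).items():
        print(f"{cve}: {state}, {days} day(s) until the CISA due date")
```

In practice the feed would be fetched from CISA rather than embedded, and `vendors_in_use` would come from an asset inventory; the deadline math is the same either way.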

Before it was disrupted recently, Cyclops Blink had compromised nearly one percent of WatchGuard Firebox firewall appliances using CVE-2022-23176 exploits, and had also targeted various ASUS router models, with activity dating back to June 2019.

Additional advisory

  • WatchGuard issued its own advisory after U.S. and U.K. agencies attributed the malware to GRU hackers.
  • The joint advisory from the U.K. NCSC, FBI, CISA, and NSA recommends that all accounts on infected devices be treated as compromised and that internet access to the device management interface be removed.

Concluding notes

The warning about exploitation of this privilege escalation flaw by Russia-sponsored hackers should be taken seriously: an exploitable flaw in a network device sitting at the perimeter can become a severe threat. Affected users are advised to follow the published instructions for recovering infected Firebox appliances.
Cyware Publisher