On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies to patch an actively exploited vulnerability in WatchGuard Firebox and XTM firewall appliances, and urged all US organizations to do the same. Sandworm, a Russian hacking group thought to be linked to the GRU, Russia's military intelligence agency, exploited this high-severity privilege escalation flaw (CVE-2022-23176) to build the Cyclops Blink botnet out of compromised WatchGuard Small Office/Home Office (SOHO) network devices. "WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access," reads WatchGuard's security advisory. The flaw is only exploitable when an appliance is configured to allow unrestricted management access from the Internet; by default, management access is restricted to trusted networks. Under Binding Operational Directive 22-01 (BOD 22-01), issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies must remediate vulnerabilities that CISA adds to its catalog of known exploited flaws within the deadline CISA sets. For CVE-2022-23176, CISA gave them three weeks.
Since at least June 2019, Sandworm has used the Cyclops Blink malware to compromise WatchGuard Firebox firewall appliances, and later several ASUS router models, with CVE-2022-23176 among the exploits used against WatchGuard devices. Cyclops Blink is deployed as a repacked firmware image pushed through the device's legitimate firmware update channel, so the implant survives reboots and subsequent updates and gives its operators persistent remote access to the networks behind infected devices. The malware is modular, which makes it straightforward to add new capabilities and to target new device models and vulnerabilities. US authorities disrupted the Cyclops Blink botnet before it could be used in attacks: as part of the takedown, the FBI removed the malware from WatchGuard devices that were serving as command-and-control servers and notified owners of affected devices in the United States and abroad. To prevent reinfection, WatchGuard has published instructions for cleaning infected Firebox appliances and updating them to the current Fireware OS version.
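The two facts that matter for triage here are whether an appliance runs a Fireware OS build that predates the fix and whether its management interface is reachable from the Internet, the precondition the advisory names. The script below is an added example (not code from the article, CISA or WatchGuard) that parses Fireware version strings of the form `12.7.2_U1` and sorts a fleet inventory into a work queue. The per-branch minimum patched versions in `PATCHED_MIN` are an assumption and must be confirmed against WatchGuard's advisory before use; the inventory is constructed sample data, and the `mgmt_exposed` flag is assumed to come from your own external scan or configuration export.

```python
"""Triage a WatchGuard Firebox inventory for CVE-2022-23176.

Added example, not from the article or the vendor. Parses Fireware OS
version strings such as "12.7.2_U1" (release 12.7.2, update 1) and
compares them to an assumed per-branch minimum patched version.
"""
import re
from typing import NamedTuple, Optional

# ASSUMPTION: minimum patched version per release branch (major.minor).
# Illustrative placeholders; replace with the values from WatchGuard's
# advisory for CVE-2022-23176 before relying on this.
PATCHED_MIN = {
    (12, 1): "12.1.3_U3",
    (12, 5): "12.5.7_U3",
    (12, 7): "12.7.2_U1",
}

# major.minor[.patch][_Uupdate]; the "_U" suffix is WatchGuard's update level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_U(\d+))?$")


def parse_version(text: str) -> tuple:
    """'12.7.2_U1' -> (12, 7, 2, 1). Missing patch/update levels count as 0,
    so a plain '12.7.2' sorts below '12.7.2_U1' as it should."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def is_patched(version: str) -> Optional[bool]:
    """True if at/above the branch minimum, False if below,
    None if the branch is absent from the table and cannot be judged."""
    v = parse_version(version)
    branch = v[:2]
    if branch in PATCHED_MIN:
        return v >= parse_version(PATCHED_MIN[branch])
    # ASSUMPTION: branches newer than the newest fixed branch shipped after the fix.
    if branch > max(PATCHED_MIN):
        return True
    # Older branches with no fixed release in the table: flag for manual review.
    return None


class Finding(NamedTuple):
    host: str
    version: str
    mgmt_exposed: bool
    priority: str


def triage(inventory):
    """inventory: iterable of (host, fireware_version, mgmt_exposed_to_internet).
    Returns findings ordered so the output reads as a work queue."""
    findings = []
    for host, version, exposed in inventory:
        patched = is_patched(version)
        if patched is None:
            prio = "review"      # unknown branch: check the advisory by hand
        elif patched:
            prio = "ok"
        elif exposed:
            # Unpatched AND management reachable from the Internet: exactly the
            # configuration the advisory says is exploitable.
            prio = "critical"
        else:
            prio = "high"        # unpatched, but the precondition is not met
        findings.append(Finding(host, version, exposed, prio))
    order = {"critical": 0, "high": 1, "review": 2, "ok": 3}
    return sorted(findings, key=lambda f: order[f.priority])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "12.7.2_U1", False),
    ("fw-branch-02", "12.7.2", True),
    ("fw-hq-01", "12.5.7_U3", True),
    ("fw-lab-01", "12.1.3_U2", False),
    ("fw-new-01", "12.8.0", False),
    ("fw-old-01", "12.0.1", True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.priority:8} {f.host:14} {f.version:10} mgmt_exposed={f.mgmt_exposed}")
```

The ordering is deliberate: an unpatched device with management exposed is the case Cyclops Blink actually abused and goes to the top, an unpatched device behind a restricted management ACL is still urgent but not reachable by the same route, and anything on a branch the table does not cover is surfaced for a human rather than silently marked safe.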