On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies to patch an actively exploited bug affecting WatchGuard Firebox and XTM firewall appliances, and urged all US enterprises to do the same.

Sandworm, a Russia-based hacking group thought to be linked to the GRU, Russia's military intelligence agency, used this high-severity privilege escalation flaw (CVE-2022-23176) to build the Cyclops Blink botnet out of compromised WatchGuard Small Office/Home Office (SOHO) network devices.

“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,” reads the security advisory. The vulnerability can be exploited only if a WatchGuard appliance is configured to allow unrestricted management access from the Internet; that access is restricted by default.

Under Binding Operational Directive 22-01 (BOD 22-01), issued in November, Federal Civilian Executive Branch (FCEB) organizations must secure their systems against these security weaknesses. CISA gave them up to three weeks to patch the CVE-2022-23176 vulnerability.
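The advisory's precondition, that the appliance must expose its management interface to the Internet, is something a defender can audit directly from the firewall's policy set. The following is an added example, not code from the article or from WatchGuard: it scans a simplified, hypothetical policy representation (not WatchGuard's real configuration format) for allow rules that open management ports to unrestricted external sources, and prints a remediation for each hit. The port list is an assumption taken from WatchGuard's documented defaults (Fireware Web UI on TCP 8080, WatchGuard System Manager on 4105/4117/4118) and should be verified against your own appliance's documentation; the sample policies are constructed.

```python
"""Audit firewall policies for Internet-exposed management access.

Added example (not from the article or from WatchGuard). It models the
precondition described in the advisory: the flaw is only reachable when
management access is exposed to the Internet. The Policy structure below
is a hypothetical, simplified representation, not WatchGuard's format.
"""
from dataclasses import dataclass
from typing import List

# ASSUMPTION: management ports taken from WatchGuard's documented defaults
# (Fireware Web UI on 8080; WatchGuard System Manager on 4105/4117/4118).
# Verify against your appliance's documentation before relying on this list.
MANAGEMENT_PORTS = {8080, 4105, 4117, 4118}

# Source aliases that mean "anywhere on the Internet" in this hypothetical model.
UNRESTRICTED_SOURCES = {"any-external", "any", "0.0.0.0/0"}


@dataclass
class Policy:
    name: str
    enabled: bool
    action: str          # "allow" or "deny"
    sources: List[str]   # source aliases or CIDR ranges
    ports: List[int]     # TCP ports the policy permits


@dataclass
class Finding:
    policy: str
    exposed_ports: List[int]
    unrestricted_sources: List[str]


def audit_management_exposure(policies):
    """Return a Finding for every enabled allow rule that opens a management
    port to an unrestricted source. Disabled and deny rules are ignored."""
    findings = []
    for p in policies:
        if not p.enabled or p.action.lower() != "allow":
            continue
        exposed = sorted(set(p.ports) & MANAGEMENT_PORTS)
        open_sources = sorted(
            s for s in p.sources if s.lower() in UNRESTRICTED_SOURCES
        )
        if exposed and open_sources:
            findings.append(Finding(p.name, exposed, open_sources))
    return findings


def remediation(f):
    """Human-readable fix for one finding: close the exposure and patch."""
    return (f"Policy '{f.policy}' allows management port(s) {f.exposed_ports} "
            f"from {f.unrestricted_sources}; restrict the source to trusted "
            "internal networks or a VPN, and apply the vendor patch.")


# Constructed sample policies: one exposed Web UI rule, one correctly
# scoped management rule, one disabled legacy rule, one unrelated rule.
SAMPLE_POLICIES = [
    Policy("WatchGuard Web UI", True, "allow", ["Any-External"], [8080]),
    Policy("WatchGuard", True, "allow", ["10.0.1.0/24"], [4105, 4117, 4118]),
    Policy("Old mgmt rule", False, "allow", ["Any-External"], [4105]),
    Policy("HTTPS out", True, "allow", ["Any-Trusted"], [443]),
]


if __name__ == "__main__":
    for finding in audit_management_exposure(SAMPLE_POLICIES):
        print(remediation(finding))
```

Only the first sample policy should be reported: the second restricts management to an internal range, the third is disabled, and the fourth does not touch a management port. Patching closes the bug itself; restricting management sources removes the exposure the advisory describes regardless of patch state.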
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased