Security News > 2022 > April > CISA warns orgs of WatchGuard bug exploited by Russian state hackers
The Cybersecurity and Infrastructure Security Agency has ordered federal civilian agencies and urged all US organizations on Monday to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances.
Sandworm, a Russian-sponsored hacking group, believed to be part of the GRU Russian military intelligence agency, also exploited this high severity privilege escalation flaw to build a new botnet dubbed Cyclops Blink out of compromised WatchGuard Small Office/Home Office network devices.
Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations to prioritize fixing this actively abused security bug to avoid having their WatchGuard appliances compromised.
Cyclops Blink, the malware used by the Sandworm state hackers to create their botnet, has been used to target WatchGuard Firebox firewall appliances with CVE-2022-23176 exploits, as well as multiple ASUS router models, since at least June 2019.
WatchGuard issued its own advisory after US and UK cybersecurity and law enforcement agencies linked the malware to the GRU hackers, saying that Cyclops Blink may have hit roughly 1% of all active WatchGuard firewall appliances.
WatchGuard has shared instructions on restoring infected Firebox appliances to a clean state and updating them to the latest Fireware OS version to prevent future infections.
News URL
Related news
- Russian hackers deliver malicious RDP configuration files to thousands (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)
- Faraway Russian hackers breached US organization via Wi-Fi (source)
- Firefox and Windows zero-days exploited by Russian RomCom hackers (source)
- Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian Turla hackers hit Starlink-connected devices in Ukraine (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-24 | CVE-2022-23176 | Unspecified vulnerability in Watchguard Fireware WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. | 8.8 |