
CISA warns orgs of WatchGuard bug exploited by Russian state hackers
2022-04-11 22:24

On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies to patch an actively exploited bug affecting WatchGuard Firebox and XTM firewall appliances, and urged all US organizations to do the same.

Sandworm, a Russian state-sponsored hacking group believed to be part of the GRU, Russia's military intelligence agency, also exploited this high-severity privilege escalation flaw to build a new botnet, dubbed Cyclops Blink, out of compromised WatchGuard Small Office/Home Office network devices.

Even though the directive only binds federal agencies, CISA also strongly urged all US organizations to prioritize fixing this actively abused security bug to avoid having their WatchGuard appliances compromised.

Cyclops Blink, the malware the Sandworm state hackers used to build their botnet, has targeted WatchGuard Firebox firewall appliances with CVE-2022-23176 exploits, as well as multiple ASUS router models, since at least June 2019.

WatchGuard issued its own advisory after US and UK cybersecurity and law enforcement agencies attributed the malware to the GRU hackers, saying that Cyclops Blink may have affected roughly 1% of all active WatchGuard firewall appliances.

WatchGuard has shared instructions on restoring infected Firebox appliances to a clean state and updating them to the latest Fireware OS version to prevent future infections.

News URL

https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/

Related Vulnerability

Date: 2022-02-24
CVE: CVE-2022-23176
Title: Unspecified vulnerability in Watchguard Fireware
Description: WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access.
Attack vector: network
Attack complexity: low
Vendor: watchguard
Risk score: 8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Watchguard 31 0 25 16 5 46