CISA warns organizations of WatchGuard bug exploited by Russian state hackers


On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies to patch an actively exploited bug affecting WatchGuard Firebox and XTM firewall appliances, and urged all U.S. organizations to do the same.

Sandworm, a Russian state-sponsored hacking group believed to be part of Russia's GRU military intelligence service, also exploited this high-severity privilege escalation flaw (CVE-2022-23176) to build a new botnet, Cyclops Blink, out of compromised WatchGuard Small Office/Home Office (SOHO) network devices.

“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged admin session through exposed admin access,” the company explains in a security advisory that rates the bug at a critical threat level.

The flaw can only be exploited if the appliance is configured to allow unrestricted management access from the Internet. By default, all WatchGuard appliances are configured for restricted management access, so the first thing to check is whether the management interface is reachable from outside, not only whether the firmware is patched.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate the flaws listed in CISA's Known Exploited Vulnerabilities catalog under Binding Operational Directive 22-01 (BOD 22-01), issued in November 2021.

CISA has given them three weeks, until May 2, to patch CVE-2022-23176, which was added to the Known Exploited Vulnerabilities catalog today.

While the directive is binding only on federal agencies, CISA urged all U.S. organizations to prioritize fixing this actively exploited bug to prevent their WatchGuard devices from being compromised.
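One way to operationalize the catalog check described above, as an added example that is not part of the original article or of CISA's own tooling: the script below parses a feed in the shape of CISA's public KEV JSON, matches it against a small asset inventory, and reports how many days remain until each entry's BOD 22-01 due date. The embedded feed and inventory are constructed for the example; only the CVE-2022-23176 dates come from the article, the second catalog entry is a placeholder, and the hostnames and keyword-matching scheme are assumptions.

```python
"""Match a CISA Known Exploited Vulnerabilities (KEV) feed against an asset
inventory and flag entries whose BOD 22-01 due date is near or past."""
import json
from datetime import date

# Constructed sample in the shape of the real KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE-2022-23176 entry uses the dates from the article; the second entry is a
# placeholder, not a real catalog entry, included only to show a non-matching vendor.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.04.11",
    "dateReleased": "2022-04-11T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-23176",
            "vendorProject": "WatchGuard",
            "product": "Firebox and XTM Appliances",
            "vulnerabilityName": "WatchGuard Firebox and XTM Appliances Privilege Escalation Vulnerability",
            "dateAdded": "2022-04-11",
            "shortDescription": "Remote attacker with unprivileged credentials can obtain a privileged management session via exposed management access.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-05-02",
            "notes": "",
        },
        {
            "cveID": "CVE-0000-0000",  # placeholder ID, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleRouter",
            "vulnerabilityName": "placeholder entry",
            "dateAdded": "2022-04-11",
            "shortDescription": "placeholder",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-05-02",
            "notes": "",
        },
    ],
})

# Constructed inventory (hypothetical hosts). KEV product strings are coarse
# ("Firebox and XTM Appliances"), so assets carry product-line keywords rather
# than exact model names.
SAMPLE_INVENTORY = [
    {"host": "fw-branch-01", "vendor": "WatchGuard", "product_keywords": ["Firebox"]},
    {"host": "fw-hq-xtm", "vendor": "WatchGuard", "product_keywords": ["XTM"]},
    {"host": "core-sw-01", "vendor": "OtherVendor", "product_keywords": ["Switch"]},
]


def load_kev(feed_text):
    """Parse the KEV feed text and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def _entry_matches(entry, asset):
    """Vendor must match exactly (case-insensitive); any product keyword must
    appear in the catalog's product string."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    product = entry["product"].lower()
    return any(kw.lower() in product for kw in asset["product_keywords"])


def match_inventory(entries, inventory, today):
    """Return one finding per (KEV entry, affected asset) pair with the number
    of days until the due date (negative once overdue). `today` may be a
    date or an ISO-8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if _entry_matches(entry, asset):
                days_left = (due - today).days
                findings.append({
                    "cve": entry["cveID"],
                    "host": asset["host"],
                    "due": entry["dueDate"],
                    "days_left": days_left,
                    "overdue": days_left < 0,
                })
    return findings


if __name__ == "__main__":
    for f in match_inventory(load_kev(SAMPLE_KEV_FEED), SAMPLE_INVENTORY, date.today()):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['cve']}  {f['host']}  due {f['due']}  {status}")
```

Feed the real catalog in place of `SAMPLE_KEV_FEED` and a real inventory export in place of `SAMPLE_INVENTORY`; the keyword match is deliberately loose, so review hits against the vendor advisory rather than trusting them blindly.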

Malware affects 1% of WatchGuard firewall devices

Cyclops Blink, the malware Sandworm used to build its botnet, has been used since at least June 2019 to target WatchGuard Firebox firewall devices, exploiting CVE-2022-23176, as well as multiple ASUS router models.

It achieves persistence by being deployed as part of a firmware update, so it survives reboots, and it gives its operators remote access to the compromised network.

It abuses the infected devices' legitimate firmware update channel to maintain that access, injecting malicious code into firmware images and deploying the repackaged images to the device.

The malware is also modular, making it easy to update and to extend to new devices and vulnerabilities, opening up new pools of exploitable hardware.

WatchGuard issued its own guidance after U.S. and UK cybersecurity and law enforcement agencies linked the malware to the GRU, saying Cyclops Blink may have affected roughly 1% of all active WatchGuard firewall appliances.

The joint advisory from the UK's NCSC, the FBI, CISA and the NSA says organizations should assume all accounts on infected devices have been compromised, which means rotating every credential on them. Administrators should also immediately cut off Internet access to the management interface.

Botnet disrupted, malware removed from C2 servers

On Wednesday, U.S. government officials announced that the Cyclops Blink botnet had been disrupted before it could be weaponized in attacks.

The FBI also removed the malware from WatchGuard devices that had been used as command-and-control servers, and notified owners of compromised devices in the United States and abroad before removing the Cyclops Blink infection.

“I must warn that as we move forward, any Firebox devices that acted as bots may still remain vulnerable in the future until they are fixed by their owners,” FBI Director Chris Wray warned.

“So those owners still need to go ahead and adopt WatchGuard’s detection and recovery steps as soon as possible.”

WatchGuard has published instructions for restoring infected Firebox devices to a clean state and updating them to the latest Fireware OS release to prevent reinfection.
