WatchGuard firewalls exploited by Russian hackers, CISA warns
Date:
Tue, 12 Apr 2022 12:25:28 +0000
Description:
Known Russian state-sponsored threat actor called Sandworm abusing a
privilege escalation flaw.
FULL STORY ======================================================================
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered
all Federal Civilian Executive Branch (FCEB) agencies to patch any WatchGuard devices immediately, after discovering a number of severe flaws.
The announcement claims a known Russian state-sponsored threat actor called Sandworm is abusing a privilege escalation flaw, tracked as CVE-2022-23176, found in WatchGuard Firebox and XTM firewall appliances.
The group, allegedly strongly tied to the GRU military intelligence agency,
is using the flaw to build a new botnet called Cyclops Blink. Modular malware
"WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access," the security advisory reads.
Even though the flaw was rated as critical, abusing it requires the target endpoint to allow unrestricted management access from the internet, BleepingComputer reminds. WatchGuard appliances, by default, arent configured like that.
Still, FCEB firms have until May 2 2022 to address the flaw.
Cyclops Blink malware is a successor to the now-defunct VPNFilter. It allows Sandworm to conduct cyber espionage, launch distributed denial of service (DDoS) attacks, brick compromised devices and disrupt networks.
It is also believed to be modular, capable of upgrading itself to compromise and abuse additional hardware.
In March 2022, the Federal Bureau of Investigation (FBI) took down a large-scale Sandworm botnet. Read more
FBI secretly took down massive Russian botnet last month
Russian cyberattacks were reportedly set to target Tokyo Olympics
Russian criminals accused of hacking this top email service
After receiving the green light from courts in California and Pennsylvania, the FBI removed Cyclops Blink from its C2 servers, disconnecting thousands of compromised endpoints. The Justice Department said the raid was a success,
but still advised device owners to review the initial advisory and further secure their devices.
Cyclops Blink had been active since February, the Department of Justice (DoJ) said, and while law enforcement had managed to secure some of the compromised devices, the majority were still infected and in use by the threat actors.
"I should caution that as we move forward, any Firebox devices that acted as bots, may still remain vulnerable in the future until mitigated by their owners," the publication cited FBI Director Chris Wray.
"So those owners should still go ahead and adopt Watchguard's detection and remediation steps as soon as possible. Defend from threat actors with the
best antivirus solutions right now
Via: BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/news/watchguard-firewalls-exploited-by-russian-hacke rs-cisa-warns/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)