The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies and urged all US organizations on Monday to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances.

Sandworm, a Russian-sponsored hacking group, believed to be part of the GRU Russian military intelligence agency, also exploited this high severity privilege escalation flaw (CVE-2022-23176) to build a new botnet dubbed Cyclops Blink out of compromised WatchGuard Small Office/Home Office (SOHO) network devices.

"WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access," the company explains in a security advisory rating the bug with a critical threat level.

The flaw can only be exploited if they are configured to allow unrestricted management access from the Internet. By default, all WatchGuard appliances are configured for restricted management access.

Federal Civilian Executive Branch Agencies (FCEB) agencies must secure their systems against these security flaws according to November's binding operational directive (BOD 22-01).

CISA has given them three weeks, until May 2nd, to patch the CVE-2022-23176 flaw added today to its catalog of Known Exploited Vulnerabilities.

Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations to prioritize fixing this actively abused security bug to avoid having their WatchGuard appliances compromised.

Malware hit 1% of WatchGuard firewall appliances

Cyclops Blink, the malware used by the Sandworm state hackers to create their botnet, has been used to target WatchGuard Firebox firewall appliances with CVE-2022-23176 exploits, as well as multiple ASUS router models, since at least June 2019.

It establishes persistence on the device through firmware updates, and it provides its operators with remote access to compromised networks.

It uses the infected devices' legitimate firmware update channels to maintain access to the compromised devices by injecting malicious code and deploying repacked firmware images.

This malware is also modular, making it simple to upgrade and target new devices and security vulnerabilities, tapping into new pools of exploitable hardware.

WatchGuard issued its own advisory after US and UK cybersecurity and law enforcement agencies linked the malware to the GRU hackers, saying that Cyclops Blink may have hit roughly 1% of all active WatchGuard firewall appliances.

The UK NCSC, FBI, CISA, and NSA joint advisory says organizations should assume all accounts on infected devices as being compromised. Admins should also immediately remove Internet access to the management interface.

Botnet disrupted, malware removed from C2 servers

On Wednesday, US government officials announced the disruption of the Cyclops Blink botnet before being weaponized and used in attacks.

The FBI also removed the malware from Watchguard devices identified as being used as command and control servers, notifying owners of compromised devices in the United States and abroad before cleaning the Cyclops Blink infection.

"I should caution that as we move forward, any Firebox devices that acted as bots, may still remain vulnerable in the future until mitigated by their owners," FBI Director Chris Wray warned.

"So those owners should still go ahead and adopt Watchguard's detection and remediation steps as soon as possible."

WatchGuard has shared instructions on restoring infected Firebox appliances to a clean state and updating them to the latest Fireware OS version to prevent future infections.

One-two bug punch leads to ‘worst possible impact’, said researcher

WatchGuard has patched several vulnerabilities in two main firewall brands that have been rated between medium and critical severity.

In combination, two of the flaws allowed Ambionics security engineer Charles Fol to obtain pre-authentication remote root on every WatchGuard Firebox or XTM appliance.

Both the Firebox and XTM ranges were implicated earlier this year in a number of hacking attacks, with Russian state-sponsored threat actor Sandworm abusing a privilege escalation flaw in order to build a botnet called Cyclops Blink that was taken down in April. Over a four-month period, WatchGuard released three firmware updates, patching a number of critical vulnerabilities.

DON’T MISSAPI security: Broken access controls, injection attacks plague enterprise security landscape

And, by coincidence, said Fol, this is when he started looking for exploitable bugs in firewalls for a red team engagement. He found five in the WatchGuard products, of which two were patched during his research, which is documented in a write-up published earlier this week.

The three remaining flaws were blind Xpath injection, allowing him to retrieve the configuration of a device, including master credentials; integer overflow, which allowed an attacker to execute malicious code on remote appliances; and a third vulnerability that meant it was possible to escalate privileges from a low-privilege user into root.

Complete access as root

“By combining the two latter, a remote, unauthenticated attacker can get complete access to the firewall system as a super user, or root,” Fol told The Daily Swig.

“This is the worst possible impact. He or she can now read or change the configuration, intercept traffic, et cetera.

“The first one, in some cases, allows an attacker to obtain the master credentials of the authentication servers, and possibly use this to connect as an administrator on the firewall.”

Read more of the latest cybersecurity vulnerability news

Fol believes that fewer WatchGuard users now have their administration interface exposed on the internet, thanks to the many security alerts that were being generated at the time of his research, including those relating to Cyclops Blink.

However, he said, “the first vulnerability – Xpath – is reachable through the standard, client interface, and as such is much more likely to be exposed; a quick shodan search revealed around 350,000 instances.”

He advises users to remove their administration interface from the internet, and make sure they keep their systems up to date.

Fol said he reported the vulnerabilities at the end of March, and received a quick response. A month later, WatchGuard's security team confirmed that a patch would be available on June 21.

Overall, he said, the disclosure was a “great, respectful process”.

YOU MAY ALSO LIKELog4Shell legacy? Patching times plummet for most critical vulnerabilities – report

The web content-filtering service uses the same database as WatchGuard's Fireboxes and offers 118 URL categories that can be blocked or allowed. The main cloud portal provides a status overview of all licensed products, and selecting the EPDR heading opens a new page with full access to all functions. Agents for Windows, Linux and macOS systems can be pulled down directly from the console's Computers page, or you can email users with a download link.