The Cybersecurity and Infrastructure Security Agency has warned of Russian state actors exploiting a bug impacting WatchGuard Firebox and XTM firewall appliances.
Sandworm, a Russian-sponsored hacking group, believed to be part of the GRU Russian military intelligence agency, reportedly exploited the high severity privilege escalation flaw (CVE-2022-23176) to develop a new botnet, dubbed “Cyclops Blink”, out of WatchGuard Small Office/Home Office (SOHO) network devices.
CISA has rated the bug with a critical threat level, explaining in a security advisory: “WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access.”
It is only possible to exploit the flaw if it is configured to allow unrestricted management access from the Internet. All WatchGuard appliances are configured for restricted management access.
CISA has given Federal Civilian Executive Branch Agencies three weeks, until May 2nd, to secure their networks against the vulnerability.