Despite the disruption of the Cyclops Blink botnet, the vulnerability in WatchGuard firewalls used to build it persists, and it has now been added to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) list of known exploited vulnerabilities that must be patched immediately.
The appearance of a vulnerability on this list means that under provisions in US law, all agencies in the Federal Civilian Executive Branch (FCEB) – that is to say, the US government – must patch it post-haste.
While this direction clearly holds no weight in UK law, it is highly recommended that all organisations anywhere in the world prioritise remediating the vulnerabilities listed.
The WatchGuard vulnerability affects the firm’s Firebox and XTM products and is now being tracked as CVE-2022-23176. It is a privilege escalation vulnerability that, if successfully exploited, enables a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. US organisations in scope have until 2 May 2022 to fix it.
CVE-2022-23176 was used successfully by the Russian state advanced persistent threat (APT) group known as Sandworm or Voodoo Bear to establish the Cyclops Blink botnet, a successor to a previously favoured malware known as VPNFilter, which was deployed a few years ago to great effect against targets in Ukraine and South Korea.
WatchGuard has also come in for extensive criticism in the wake of CISA’s action, after it emerged it had quietly patched the vulnerability in question last year but had held off sharing explicit details out of a desire to not guide threat actors towards exploiting it.
Moreover, it has now revealed it was alerted to the existence of Cyclops Blink by the FBI and the UK’s National Cyber Security Centre (NCSC) on 30 November 2021, almost three months to the day before CISA and the NCSC published an alert on it.
In an FAQ detailing its response, WatchGuard said: “We were informed by the FBI on 30 November 2021 about its ongoing international investigation regarding a state-sponsored attack that affected network devices from multiple vendors, including a limited number of WatchGuard firewall appliances.
“Once we were informed, we worked rapidly to develop detection, remediation and protection plans for any affected firewall devices to share with customers as soon as we were authorised to do so in coordination with the relevant government agencies,” it said.
“The DOJ and court orders directed WatchGuard to delay disclosure until official authorisation was granted. The relevant government agencies informed WatchGuard that they had no evidence of data exfiltration from our customers’ network environments. This disclosure process is also consistent with standard industry principles of responsible disclosure.”
It is, however, important to note that the vulnerability affected less than 1% of active appliances, because only those that had been configured to have management open to the internet were vulnerable – any others were never at risk.
Comparitech privacy advocate Paul Bischoff said: “The irony of the WatchGuard bug is the devices that businesses purchased to improve their cyber security actually ended up compromising it. The Firebox and XTM are hardware firewalls designed to prevent unauthorised intrusion into a network. If they’re not updated, hackers – be they state-sponsored or not – can exploit the vulnerability to infiltrate the device and add it to the attacker’s botnet, among other attacks.”
Tripwire strategy vice-president Tim Erlin added: “While the focus of this warning is on a vulnerability, it’s important to note that any actual attack involves both a vulnerability and a misconfiguration. There are few, if any, cases where the vulnerable interface should be open to the internet, but based on the reported exploit activity it’s clear that a significant number of organisations are running with just such a configuration. Patching this vulnerability is important, but there are configuration changes that can be made quickly to reduce the attack surface as well.”
WatchGuard users are strongly advised to follow the steps laid down in the supplier’s four-step Cyclops Blink remediation plan.