WatchGuard firewall users urged to patch Cyclops Blink vulnerability
Despite the disruption of the Cyclops Blink botnet, the vulnerability in WatchGuard firewalls used to construct it persists, and it has now been added to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) list of known exploited vulnerabilities that must be patched immediately.
The appearance of a vulnerability on this list means that, under provisions in US law, all organisations within the Federal Civilian Executive Branch (FCEB) – that is to say, the US government – must patch it post-haste.
While this directive clearly carries no weight in UK law, it is highly advisable that all organisations anywhere in the world prioritise remediating the vulnerabilities listed.
The WatchGuard vulnerability affects the firm’s Firebox and XTM products and is now being tracked as CVE-2022-23176. It is a privilege escalation vulnerability that, if successfully exploited, allows a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. US organisations in scope have until 2 May 2022 to fix it.
CVE-2022-23176 was used successfully by the Russian state advanced persistent threat (APT) group known as Sandworm or Voodoo Bear to establish the Cyclops Blink botnet, a successor to a previously favoured malware known as VPNFilter, which was deployed a few years ago to great effect against targets in Ukraine and South Korea.
WatchGuard has also come in for extensive criticism in the wake of CISA’s action, after it emerged it had quietly patched the vulnerability in question last year but had held off sharing explicit details out of a desire not to guide threat actors towards exploiting it.
Moreover, it has now revealed it was alerted to the existence of Cyclops Blink by the FBI and the UK’s National Cyber Security Centre (NCSC) on 30 November 2021, almost three months to the day before CISA and the NCSC published an alert on it.
In an FAQ detailing its response, WatchGuard said: “We were informed by the FBI on 30 November 2021 about its ongoing international investigation regarding a state-sponsored attack that affected network devices from multiple vendors, including a limited number of WatchGuard firewall appliances.
“Once we were informed, we worked rapidly to develop detection, remediation and protection plans for any affected firewall devices to share with customers as soon as we were authorised to do so in coordination with the relevant government agencies,” it said.
“The DOJ and court orders directed WatchGuard to delay disclosure until official authorisation was granted. The relevant government agencies informed WatchGuard that they had no evidence of data exfiltration from our customers’ network environments. This disclosure process is also consistent with standard industry principles of responsible disclosure.”
It is, however, important to note that the vulnerability affected less than 1% of active appliances, because only those that had been configured to have management open to the internet were vulnerable – any others were never at risk.
Comparitech privacy advocate Paul Bischoff said: “The irony of the Watchguard bug is the devices that businesses purchased to improve their cyber security actually ended up compromising it. The Firebox and XTM are hardware firewalls designed to prevent unauthorised intrusion into a network. If they’re not updated, hackers – be they state-sponsored or not – can exploit the vulnerability to infiltrate the device and add it to the attacker’s botnet, among other attacks.”
Tripwire strategy vice-president Tim Erlin added: “While the focus of this warning is on a vulnerability, it’s important to note that any actual attack involves both a vulnerability and a misconfiguration. There are few, if any, cases where the vulnerable interface should be open to the internet, but based on the reported exploit activity it’s clear that a significant number of organisations are running with just such a configuration. Patching this vulnerability is important, but there are configuration changes that can be made quickly to reduce the attack surface as well.”
WatchGuard users are strongly advised to follow the steps laid down in the vendor’s four-step Cyclops Blink remediation plan.