A leading US cybersecurity agency has ordered civilian federal government entities to urgently patch a bug being exploited by Russian state hackers.
The high-severity privilege escalation vulnerability CVE-2022-23176 affects WatchGuard Firebox and XTM appliances. It has now been added to the Known Exploited Vulnerabilities Catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).
According to NIST, it allows a “remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access.”
Russia’s notorious Sandworm group has been exploiting the bug as part of its Cyclops Blink campaign to build a large botnet out of compromised home-office WatchGuard and Asus router devices.
The malware itself has been described as “sophisticated and modular,” meaning new functionality could be added at any time. It’s deployed as part of a firmware ‘update’ so that it persists when an infected device is rebooted, which makes remediation harder.
It’s not known to what ends the botnet has been put, although some have suggested it may have been used to support DDoS attacks against Ukrainian entities. However, it was deemed dangerous enough for the US authorities to intervene recently.
A special DoJ operation saw court orders issued to enable investigators to “copy and remove” the malware from infected devices used for command and control (C&C).
Officers also closed the ports Sandworm was using to remotely manage the infected C&C devices. However, the FBI warned that any devices previously attacked may still be vulnerable to exploitation unless owners follow vendor advice on remediation.
That’s where patching CVE-2022-23176 comes in.
Although the CISA catalog applies only to federal agencies, it urges all organizations to follow the list as a best practice measure to improve cyber-hygiene.
Civilian federal agencies now have until May 2 to patch the flaw.