WatchGuard firewall users are encouraged to patch the Cyclops Blink vulnerability
Despite the disruption of the Cyclops Blink botnet, the vulnerability in WatchGuard firewalls used to create it persists and has now been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities for immediate patching.
The appearance of a vulnerability on this list means that according to US law, all agencies of the Federal Civilian Executive Branch (FCEB) – i.e. the US government – must patch it immediately.
Whilst this instruction clearly has no weight under UK law, it is strongly recommended that all organizations around the world prioritize remediation of the listed vulnerabilities.
The WatchGuard vulnerability affects the company’s Firebox and XTM products and is now tracked as CVE-2022-23176. It is an escalation of privilege vulnerability that, if successfully exploited, could allow a remote attacker with unprivileged credentials to gain access to the system with a privileged management session via exposed management access. US organizations in scope have until May 2, 2022 to resolve the issue.
CVE-2022-23176 was successfully used by the Russian State Advanced Persistent Threat (APT) group known as Sandworm or Voodoo Bear to build the Cyclops Blink botnet, a successor to a previously popular malware called VPNFilter that was deployed a few years ago to great effect against targets in Ukraine and South Korea.
WatchGuard has also been heavily criticized in the wake of the CISA action, after it was revealed that it had quietly patched the vulnerability in question during the past year but had held back from sharing explicit details out of a desire not to alert attackers who might exploit it.
Additionally, it has now announced that it was alerted to the existence of Cyclops Blink by the FBI and the UK’s National Cyber Security Centre (NCSC) on November 30, 2021, almost three months to the day before CISA and the NCSC issued a warning about it.
In an FAQ detailing its response, WatchGuard said, “We were briefed by the FBI on November 30, 2021 of its ongoing international investigation into a state-sponsored attack that affected multi-vendor network equipment, including a limited number of WatchGuard firewall appliances.
“Once we were informed, we worked quickly to develop detection, remediation and protection plans for all impacted firewall devices, which we could release to customers in coordination with the relevant government agencies once we were authorized to do so,” it said.
“The DOJ and court orders have directed WatchGuard to defer disclosure until official approval is obtained. Relevant government agencies informed WatchGuard that they had no evidence of data exfiltration from our customers’ network environments. This disclosure process also conforms to industry-standard principles of responsible disclosure.”
It’s important to note, however, that the vulnerability affected less than 1% of active appliances, as only those configured to allow management access from the Internet were vulnerable – all others were never compromised.
Comparitech’s data protection officer, Paul Bischoff, said: “The irony of the WatchGuard bug is that the devices companies bought to improve their cybersecurity actually compromised them. The Firebox and XTM are hardware firewalls designed to prevent unauthorized intrusion into a network. If they are not updated, hackers — government-sponsored or not — can exploit the vulnerability to infiltrate the device and add it to the attacker’s botnet, among other attacks.”
Tim Erlin, Vice President of Tripwire Strategy, added, “While the focus of this alert is on a vulnerability, it’s important to note that any actual attack involves both a vulnerability and a misconfiguration. There are few, if any, instances where the vulnerable interface should be exposed to the Internet, but based on reported exploit activity, it is clear that a significant number of organizations operate with just such a configuration. Patching this vulnerability is important, but there are configuration changes that can be made quickly to also reduce the attack surface.”
WatchGuard users are strongly encouraged to follow the steps outlined in the vendor’s four-step Cyclops Blink remediation plan.