The Russian state-sponsored threat actor Sandworm, a group believed to be directly connected to Russia's military intelligence agency, is very active these days. The FBI recently disrupted the group by taking down the C2 infrastructure of its Cyclops Blink botnet malware. According to CISA, Sandworm is now abusing a bug in WatchGuard Firebox and XTM firewall appliances to deploy Cyclops Blink.
Remote privilege escalation bug
According to CISA's statement, WatchGuard Firebox and XTM appliances are affected by a privilege escalation bug tracked as CVE-2022-23176. The flaw is remotely exploitable and its severity is rated as critical. However, exploitation requires a non-default configuration: the appliances must be configured to allow unrestricted management access from the internet, which is restricted by default.
CISA has ordered Federal Civilian Executive Branch agencies to fix their systems within three weeks. The agency urged all US organizations to fix it as well, since the Sandworm group is actively abusing the bug to deploy its Cyclops Blink botnet malware. WatchGuard states that roughly 1% of all its active firewall appliances were hit by Cyclops Blink. The vendor also published a 4-step diagnosis and remediation plan to counter the threat, which is linked below:
Click here to read the 4-step diagnosis and remediation plan for WatchGuard
According to the FBI, the Cyclops Blink malware persists across firmware updates. It abuses the firmware update channel of infected devices to maintain access and inject malicious code or firmware.