The Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to patch a WatchGuard firewall vulnerability exploited in attacks linked to a Russian state-sponsored threat actor. While the US government has known about the exploitation of this flaw for several months, federal agencies are apparently only now being told to patch it.
In fact, some experts believe that the entire disclosure process surrounding this vulnerability was poorly handled.
The existence of the vulnerability affecting WatchGuard firewalls came to light on February 23, when government agencies in the UK and US revealed that a threat actor known as Sandworm APT28 and Fancy Bear, which had been previously linked to Russia, had been using a piece of malware named Cyclops Blink.
Described as a replacement for the malware named VPNFilter, Cyclops Blink has been around since at least June 2019. Its main functionality is to send information about the compromised device back to a server and also to enable its operators to download and execute other files.
When the government agencies issued the public warning about Cyclops Blink attacks in February, they noted that the malware at the time had mainly targeted firewall appliances made by WatchGuard. It was later reported that ASUS routers have also been targeted.
In the attacks aimed at WatchGuard devices, the hackers had exploited a vulnerability that was silently patched by the vendor in May 2021, after being discovered internally.
The flaw, now tracked as CVE-2022-23176, affects the Fireware OS running on WatchGuard Firebox and XTM appliances. It allows a remote attacker with unprivileged credentials “to access the system with a privileged management session via exposed management access.”
WatchGuard learned from the FBI in late November 2021 that the Cyclops Blink botnet had been targeting its products. However, when the existence of Cyclops Blink came to light in February, the company did not release any technical information about the vulnerability, and the limited information that was made available mostly got buried in the noise generated by the botnet itself.
WatchGuard said the botnet attacks affected less than one percent of its firewall appliances, but the investigation appears to be ongoing. In the meantime, the FBI said it has taken action to disable the botnet.
While WatchGuard did inform customers at the time about a patched vulnerability being exploited, Ars Technica reported last week that the CVE identifier assigned to the flaw in February, CVE-2022-23176, was only added to WatchGuard documentation on Cyclops Blink this month. The CVE was also not mentioned in the government advisories released at the time. This could have made it more difficult for organizations to keep track of the vulnerability.
WatchGuard has argued that “the DOJ and court orders directed WatchGuard to delay disclosure until official authorization was granted.”
Will Dormann, vulnerability analyst at CERT/CC, has described WatchGuard’s handling of the bug as “poor vendor behavior.”
“When an update is released people can compare the before- and after-patch code to see what has changed, exposing the vulnerability. If things like CVE/CVSS are skipped, attackers have all that they need and defenders have nothing. DON’T DO THIS!” Dormann said on Twitter last week.
Another interesting aspect about the disclosure of CVE-2022-23176 is that CISA has only now added it to its Known Exploited Vulnerabilities Catalog, telling federal agencies on Monday that they need to address it by May 2. However, CISA has known about the flaw and its exploitation since at least November 2021 as the agency was involved in the investigation of the Cyclops Blink malware, alongside the FBI and the NSA.
This once again highlights the need for improved cybersecurity processes within the US government.
This comes just days after several senators introduced a bill whose goal is to improve the sharing of cybersecurity information between the DHS — CISA is an operational component under the DHS — and Congress. The lawmakers are displeased with the delays Congress's cybersecurity staff face in getting information from the DHS — delays that have raised concerns given the increasing threat posed by Russia.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.