F5 is next

Hackers have started launching attacks against F5 BIG-IP networking devices.

Attacks have been spotted today by Rich Warren, a security researcher for the NCC Group.

Earlier today, Warren said the attacks are malicious in nature, and that the hackers are attempting to steal administrator passwords from the compromised devices.

Summary: BIG-IP and CVE-2020-5902

These attacks are targeting BIG-IP, a multi-purpose networking device manufactured by F5 Networks. BIG-IP devices can be configured to work as traffic shaping systems, load balancers, firewalls, access gateways, rate limiters, or SSL middleware.

These devices are some of the most popular networking products in use today, and they underpin some of the largest and most sensitive networks in the world.

BIG-IP devices are used in government networks, on the networks of internet service providers, inside cloud computing data centers, and they’re widely deployed across enterprise networks.

The devices are so powerful and popular that on its website, F5 claims that 48 of the 50 companies included in the Fortune 50 list rely on BIG-IP systems.

On Wednesday, F5 Networks published patches and released a security advisory about a “remote code execution” vulnerability in BIG-IP devices.

F5 said the vulnerability, tracked as CVE-2020-5902, could allow attackers to take full control over unpatched systems that are accessible on the internet.

The vulnerability was deemed so dangerous that it received a severity score of 10, the maximum on the CVSSv3 scale. This score means the vulnerability is easy to exploit and automate, can be exploited over the internet, and requires neither valid credentials nor advanced coding skills to take advantage of.

Exploitation attempts started after three days

The cyber-security community expected that this bug would come under active attacks as soon as hackers figured out how they could exploit it.

Cyber-security experts have been trying to raise the alarm about the urgent need to patch this bug without delay since Wednesday, when it became public, because any successful attack would grant threat actors full access to some of the world’s most important IT networks.

The urgency of patching this cannot be understated. I worked for F5 for a decade; they power cell carriers, banks, Fortune 500 and many governments.

If deployed correctly the mgmt interface shouldn’t be internet exposed but @binaryedgeio returns 14k hits for ‘tmui’ so YMMV 🤷‍♂️ https://t.co/IgKGgE7wBK— Nate W. | #BlackLivesMatter | #NoJusticeNoPeace (@n0x08) July 2, 2020

Their efforts to raise attention to this issue were helped by US Cyber Command, which, on Friday night, just hours before July 4th, asked system administrators to take the time to patch BIG-IP devices, also fearing the same thing.

URGENT: Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately. https://t.co/UBKECuN7Vv— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) July 3, 2020

According to Warren, those attacks began just hours after the US Cyber Command tweet. Warren, who is currently operating BIG-IP honeypots — servers made to look like BIG-IP devices — said he detected malicious attacks coming from five different IP addresses.

First exploits coming from 🇮🇹 pic.twitter.com/HAySCfh79y— Rich Warren (@buffaloverflow) July 4, 2020

In logs, Warren pointed out the source of those attacks and confirmed they were malicious.

“The vulnerability allows you to invoke .JSP files using a traversal sequence,” Warren said earlier today.

“This, in turn, allows you to (ab)use functionality of otherwise authenticated .JSP files to do things like read files or, eventually, execute code.

“So far, what we’ve seen is an attacker reading various different files from the honeypots and executing commands via a built-in .JSP file. With this they were able to dump out the encrypted admin passwords, settings, etc.,” Warren said.

Pulse Secure, Citrix, and now… BIG-IP

The BIG-IP vulnerability is the type of security bug that nation-state hacking groups and ransomware gangs have been exploiting for almost a year — but in other products.

Since August, hacking groups have been exploiting similar RCE bugs in Pulse Secure VPNs and Citrix networking gateways to gain a foothold on corporate networks, and then plant backdoors, steal sensitive files, or install ransomware.

The Pulse Secure and Citrix bugs have been the bread and butter for ransomware gangs, in particular. In many cases, they didn’t even exploit the bugs right away. They planted backdoors, and then came back days, weeks, or months later to monetize their access.

Ransomware gangs like REvil, Maze, or Netwalker have been known to heavily rely on these types of bugs to attack some of the world’s largest companies, and security experts say the BIG-IP vulnerability is just the type of bug that will fuel their next wave of attacks.