<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Networking &#8211; IT Security Works</title>
	<atom:link href="https://itsec.works/topics/networking/feed/" rel="self" type="application/rss+xml" />
	<link>https://itsec.works</link>
	<description>an infosec blog on security</description>
	<lastBuildDate>Fri, 22 Dec 2023 08:38:26 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://itsec.works/wp-content/uploads/2020/06/lock-v2-32x32.png</url>
	<title>Networking &#8211; IT Security Works</title>
	<link>https://itsec.works</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>F5 is next</title>
		<link>https://itsec.works/2020/07/f5-is-next/</link>
		
		<dc:creator><![CDATA[wpx_itsec]]></dc:creator>
		<pubDate>Mon, 06 Jul 2020 12:54:09 +0000</pubDate>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[cve]]></category>
		<category><![CDATA[f5]]></category>
		<category><![CDATA[hacking]]></category>
		<guid isPermaLink="false">https://itsec.works/?p=62</guid>

					<description><![CDATA[Hackers have started launching attacks against F5 BIG-IP networking devices. Attacks have been spotted today by Rich Warren, a security researcher for the NCC Group.&#8230;]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Hackers have started launching attacks against F5 BIG-IP networking devices.</p>



<p class="wp-block-paragraph">Attacks have been spotted today by <a href="https://twitter.com/buffaloverflow/" target="_blank" rel="noreferrer noopener">Rich Warren</a>, a security researcher for the <a href="https://www.nccgroup.com/" target="_blank" rel="noreferrer noopener">NCC Group</a>.</p>



<p class="wp-block-paragraph">Earlier today, Warren said that the attacks are malicious in nature and that the attackers are attempting to steal administrator passwords from the compromised devices.</p>



<h3 class="wp-block-heading">Summary: BIG-IP and CVE-2020-5902</h3>



<p class="wp-block-paragraph">These attacks are targeting BIG-IP, a multi-purpose networking device manufactured by F5 Networks. BIG-IP devices can be configured to work as traffic shaping systems, load balancers, firewalls, access gateways, rate limiters, or SSL middleware.</p>



<p class="wp-block-paragraph">These devices are some of the most popular networking products in use today, and they underpin some of the largest and most sensitive networks around.</p>



<p class="wp-block-paragraph">BIG-IP devices are used in government networks, on the networks of internet service providers, inside cloud computing data centers, and they&#8217;re widely deployed across enterprise networks.</p>



<p class="wp-block-paragraph">The devices are so powerful and popular that <a href="https://www.f5.com/products/big-ip-services" target="_blank" rel="noreferrer noopener">on its website</a>, F5 claims that 48 of the 50 companies included in the Fortune 50 list rely on BIG-IP systems.</p>



<p class="wp-block-paragraph">On Wednesday, F5 Networks published patches and released a security advisory about a &#8220;remote code execution&#8221; vulnerability in BIG-IP devices.</p>



<p class="wp-block-paragraph">F5 said the vulnerability, tracked as CVE-2020-5902, could allow attackers to take full control over unpatched systems that are accessible on the internet.</p>



<p class="wp-block-paragraph">The vulnerability was deemed so dangerous that it received a severity score of 10.0, the maximum on the CVSSv3 scale. A 10.0 means the bug is reachable over the network, has low attack complexity and needs neither privileges nor user interaction, while giving the attacker full impact on confidentiality, integrity and availability. In practice, that means it is easy to exploit and automate from the internet without valid credentials or advanced coding skills.</p>



<h3 class="wp-block-heading">Exploitation attempts started after three days</h3>



<p class="wp-block-paragraph">The cyber-security community expected that this bug would come under active attacks as soon as hackers figured out how they could exploit it.</p>



<p class="wp-block-paragraph">Since Wednesday, when the bug became public, security experts have been raising the alarm about the need to patch it without delay, because a successful attack grants the threat actor full access to some of the world&#8217;s most important IT networks.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The urgency of patching this cannot be understated. I worked for F5 for a decade; they power cell carriers, banks, Fortune 500 and many governments.<br><br>If deployed correctly the mgmt interface shouldn&#8217;t be internet exposed but <a href="https://twitter.com/binaryedgeio?ref_src=twsrc%5Etfw" rel="noreferrer noopener" target="_blank">@binaryedgeio</a> returns 14k hits for &#8216;tmui&#8217; so YMMV 🤷‍♂️ <a href="https://t.co/IgKGgE7wBK" rel="noreferrer noopener" target="_blank">https://t.co/IgKGgE7wBK</a>— Nate W. | #BlackLivesMatter | #NoJusticeNoPeace (@n0x08) <a href="https://twitter.com/n0x08/status/1278773836117184513?ref_src=twsrc%5Etfw" rel="noreferrer noopener" target="_blank">July 2, 2020</a></p></blockquote>



<p class="wp-block-paragraph">Their efforts were amplified by US Cyber Command, which on Friday night, just hours before the July 4th holiday, urged system administrators to patch BIG-IP devices immediately, citing the same concern.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>URGENT: Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately. <a href="https://t.co/UBKECuN7Vv" rel="noreferrer noopener" target="_blank">https://t.co/UBKECuN7Vv</a>— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) <a href="https://twitter.com/CNMF_CyberAlert/status/1279151966178902016?ref_src=twsrc%5Etfw" rel="noreferrer noopener" target="_blank">July 3, 2020</a></p></blockquote>



<p class="wp-block-paragraph">According to Warren, those attacks began just hours after the US Cyber Command tweet. Warren, who is currently operating BIG-IP honeypots &#8212; servers made to look like BIG-IP devices &#8212; said he detected malicious attacks coming from five different IP addresses.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>First exploits coming from 🇮🇹 <a href="https://t.co/HAySCfh79y" rel="noreferrer noopener" target="_blank">pic.twitter.com/HAySCfh79y</a>— Rich Warren (@buffaloverflow) <a href="https://twitter.com/buffaloverflow/status/1279386599911022593?ref_src=twsrc%5Etfw" rel="noreferrer noopener" target="_blank">July 4, 2020</a></p></blockquote>



<p class="wp-block-paragraph">Warren shared logs identifying the source of the attacks and confirmed that they were malicious.</p>



<p class="wp-block-paragraph">&#8220;The vulnerability allows you to invoke .JSP files using a traversal sequence,&#8221; Warren told earlier today.</p>



<p class="wp-block-paragraph">&#8220;This, in turn, allows you to (ab)use functionality of otherwise authenticated .JSP files to do things like read files or, eventually, execute code.</p>



<p class="wp-block-paragraph">&#8220;So far, what we&#8217;ve seen is an attacker reading various different files from the honeypots and executing commands via a built-in .JSP file. With this they were able to dump out the encrypted admin passwords, settings., etc.,&#8221; Warren said.</p>



<h3 class="wp-block-heading">Pulse Secure, Citrix, and now&#8230; BIG-IP</h3>



<p class="wp-block-paragraph">The BIG-IP vulnerability is the type of security bug that nation-state hacking groups and ransomware gangs have been exploiting for almost a year, albeit in other products.</p>



<p class="wp-block-paragraph">Since August, hacking groups have been exploiting similar RCE bugs in Pulse Secure VPNs and Citrix networking gateways to gain a foothold on corporate networks, and then plant backdoors, steal sensitive files, or install ransomware.</p>



<p class="wp-block-paragraph">The Pulse Secure and Citrix bugs have been the bread and butter of ransomware gangs in particular. In many cases they did not monetize the access right away: they exploited the bug, planted backdoors, and came back days, weeks or months later to cash in.</p>



<p class="wp-block-paragraph">Ransomware gangs like REvil, Maze, or Netwalker have been known to heavily rely on these types of bugs to attack some of the world&#8217;s largest companies, and security experts say the BIG-IP vulnerability is just the type of bug that will fuel their next wave of attacks.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Security risks when working from home</title>
		<link>https://itsec.works/2020/06/security-risks-when-working-from-home/</link>
		
		<dc:creator><![CDATA[wpx_itsec]]></dc:creator>
		<pubDate>Tue, 30 Jun 2020 19:24:20 +0000</pubDate>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Working from Home]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[vpn]]></category>
		<category><![CDATA[wfh]]></category>
		<category><![CDATA[working from home]]></category>
		<guid isPermaLink="false">https://itsec.works/?p=53</guid>

					<description><![CDATA[Unprecedented numbers of people are working from home&#160;for the foreseeable future, and we&#8217;re dealing with everything from childcare&#160;to simply trying to find a quiet space&#8230;]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Unprecedented numbers of people are working from home&nbsp;for the foreseeable future, and we&#8217;re dealing with everything from childcare&nbsp;to simply trying to find a quiet space for a call or to get work done. Our homes have become our offices, and in the rush to keep things going, we&#8217;re using new&nbsp;systems and adhering to security policies in a way that&#8217;s spotty at best.&nbsp;</p>



<p class="wp-block-paragraph">At the same time, the boundaries between work and private life are&nbsp;breaking down:&nbsp;Business is being done over home ISPs,&nbsp;with unmanaged routers and printers, home automation systems in the background and even partners and children listening in on conversations or sharing machines while working for different organizations.&nbsp;</p>



<p class="wp-block-paragraph">And all the while, new security threats are surfacing. Some are old attacks brought back now that we&#8217;re more vulnerable, and others are new scams that prey on our desire to get news, buy basic supplies, avoid infection and recover quickly if we do get sick. Traditional security measures that have been used daily for years can&#8217;t protect a fully remote staff without adaptation. That means we need to rethink our mindset and approach to security right now.</p>



<p class="wp-block-paragraph">The most important element of effective security in a time of change is to realize that while <em>you can do anything, you can’t do everything</em>. The job of security is not to eliminate all risks, because all threats are not equally dangerous or likely, and they won’t all be exploited at once. Discuss risk early and often, and revisit triage on a regular basis. The risks you face today&nbsp;will not be the ones you face next week or the week after.</p>



<p class="wp-block-paragraph">These are four major risks businesses need to address to get ahead in this period of adjustment:</p>



<h3 class="wp-block-heading">Hackers can manipulate VPNs without a view of the whole</h3>



<p class="wp-block-paragraph">Virtual private networks, or VPNs, have become the new lifeline for many businesses, extending the corporate network in encrypted form into our homes. However, many home networks already contain malware-infected or compromised hardware that can be used to stage attacks through the machine on which the VPN terminates. A compromised identity or machine, especially while behavioral baselining on the back end is in flux, can let an attacker piggyback through the VPN into the corporate network. Endpoint integrity (posture) checking and strong, multi-factor authentication therefore need to be in place from the moment the VPN goes live.</p>



<p class="wp-block-paragraph">VPN products also have vulnerabilities of their own, which need to be understood and tracked rather than trusted blindly, and many of the applications now becoming critical IT infrastructure will see new vulnerabilities too. This is not cause for panic, but it does mean you need to talk to vendors and plan for patching and failover. Vendors, too, are going through change and triaging their support and escalations, so start the dialogue now: contact your hardware and software providers to make sure configurations and policies are in order, starting with the VPN, endpoint and identity solutions.</p>



<h3 class="wp-block-heading">Endpoint first, then mobile</h3>



<p class="wp-block-paragraph">Although there are many endpoint challenges, the first priority is to ensure critical business processes recover. Then make sure the new enterprise footprint is brought into the fold from a policy and control perspective. Next, focus on mobile, the most pervasive and ubiquitous platform in our personal lives. Employees who have to learn new devices and applications will turn to their phones even more than usual because they feel familiar. Most companies already have policies defining what can and can&#8217;t be done with mobile phones; if yours doesn&#8217;t, set them now. Cyber criminals will start with identity theft and classic endpoint exploits, but they will find new ways to target phones before moving on to other devices, so get ahead of mobile threats first.</p>



<h3 class="wp-block-heading">Information&nbsp;can be weaponized</h3>



<p class="wp-block-paragraph">In the past few weeks, attackers&nbsp;have started taking advantage of human weaknesses. For example, hackers developed a malicious mobile application&nbsp;posing as a&nbsp;legitimate one developed by the World Health Organization.&nbsp;A vulnerable person could easily mistake this malicious app for a real WHO app.&nbsp;Once installed, the application downloads the Cerberus banking trojan to steal sensitive data. These types of attacks essentially weaponize tools and information, because they can easily be done with applications that provide legitimate benefits, too. Before, attackers had to plan their cons for diverse interests and lures, but right now the entire world has a shared crisis.&nbsp;COVID-19 has become our common watering hole, but with the right awareness and education, we will be able to defend ourselves.&nbsp;</p>



<h3 class="wp-block-heading">Physical location matters again</h3>



<p class="wp-block-paragraph">When employees take their machines home or use their home machines for work, those machines now sit in a physical and digital space unlike any within the office. Between routers, printers, foreign machines, devices, gaming consoles and home automation, the average home has a more complex and diverse communication and processing system than some small companies.&nbsp;</p>



<p class="wp-block-paragraph">Employees might be taking conference calls within earshot of family members or even&nbsp;employees of other companies. Nothing should be taken for granted when it comes to the privacy of employee homes. Simple policies are important — these are relevant not only to security but also to privacy in general.&nbsp;Should employees have cameras on or off for meetings?&nbsp;&nbsp;Should they wear earphones?&nbsp;Should they take notes on paper or digital applications? How should they handle viewed or created IP or PII? What communications applications are acceptable? What happens when others intrude, see notes or overhear discussions? These questions might seem trivial, but you need to address them up front. Above all, listen and adapt when things aren&#8217;t working.&nbsp;</p>



<p class="wp-block-paragraph">These four areas are far from a complete list of the cybersecurity concerns you need to address.&nbsp;If you’ve got these under control, enumerate the risks that remain, sort them by order of importance and deal with them methodically.</p>



<p class="wp-block-paragraph">Security is never &#8220;finished&#8221;&nbsp;because the opponent is never finished; cyber criminals are endlessly innovative and adaptive. In the words of Winston Churchill, &#8220;Never let a good crisis go to waste.&#8221;&nbsp;Use this as the chance to start&nbsp;a new, ongoing security dialogue within your&nbsp;business.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Ripple20 TCP/IP flaws and IoT</title>
		<link>https://itsec.works/2020/06/ripple20-tcp-ip-flaws-and-iot/</link>
		
		<dc:creator><![CDATA[wpx_itsec]]></dc:creator>
		<pubDate>Fri, 26 Jun 2020 06:44:37 +0000</pubDate>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://itsec.works/?p=27</guid>

					<description><![CDATA[A set of serious network security vulnerabilities collectively known as Ripple20 roiled the IoT landscape when they came to light last week, and the problems&#8230;]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">A set of serious network security vulnerabilities collectively known as Ripple20 roiled the IoT landscape when they came to light last week, and the problems they pose for IoT-equipped businesses could be both dangerous and difficult to solve.</p>



<p class="wp-block-paragraph">Ripple20 was originally discovered by Israel-based security company JSOF in September 2019. It affects a lightweight, proprietary TCP/IP library created by a small company in Ohio called Treck, which has issued a patch for the vulnerabilities. Several of those vulnerabilities allow remote code execution, which opens the door to data theft, device takeover and more, the security vendor said.</p>



<blockquote class="wp-block-quote has-text-align-right is-style-large is-layout-flow wp-block-quote-is-layout-flow"><p><em>When you’re dealing with threats to the TCP/IP stack, you’re talking about the fundamental networking core of these devices</em></p></blockquote>



<p class="wp-block-paragraph">That, however, isn’t the end of the problem. The TCP/IP library that contains the vulnerabilities has been used in a huge range of connected devices, from medical devices to industrial control systems to printers, and actually delivering and applying the patch is a vast undertaking. JSOF said that “hundreds of millions” of devices could be affected. Many devices don’t have the capacity to receive remote patches, and Terry Dunlap, co-founder of security vendor ReFirm Labs, said that there are numerous hurdles to getting patches onto older equipment in particular.</p>



<p class="wp-block-paragraph">“How many of these devices are sitting in some closet covered with five years of dust that hasn’t been touched by human hands?” he said. “When you’re dealing with threats to the TCP/IP stack, you’re talking about the fundamental networking core of these devices.”</p>



<p class="wp-block-paragraph">Even discovering whether or not a company’s networks are affected by the flaws can be a challenge, according to Brian Kime, a senior analyst at Forrester Research.</p>



<p class="wp-block-paragraph">“Network vulnerability scanners have challenges in detecting flaws in those libraries,” he said. “[The flaws aren’t] really advertised, sitting there, waiting for a connection to be made from outside.”</p>



<p class="wp-block-paragraph">“It’s gonna be tough to fix the actual devices,” Kime said. “Because it’s embedded and because these vendors don’t advertise all the software components that go into their devices, [companies] probably won’t be able to identify just by looking at the vendor website.”</p>



<p class="wp-block-paragraph">Efforts are already under way to patch affected devices, but it’s a mammoth task, involving dozens upon dozens of companies at every level of the supply chain. Business will have to work closely with vendors, their suppliers and on down the chain just to identify their potential exposure to Ripple20.</p>



<p class="wp-block-paragraph">For vendors and OEMs that have the choice, Dunlap suggested an alternative: instead of using a proprietary TCP/IP library, companies could make use of one of the numerous open source stacks available.</p>



<p class="wp-block-paragraph">“I don’t understand what a proprietary stack is going to get you over the open source stack that’s already out there,” he said.</p>



<p class="wp-block-paragraph">The silver lining is that there’s no indication that it’s being exploited in the wild at this point. That may change, as bad actors react to its being made public and develop potential exploits, but they still might have a difficult time taking advantage of Ripple20, according to Dunlap.</p>



<p class="wp-block-paragraph">Many of the most critical pieces of equipment that could be targeted using these vulnerabilities are not visible to the Internet at large and don’t have a direct connection to it. So while an infrastructure attack a la Stuxnet is possible, it would have to be delivered in much the same way – via “sneakernet” and an infected USB stick or another traditional malware delivery technique.</p>



<p class="wp-block-paragraph">“A lot of these embedded systems that are vulnerable to this aren’t public facing,” he said. “They might be on an intranet, and if a company was the victim of a sophisticated phishing attack, that could open the door to an intruder.”</p>



<p class="wp-block-paragraph"><a href="https://www.jsof-tech.com/ripple20/" target="_blank" rel="noreferrer noopener">JSOF’s official post on the matter</a> contains additional specifics about what devices might be affected, which could offer a starting point to companies looking to avoid a breach.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
