DecryptedTech

Wednesday, 18 May 2022

Attackers are Actively Exploiting Recent Vulnerabilities Found in F5 BIG-IP



This one goes in the “this is why patching is important” file and highlights the need to apply patches quickly when critical flaws are found in the devices and software an organization depends on. Last week F5 disclosed, and released patches for, a critical vulnerability tracked as CVE-2022-1388 (CVSS 9.8) that affects multiple versions of the BIG-IP operating system. Researchers have already developed proof-of-concept (POC) code for it, and now attackers are actively exploiting the flaw in the wild.

The vulnerability sits in the iControl REST authentication component: an unauthenticated attacker who can reach that interface over the network can bypass authentication and then execute arbitrary system commands, create or delete files, and disable services. That is a nasty flaw to find in a network appliance, especially one with the footprint F5 has around the world. A quick search on Shodan shows thousands of these devices exposed to the internet, and multiple public POC exploits for the flaw are already circulating. The exploit is rather simple (in relative terms), so the speed of the attacker community’s response is not surprising.

As mentioned, researchers have already observed the exploit being used in the wild, with attackers dropping webshells on the devices for long-term access. The attacks have targeted both the management interface and the non-management (self IP) interfaces, which means BIG-IP systems deployed as load balancers or firewalls, and not just those with an exposed management port, are also at risk. Things are going to get very messy, and soon.
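A first triage pass a defender might run over a BIG-IP httpd access log while hunting for this kind of activity, added here as an illustration and not taken from the article or from F5: it flags every iControl REST request (the `/mgmt/` path prefix is the real base path of that API) whose source address is not on a hypothetical management allow-list, and rates write methods higher because dropping a file or running a command through the REST API is a POST, not a GET. The log lines, addresses and the allow-list network are constructed for the example; the log format is assumed to be Apache combined format.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache "combined" format, standing in for a BIG-IP
# httpd access log. Addresses, paths and user agents are made up for this example.
SAMPLE_LOG = """\
10.20.0.15 - admin [18/May/2022:09:01:11 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 1532 "-" "curl/7.79.1"
203.0.113.77 - - [18/May/2022:09:02:43 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 312 "-" "python-requests/2.27.1"
203.0.113.77 - - [18/May/2022:09:02:44 +0000] "POST /mgmt/shared/file-transfer/uploads/x.php HTTP/1.1" 200 88 "-" "python-requests/2.27.1"
198.51.100.9 - - [18/May/2022:09:03:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
10.20.0.15 - admin [18/May/2022:09:05:00 +0000] "GET /mgmt/tm/ltm/virtual HTTP/1.1" 200 9876 "-" "curl/7.79.1"
"""

# Hypothetical allow-list: the only network that should ever talk to iControl REST.
MGMT_ALLOWLIST = ["10.20.0.0/24"]

ICONTROL_REST_PREFIX = "/mgmt/"          # real base path of the iControl REST API
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    src: str
    method: str
    path: str
    status: int
    severity: str


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def src_is_allowed(src, allowlist):
    """True if src is a valid address inside one of the allow-listed networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False            # unparsable source is never trusted
    return any(addr in ip_network(net) for net in allowlist)


def triage(log_text, allowlist=MGMT_ALLOWLIST):
    """Flag iControl REST requests from sources outside the management allow-list.

    Write methods are rated 'high' because command execution and file drops
    go through POST/PUT; reads from unexpected sources are still 'medium'.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ICONTROL_REST_PREFIX):
            continue
        if src_is_allowed(rec["src"], allowlist):
            continue
        severity = "high" if rec["method"] in WRITE_METHODS else "medium"
        findings.append(Finding(rec["src"], rec["method"], rec["path"],
                                rec["status"], severity))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.src:15} {f.method:6} {f.path} -> {f.status}")
```

Run against the constructed log, both findings come from 203.0.113.77: a POST to the bash utility endpoint and a POST that uploads a file, exactly the pattern the article describes. The TMUI login from 198.51.100.9 is not flagged because it is not an iControl REST request; that is a deliberate scope choice, since the allow-list here is about who may use the REST API, not the GUI. A request under `/mgmt/` that arrives on a self IP at all is a sign that Port Lockdown is not blocking the API there.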

To make matters worse, some who have reviewed the flaw and the exploit process are starting to suspect it might not be an accident, and that the flaw could have been introduced deliberately through a supply chain attack. The logic is that the timing, the type of weakness and the simplicity of exploiting it are unlikely to be the product of an honest mistake unless serious incompetence was involved. If the theory holds, it would not be the first time a threat group has targeted a supply chain to gain access to many companies and organizations at once.

Right now there is no evidence to support this theory, but we will be keeping an eye on things to see whether any develops. In the meantime, if you are running F5 BIG-IP devices you should be patching them right now; where you cannot patch immediately, follow F5’s published mitigations and block access to iControl REST through the self IP addresses, restricting it on the management interface to trusted hosts only.
Happy patching
