The vulnerability that was identified is in the iControl REST authentication component and can allow an attacker to execute commands, create or delete files, and disable services. It is a nasty flaw to find in a network appliance, especially one with the footprint that F5 has around the world. A quick search on Shodan shows that thousands of these devices are exposed to the internet, and multiple instances of proof-of-concept (POC) exploit code for this flaw are already public. The exploit is rather simple (in relative terms), so it is not surprising that the attacker community has responded this quickly.
As mentioned, researchers have already seen the exploit being used in the wild, with attackers dropping webshells on the devices for long-term access. The shells have been placed through both the management and non-management interfaces. This means that F5 devices set up as load balancers or firewalls are also at risk. Things are going to get very messy, and soon.
To make matters even worse, some who have reviewed the flaw and the exploit process are starting to think this might not be an accident. It is possible that the flaw was introduced deliberately through a supply chain attack. The logic here is that the timing, the type of flaw, and the simplicity of exploiting it are unlikely to have come from an honest mistake unless there was some serious incompetence involved. If this theory is true, it would not be the first time a threat group has targeted a supply chain to gain access to many companies and organizations at once.
Right now, there is no evidence to support this theory, but we will be keeping an eye on things to see if any develops. In the meantime, if you are using F5 BIG-IP devices you should be patching them right now, as well as following the provided advice on blocking access to iControl REST.
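A defender-side check that ties together the two points above (attackers reaching iControl REST through both management and non-management interfaces, and the advice to block iControl REST). This is an added example written for this post, not code from F5 or from any published tool. It scans web-server access-log lines for iControl REST requests coming from sources outside an allowlist of trusted management networks, so an operator can confirm that the blocking advice actually took effect and spot attempts that got through before it did. It assumes the REST API is served under the `/mgmt/` path prefix, that the log is in Apache combined format, and that 10.0.0.0/8 and 192.168.0.0/16 are the trusted management ranges; every sample log line is constructed for the example.

```python
import ipaddress
import re

# Assumption: these are the only networks that should ever talk to iControl REST.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: iControl REST is served under this path prefix on BIG-IP.
REST_PREFIX = "/mgmt/"

# Methods that change configuration or state rank higher than read-only calls.
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Apache combined log format: client, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic): one trusted REST call,
# one untrusted config change, one untrusted non-REST request, one untrusted
# failed login attempt against the REST API, and one malformed line.
SAMPLE_LOG = """\
10.20.30.40 - - [05/May/2022:10:01:12 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512 "-" "curl/7.79"
203.0.113.7 - - [05/May/2022:10:02:45 +0000] "POST /mgmt/tm/ltm/pool/ HTTP/1.1" 200 143 "-" "python-requests/2.27"
203.0.113.7 - - [05/May/2022:10:02:46 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3150 "-" "Mozilla/5.0"
198.51.100.23 - - [05/May/2022:10:03:01 +0000] "GET /mgmt/shared/authn/login HTTP/1.1" 401 85 "-" "curl/7.79"
not a log line at all
"""


def is_trusted(src: str, trusted=TRUSTED_NETS) -> bool:
    """True if src is an IP address inside one of the trusted networks.
    Anything that is not a parseable IP (e.g. a hostname) is treated as untrusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def flag_rest_requests(lines, trusted=TRUSTED_NETS):
    """Return one finding per iControl REST request from a non-trusted source.

    Failed attempts (401/403) are reported too: a blocked or rejected request
    still tells you the endpoint is reachable from where it should not be.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line; skip silently
        path = m.group("path")
        if not path.startswith(REST_PREFIX):
            continue  # not an iControl REST call
        src = m.group("src")
        if is_trusted(src, trusted):
            continue  # expected management traffic
        method = m.group("method")
        findings.append({
            "src": src,
            "ts": m.group("ts"),
            "method": method,
            "path": path,
            "status": int(m.group("status")),
            "severity": "high" if method in MUTATING_METHODS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in flag_rest_requests(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['ts']} {f['src']} {f['method']} {f['path']} -> {f['status']}")
```

Run against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines and adjusting `TRUSTED_NETS` to your own management ranges. Once iControl REST is blocked on the self IPs and management interface, this scan over fresh logs should return nothing; any finding that still appears after the block is either a gap in the block or traffic that predates it and warrants a closer look at the device.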
Happy patching