Attack on F5 Networks Appliances - ThreatWire
Added 2021-03-23 18:03:33 +0000 UTC
By Shannon Morse, ThreatWire
F5 Networks is having a bad week. A vulnerability was found in its BIG-IP and BIG-IQ server appliance lines and is being actively exploited by attackers. These appliances are used to manage network traffic, and they can help mitigate DDoS attacks, secure web applications, and more. F5 posted on March 10th that several vulnerabilities had been found, and the CVEs were patched in new versions of its software.
To note, four of the CVEs are marked as critical, but a total of 21 were found. The critical vulnerabilities would let an attacker obtain remote control over a server and run code without authenticating. Each of the critical issues is considered a remote code execution vulnerability, and two of them also involve a buffer overflow or denial of service. Overall, these got a severity rating of 9.8 out of 10.
After the patches were made public, many researchers posted proof of concept exploit code.
The big issue now is that these are being exploited in the wild, which many security researchers suspected would happen. Interestingly, the first critical CVE, CVE-2021-22986, is currently being used in a full-chain exploitation. According to NCC Group Research and Technology, they started seeing successful in-the-wild exploitation on the morning of March 19. They believe attackers are spraying and praying to find potential victims rather than targeting any specific networks.
Palo Alto Networks also reported that the same vulnerability is being used in attacks launched from devices that have already been infected with Mirai malware.
Even though the vulnerabilities are now being used in the wild, at the time of recording no one knows who is behind the attacks, or whether multiple groups are involved. CISA has advised users and admins to review the F5 advisory and install the updated software ASAP.
So, the moral of this story is to patch. Patches are available for all of the critical vulnerabilities, so these can be mitigated. If you haven't updated yet, your network could end up in the crosshairs of one of these attacks. F5 has had multiple vulnerabilities over the years, so if you've never patched your BIG-IP software, now would be a good time to do it.
Support ThreatWire! https://www.patreon.com/threatwire
F5:
https://support.f5.com/csp/article/K02566623
https://twitter.com/buffaloverflow/status/1372861157317435394
https://twitter.com/Unit42_Intel/status/1373017186818781190
https://threatpost.com/critical-f5-big-ip-flaw-now-under-active-attack/164940/
https://www.cyberscoop.com/f5-networks-big-ip-exploit-vulnerability/