IS Specialists Report Mass Attacks on Vulnerability in F5 BIG-IP

Written by Emma Davis

A critical remote code execution (RCE) vulnerability was discovered and patched last week in the Traffic Management User Interface (TMUI), the configuration interface of the popular BIG-IP application delivery controller. Since a working exploit was published, information security experts have been recording mass attacks on vulnerable F5 BIG-IP devices.

The vulnerability was discovered by Positive Technologies researchers, received the identifier CVE-2020-5902, and was given a CVSSv3 score of 10.0 out of 10, the highest possible severity rating.

By exploiting the bug, an attacker who has no valid credentials can execute commands on the device and completely compromise it, for example by intercepting the traffic of the web resources the controller manages. The attack can be carried out remotely.

“As of the end of June 2020, there were over 8,000 vulnerable devices worldwide accessible from the Internet: 40% of them in the USA, 16% in China, 3% in Taiwan, and 2.5% in Canada and Indonesia. At the same time, it should be noted that F5 engineers have already released fixes, and organizations were advised to install them immediately,” wrote Positive Technologies analysts.

Information security researchers also noted that in scale this problem closely resembles the RCE vulnerabilities in Pulse Secure VPN servers and Citrix network gateways. Such bugs are very popular with cybercriminals, who typically use them to gain an initial foothold in corporate networks; once inside, the attackers deploy backdoors, steal confidential files, or deploy ransomware.

For example, the REvil and Maze ransomware groups regularly rely on such vulnerabilities to compromise some of the largest companies in the world. As a reminder, these groups have even joined forces in a criminal cartel.

Only days ago, experts were already warning that PoC exploits for this problem were available and that attacks had begun. The exploits and technical details were released shortly after the vulnerability itself was disclosed, and researchers noted that the entire exploit fits in a single tweet.

NCC Group researcher Rich Warren warned that the vulnerability is already being exploited in the wild. He operates several honeypots disguised as BIG-IP devices.

“Attacks on the honeypots began a few hours after the US Cyber Command published its warning. The attacks came from at least five different IP addresses: the attackers tried to steal administrator passwords from the vulnerable devices,” Rich Warren reported.

Bad Packets researchers now estimate that approximately 635 unique network providers still host vulnerable BIG-IP endpoints, among them government organizations, educational institutions, healthcare providers, and financial companies on the Fortune 500 list.

Whereas attackers initially scanned for vulnerable systems and tried to extract passwords from them, Bad Packets analysts now report attacks on CVE-2020-5902 that aim to install DDoS malware, originating from an IP address that had previously been observed in other malicious activity.
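The honeypot and Bad Packets observations above are the kind of thing a defender can look for in their own web-server access logs. As an added example (not part of the original article, and not code from any of the researchers it quotes), the following Python script scans Apache-style access logs for the publicly documented CVE-2020-5902 request pattern: a request into the TMUI path that uses a `..;` path segment to reach the workspace endpoints (`fileRead.jsp`, `tmshCmd.jsp`) without a login session. The log lines are constructed for this example, the addresses are from documentation ranges, and the log format is assumed to be Apache combined; anything beyond those assumptions is not taken from the article.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample access-log lines for this example (Apache combined style).
# The addresses come from documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2020:10:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4510 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2020:10:12:03 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1822 "-" "python-requests/2.24"
203.0.113.7 - - [05/Jul/2020:10:15:44 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 910 "-" "curl/7.68.0"
198.51.100.9 - - [05/Jul/2020:10:20:00 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jul/2020:10:21:10 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# Apache combined log: client, identd, user, [timestamp], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Workspace endpoints that the ..; trick exposes without a TMUI login session.
SENSITIVE_ENDPOINTS = (
    "/tmui/locallb/workspace/fileread.jsp",
    "/tmui/locallb/workspace/tmshcmd.jsp",
)


def normalize_path(target):
    """Decoded, lower-cased path of a request target, query string dropped.
    Decoding twice also catches double-encoded variants such as %252e%252e%253b."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.lower()


def classify(target):
    """'high' for a ..; traversal inside /tmui/, 'review' for a direct hit on a
    sensitive workspace endpoint (legitimate for logged-in admins, so only worth
    a look), None for everything else."""
    path = normalize_path(target)
    if not path.startswith("/tmui/"):
        return None
    if "..;" in path:
        return "high"
    if any(path.endswith(ep) for ep in SENSITIVE_ENDPOINTS):
        return "review"
    return None


def scan_log(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        confidence = classify(m["target"])
        if confidence is None:
            continue
        query = m["target"].split("?", 1)[1] if "?" in m["target"] else ""
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "path": normalize_path(m["target"]),
            "query": unquote_plus(query),  # shows intent, e.g. which tmsh command was run
            "confidence": confidence,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['confidence']}] {f['ip']} {f['ts']} {f['status']} {f['path']}?{f['query']}")
```

On the sample data the script flags the two traversal requests as high-confidence and the direct `fileRead.jsp` hit for review; a query such as `command=list auth user admin` shows the credential-theft intent the honeypot operator described. Two caveats: a reverse proxy or WAF in front of the device may normalize `..;` out of the path before it is logged, so check the logs closest to the BIG-IP itself, and a `..;` request that received a 404 after patching is still evidence that the host was scanned.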


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
