Posted on July 6, 2020 at 6:43 PM
Few days after the F5 BIG-IP mega-bug was disclosed, hackers have already started exploiting it. The threat actors are currently launching attacks against the F5 BIG-IP mega-bug devices, according to recent reports.
Attack was malicious in nature
The attack was discovered yesterday by Rich Warren, a cybersecurity researcher at NCC Group.
In a recent statement from warren, the attacks were malicious in nature and the threat actors are trying to steal administrator passwords from the compromised devices.
The attacks are infiltrating Bit-IP in particular, which is a multipurpose networking device owned by F5 networks.
These devices can be configured and used as SSL middleware, rate timers, access gateways, firewalls, load balancers, as well as traffic shaping systems.
The BIG-IP devices are used to strengthen some of the sensitive and largest networks around, as they are the most popular networking devices in use presently.
The BIG-IP devices can be utilized in different ways too. They can be deployed across enterprise network, used inside cloud computing data centers, or on the networks of internet service providers.
F5 recently revealed that almost the entire companies on the fortune 50 list depend on the BIG-IP systems, which shows the level of popularity the devices are.
Last week, the F5 Network published and released patches related to the vulnerability in BIG-IP devices. It also released a security advisory about a “remote code execution”, which is vulnerable in the BIG-IP devices.
F5 pointed out that the weakness, known as CVE-2020-5902 may give hackers the opportunity to launch attacks on unpatched system switch as they can be accessed over the internet.
Vulnerability is dangerous
The level of vulnerability on the system was deemed dangerous, as it even received a 10 security score, the highest rate on the CVSSv3 severity scale. The high vulnerability rating shows that exploiting the vulnerability will be very easy as it’s more porous threat actors to launch attacks on the system.
It doesn’t need advanced coding skills or valid credentials for the hackers to explore.
Attack attempts began after three days
Generally, when hackers receive information about vulnerability, they try to find ways to exploit the flaw. Once they’ve discovered how to attack the system successfully, they simply launch their exploitation to get as much information as they can.
Cyber security experts have tried warning the firm to patch the vulnerability on time before it becomes known to hackers. According to the experts, if the threat actors succeed in any attack, it would grant them complete access over the most important IT networks in the world.
The US Cyber Command sounded the same warning and asked the BIG-IP system administrators to patch the BIG-IP devices. This warning was issued on the night of Friday. Three days later, the hackers got news about vulnerability and decided to pounce.
Warren said the attacks started few hours after the warning tweet from the US cyber commend unit.
He revealed that he discovered malicious attacks coming from five different IP addresses. He also pointed out that the attacks were malicious after confirming their source.
“The vulnerability allows you to invoke .JSP files using a traversal sequence,” Warren said.
He further revealed that the attacker reads the different files from the honeypots and execute the commands through built-in JSP. As a result, the hackers could easily dump out the encrypted admin passwords, Warren said.
The BIG-IP weakness is the type of security ybug that ransomware groups and nation-state hacking groups have been attacking since last year. However, it’s the first time the hackers are infiltrating the BI-UP devices.
Since August last year, hackers have been exploiting familiar RCE bugs in Citrix networking gateways and Secure VPNs. The goal is to plant backdoor and come back in the near future to install ransomware and steal sensitive information and data. ransomware gangs are always exploiting the Citrix bugs and secure network.