In what has become a dreaded, lengthening rough patch for security, attackers are actively targeting yet another set of server vulnerabilities that leave companies and governments open to serious network intrusions.
The weakness this time is in BIG-IP, a line of server equipment sold by Seattle-based F5 Networks. Customers use BIG-IP servers to manage traffic going in and out of large networks. Functions include load balancing, DDoS mitigation, and web application security.
Last week, F5 disclosed and patched critical BIG-IP vulnerabilities that allow hackers to gain complete control of a server. Despite a severity score of 9.8 out of 10, the security flaws were overshadowed by a variety of important vulnerabilities Microsoft disclosed and patched in Exchange server in the past week. Within days of Microsoft’s emergency update, thousands of Exchange servers in the US were compromised.
Date of calculation
When security researchers weren’t busy attending to the ongoing Exchange vulnerabilities, many of them warned that it was only a matter of time before the F5 vulnerabilities came under attack again. Now, that day has come.
Investigators at security firm NCC Group said on Friday that they are “finding a full chain exploit” of CVE-2021-22986, a vulnerability that allows remote attackers with no password or other credentials to execute commands of their choice on vulnerable BIG-IP devices.
“After seeing many broken operations and failed attempts, we have now seen success in a wild exploitation of this vulnerability, this morning,” wrote Rich Warren, senior security advisor at the NCC Group and author of the blog.
After seeing many broken operations and failed attempts, we now see success in wild exploitation of this vulnerability, this morning. https://t.co/Sqf55OFkzI
— Rich Warren (@buffaloverflow) March 19, 2021
In a blog post, the NCC team shared a screenshot showing exploit code that can successfully steal an authenticated session token, which is a type of browser cookie that allows administrators to use a web-based programming interface to remotely manage BIG-IP equipment.

“The attackers are hitting multiple honeypots in different areas, suggesting there is no specific target,” Warren wrote in an email. “It is more likely that they are ‘spraying’ attempts across the internet, in the hope that they can exploit the vulnerability before organizations have a chance to disappear.”
He said that earlier attempts used inaccurate exploits derived from the limited information available in the public domain.
Security firm Palo Alto Networks, meanwhile, said that CVE-2021-22986 is being targeted by devices infected with a variant of the open source Mirai malware. The tweet said the variant “attempted to exploit” the vulnerability, but it was not clear if the attempts were successful.
Other researchers reported Internet-wide scanners designed to find vulnerable BIG-IP servers.
CVE-2021-22986 is one of several critical BIG-IP vulnerabilities F5 has disclosed and patched over the past week. The worst part is that the vulnerabilities require limited expertise to exploit. But more importantly, once attackers have control of a BIG-IP server, they are more or less inside the protected area of the network that uses it. That means attackers can quickly access other sensitive parts of the network.
As if administrators don’t already have enough to attend to, securing vulnerable BIG-IP servers and detecting exploits should be a top priority. The NCC Group provides indicators of compromise in the link above, and Palo Alto Networks has IOCs here.
Update 8:22 pm EDT: After this post went live, F5 made a statement. It read: “We are aware of attacks targeting vulnerabilities recently published by F5. As with all critical vulnerabilities, we advise customers to patch their systems as soon as possible.”
Meanwhile, Rich Warren of the NCC Group responded to the questions I posted earlier. Here is a partial Q&A:
What does “see full chain abuse” mean? What has the NCC Group already seen, and how has “full chain utilization” changed?
What we mean is that, in the past we saw attackers trying to exploit the SSRF vulnerability in a way that could not work, because an important part of the exploit was not public knowledge, so the operations would fail. By now, attackers have figured out the full details needed to use SSRF to bypass authentication and obtain authentication tokens. These credentials can then be used to execute remote commands. So far, we’ve seen attackers a) get the certificate token, and b) run commands to dump the credentials. We haven’t seen any web shells dropped like we did with CVE-2020-5902, however.
Where, exactly, do you see abuse attempts? Is it in honeypots, on production servers, somewhere else?
The attackers are hitting several honeypots in different areas, suggesting that there is no specific target. It is more likely that they are “spraying” attempts across the internet, hoping that they can exploit the vulnerability before the groups have a chance to disappear. Previous attempts we’ve seen against our honeypot infrastructure show that attackers are using inaccurate exploits based on the limited information available in the public domain. This shows that attackers obviously want to exploit the vulnerability – even if some of them don’t have the knowledge needed to engineer their own attack code.
Do you know if the exploits are successful in damaging production servers? If yes, what are the attackers exploiting after?
At this time, we cannot comment on whether similar attacks have been successful on other people’s servers. With regards to post-exploitation activities, we have only seen the certification dump so far.
I’m reading that multiple threat groups are exploiting the vulnerability. Do you know this to be true? If so, how many dangerous players are there?
We do not say that there are many attacks. In fact, while we have seen many successful exploit attempts from different IPs, all attempts have had some specific signs which are consistent with other attempts, suggesting that the same underlying exploit is possible.