Attackers Exploiting F5 Networks BIG-IP Server Vulnerability

Attackers are exploiting a critical remote code vulnerability in F5 Networks’ BIG-IP platform, tracked as CVE-2021-22986, for which the company released patches on March 10.

See Also: Live Webinar | Mitigating the Risks Associated with Remote Work

The vulnerability, which has a CVSS ranking of 9.8 out of 10 – highly critical – is a remote command execution flaw in BIG-IP, a network traffic security management appliance.

By exploiting the flaw, unauthenticated attackers can gain access to BIG-IP’s management interface and self IP addresses and execute arbitrary system commands, create or delete files, and disable services, F5 Networks says.

On Thursday, security firm NCC Group said attackers were chaining multiple BIG-IP vulnerabilities with CVE-2021-22986. NCC added that an exploit for the vulnerability is likely to be available in the public domain soon.

In another alert on Friday, security firm Palo Alto Networks said a Mirai botnet variant is chaining the BIG-IP with another flaw as part of an attack, although the company did not clarify if the Mirai attacks were successful.

We are now observing the Mirai variant from https://t.co/ZDTVwtdYlq attempting to exploit CVE-2021-22986, an unauthenticated RCE in F5 BIG-IP & BIG-IQ products, and CVE-2020-28188.

IOCs for the new activity available at:https://t.co/bc0IySEAEk pic.twitter.com/ZsUqxq60XO

— Unit 42 (@Unit42_Intel) March 19, 2021

NCC Alert

The NCC Group report notes the attacks exploiting the flaw unfold in two stages. In the first stage, the attackers leveraged the BIG-IP flaw to gain an authenticated session token; this was then used to interact with the application API endpoint.

Using the token, the attackers extract browser cookies that allow the threat actors to access a web-based interface, which then enables them to remotely control the application.

The second step of the attack occurs when the victim’s device calls the attacker-controlled API. The report further notes the attackers have been using this method to access honeypots set-up by the researchers.

“Starting this week and especially in the last 24 hours [March 18], we have observed multiple exploitation attempts against our honeypot infrastructure,” the NCC report notes. “Fortunately, the attackers got the details of the exploit wrong and attempted a chain of events that could not possibly work.”

Other Vulnerabilities

Researchers and government agencies have warned of several other significant vulnerabilities found in various popular products this month.

For example, Microsoft issued emergency software patches for four zero-day vulnerabilities in its Exchange email server (see: Microsoft Patches Four Zero-Day Flaws in Exchange).

Following the Microsoft alert, the U.S. Cybersecurity and Infrastructure Agency warned that scanning activity for the vulnerabilities had picked up in recent days. It stressed that federal agencies and private firms should apply patches or disconnect internet-facing systems until the bugs are fixed.