In a development that security professionals had feared, attackers are actively exploiting another set of critical server vulnerabilities that leave businesses and governments open to serious network breaches.
The vulnerability this time around is in BIG-IP, a line of server appliances sold by F5 Networks in Seattle. Customers use BIG-IP servers to manage traffic to and from large networks. Tasks include load balancing, DDoS mitigation, and web application security.
Last week, F5 disclosed and patched critical BIG-IP vulnerabilities that allow hackers to take complete control of a server. Despite a severity rating of 9.8 out of 10, the vulnerabilities were overshadowed by a number of critical vulnerabilities in Exchange Server that Microsoft had reported and patched a week earlier. Within a few days of Microsoft's emergency update, tens of thousands of Exchange servers in the United States were compromised.
Day of reckoning
Even while security researchers were busy dealing with the looming mass compromise of Exchange, many warned that it was only a matter of time before the F5 vulnerabilities were attacked as well. Now that day has come.
Researchers at security firm NCC Group said on Friday that CVE-2021-22986, a vulnerability that allows remote attackers with no password or other credentials to execute commands of their choice on vulnerable BIG-IP devices, is being "fully exploited".
"After seeing many flawed exploits and failed attempts, we can successfully exploit this vulnerability starting this morning," wrote Rich Warren, Principal Security Consultant at NCC Group and co-author of the blog post.
After seeing many flawed exploits and failed attempts, we are now seeing successful in-the-wild exploitation of this vulnerability, starting this morning https://t.co/Sqf55OFkzI
– Rich Warren (@buffaloverflow) March 19, 2021
In the blog post, NCC Group published a screenshot of exploit code that successfully obtained an authenticated session token. This is a type of browser cookie that allows administrators to use a web-based programming interface to remotely control BIG-IP hardware.
"The attackers hit multiple honeypots in different regions, suggesting that there is no specific targeting," Warren wrote in an email. "They are more likely to 'spray' attempts over the Internet in the hopes that they can exploit the vulnerability before companies have a chance to patch it."
He said previous attempts used incomplete exploits derived from the limited information that was publicly available.
Security firm Palo Alto Networks said in a tweet that CVE-2021-22986 is being attacked from devices infected with a variant of the open source Mirai malware. The tweet said the variant "tried to exploit the vulnerability," but it was not clear whether the attempts were successful.
Other researchers reported Internet-wide scans aimed at finding vulnerable BIG-IP servers.
Opportunistic mass scanning activity detected from the following hosts looking for F5 iControl REST endpoints susceptible to remote command execution (CVE-2021-22986).
112.97.56.78 (🇨🇳)
13.70.46.69 (🇭🇰)
115.236.5.58 (🇨🇳)
Vendor advisory: https://t.co/MsZmXEtcTn #threatintel
– Bad Packets (@bad_packets) March 19, 2021
CVE-2021-22986 is just one of several critical BIG-IP vulnerabilities that F5 disclosed and patched last week. Part of what makes them so severe is that they require little skill to exploit. More importantly, once attackers control a BIG-IP server, they are more or less inside the security perimeter of the network that uses it, which means they can quickly reach other sensitive parts of that network.
As if administrators weren't busy enough, patching vulnerable BIG-IP servers and checking for signs of exploitation should be top priorities. NCC Group lists indicators of compromise in the post linked above, and Palo Alto Networks has IoCs here.
Update: After this post went live, Rich Warren of NCC Group answered questions I had sent earlier. Here is a partial transcript of the exchange:
What does "full chain exploitation" mean? What had NCC Group seen before, and how does "full chain exploitation" change this?
What we mean by this is that we had previously seen attackers attempting to abuse the SSRF vulnerability in a way that could not work, because an important part of the exploit was not publicly known and therefore the exploits would fail. Now attackers have figured out all the details required to bypass authentication using SSRF and obtain authentication tokens. These authentication tokens can then be used to execute commands remotely. So far we've seen the attackers a) obtain an authentication token and b) run commands to secure credentials. We haven't yet seen web shells being dropped, as with CVE-2020-5902.
Where exactly do you see the exploit attempts? Is it in a honeypot, on production servers, elsewhere?
The attackers hit multiple honeypots in different regions, suggesting that there is no specific targeting. They are more likely "spraying" attempts across the Internet in the hope of exploiting the vulnerability before companies have a chance to patch it. Previous attempts against our honeypot infrastructure showed attackers using incomplete exploits based on the limited information that was publicly available. This shows that attackers are clearly interested in exploiting the vulnerability, even if some of them lack the knowledge needed to develop their own attack code.
Do you know if the exploits manage to compromise production servers? If so, what do attackers do after the exploitation?
At the moment we cannot judge whether the same attackers succeeded against other people's servers. In terms of post-exploitation activities, we have only seen credentials dumping so far.
I read that multiple threat groups were exploiting the vulnerability. Do you know if this is true? If so, how many different threat actors are there?
We did not state that there were multiple attackers. Although we have seen several successful exploitation attempts from different IPs, all of the attempts contained some specific characteristics that are consistent with the other attempts, suggesting that it is likely the same underlying exploit.