Critical F5 BIG-IP Vulnerability Targeted by Destructive Attacks

A recently disclosed F5 BIG-IP vulnerability has been used in destructive attacks, attempting to wipe a device’s file system and render the server unusable.

Last week, F5 disclosed a vulnerability identified as CVE-2022-1388 that allows remote attackers to run commands on BIG-IP network devices as “root” without authentication. Due to the critical nature of the bug, F5 urged admins to apply updates as soon as possible.

A few days later, researchers began publicly posting exploits on Twitter and GitHub, with threat actors soon using them in attacks across the Internet.

While most attacks were used to drop webshells for initial access to networks, steal SSH keys and enumerate system information, SANS Internet Storm Center saw two attacks that targeted BIG-IP devices in a much more harmful way.

SANS told BleepingComputer that their honeypots saw two attacks originating from IP address 177.54.127[.]111 that ran the ‘rm -rf /*’ command on the targeted BIG-IP device.

Tweet by SANS

This command will attempt to erase all files from the Linux file system of BIG-IP devices when executed.

As the exploit gives attackers root privileges on the Linux operating system powering BIG-IP devices, the rm -rf /* command will be able to remove almost any file, including the configuration files needed for proper operation of the device.
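For defenders reviewing honeypot or proxy logs for the activity described above, the following is an added example (not code from the article, SANS, or F5) that scans constructed log lines for the two indicators the story reports: the source IP published by SANS and a recursive removal rooted at the filesystem root. The log format (`<ip> <method> <path> cmd=<command>`) is a hypothetical honeypot format assumed for the example, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Indicator reported by SANS in the article, kept in defanged form.
REPORTED_SOURCE_IP = "177.54.127[.]111"

# Matches a recursive rm aimed at the filesystem root ("rm -rf /*" or "rm -rf /"),
# but not recursive removals of a sub-path such as "rm -rf /var/tmp/x".
DESTRUCTIVE_RM = re.compile(r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*\s+/\*?(\s|$)")


@dataclass
class Finding:
    line_no: int
    source_ip: str
    reason: str


def refang(ip: str) -> str:
    """Turn a defanged indicator (177.54.127[.]111) back into a matchable IP."""
    return ip.replace("[.]", ".")


def scan_honeypot_log(lines):
    """Return one Finding per indicator hit; a line may produce several.

    Assumed (hypothetical) log format: "<ip> <method> <path> cmd=<command>".
    """
    attacker_ip = refang(REPORTED_SOURCE_IP)
    findings = []
    for n, line in enumerate(lines, start=1):
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line, skip rather than guess
        ip, _method, _path, rest = parts
        cmd = rest.partition("cmd=")[2].strip()
        if ip == attacker_ip:
            findings.append(Finding(n, ip, "source matches reported attacker IP"))
        if DESTRUCTIVE_RM.search(cmd):
            findings.append(Finding(n, ip, "destructive filesystem wipe command"))
    return findings


# Constructed sample log lines; paths and IPs are placeholders, not real traffic.
SAMPLE_LOG = [
    "203.0.113.7 GET /index.html cmd=",
    "177.54.127.111 POST /api/run cmd=rm -rf /*",
    "198.51.100.9 POST /api/run cmd=id",
    "192.0.2.5 POST /api/run cmd=rm -rf /var/tmp/scratch",
]

if __name__ == "__main__":
    for f in scan_honeypot_log(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.source_ip}: {f.reason}")
```

The regex deliberately ignores recursive deletes of sub-paths so that routine cleanup commands do not raise alerts; only line 2 of the sample set is flagged, once for the IP and once for the command.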

After posting our story, security researcher Kevin Beaumont confirmed that devices were being wiped tonight.

“Can confirm. Real world devices are being wiped tonight, many on Shodan have stopped responding,” tweeted Beaumont.

Fortunately, these destructive attacks don’t seem to be widespread, with most threat actors looking to profit from breaching devices rather than causing harm.

Cybersecurity threat intelligence firms Bad Packets and GreyNoise told BleepingComputer they haven’t seen any destructive attacks on their honeypots.

GreyNoise researcher Kimber said they mainly saw exploits removing webshells, exfiltrating configurations, or running commands to create administrator accounts on devices.

While destructive attacks observed by SANS may be rare, the fact that they occur should be all the incentive an administrator needs to update their devices to the latest patch levels.

When we contacted F5 about these destructive attacks, they told BleepingComputer that they were in contact with SANS and strongly advised administrators against exposing the BIG-IP management interface to the internet.

“We have been in contact with SANS and are investigating the issue. If customers have not already done so, we urge them to update to a fixed version of BIG-IP or implement one of the mitigations detailed in the security advisory. We urge customers to never expose their BIG-IP Management Interface (TMUI) to the public internet and ensure that appropriate controls are in place to limit the access.” - F5

However, it is important to note that Beaumont has found that attacks also affect devices on non-management ports if they are misconfigured.

Tweet from Kevin Beaumont

For those affected by attacks on their BIG-IP devices, F5 told BleepingComputer that their security incident response team is available 24 hours a day, seven days a week, and can be reached at (888) 882-7535, (800) 11-275-435, or online.

For F5 BIG-IP administrators concerned that their devices have already been compromised, Sandfly Security founder Craig Rowland is offering test licenses that they can use to verify their devices.

Update 5/10/22: Added confirmation from Kevin Beaumont.
