Hackers are trying to steal admin passwords from F5 BIG-IP devices


Hackers have started launching attacks against F5 BIG-IP networking devices, ZDNet has learned.

The attacks were spotted today by Rich Warren, a security researcher for the NCC Group.

In an interview earlier today, Warren told ZDNet the attacks are malicious in nature, and that the hackers are attempting to steal administrator passwords from the compromised devices.

Summary: BIG-IP and CVE-2020-5902

These attacks are targeting BIG-IP, a multi-purpose networking device manufactured by F5 Networks. BIG-IP devices can be configured to work as traffic-shaping systems, load balancers, firewalls, access gateways, rate limiters, or SSL middleware.

These devices are some of the most popular networking products in use today, and they underpin some of the largest and most sensitive networks around.

BIG-IP devices are used in government networks, on the networks of internet service providers, inside cloud computing data centers, and they are widely deployed across enterprise networks.

The devices are so powerful and widespread that, on its website, F5 claims that 48 of the 50 companies included in the Fortune 50 list rely on BIG-IP systems.

On Wednesday, F5 Networks published patches and released a security advisory about a "remote code execution" vulnerability in BIG-IP devices.

F5 said the vulnerability, tracked as CVE-2020-5902, could allow attackers to take full control over unpatched systems that are accessible on the internet.

The vulnerability was deemed so dangerous that it received a severity score of 10, the maximum on the CVSSv3 severity scale. This score means the vulnerability is easy to exploit and automate, can be used over the internet, and does not require valid credentials or advanced coding skills to take advantage of.

Exploitation attempts began after three days

The cyber-security community expected that this bug would come under active attack as soon as hackers figured out how to exploit it.

Cyber-security experts have been trying to raise the alarm about the urgent need to patch this bug, without any delay, since Wednesday, when it became public, as any successful attack would grant threat actors full access to some of the world's most important IT networks.

Their efforts to draw attention to this issue were helped by US Cyber Command, which, on Friday night, just hours before July 4th, asked system administrators to take the time to patch BIG-IP devices, fearing the same outcome.

According to Warren, these attacks began just hours after the US Cyber Command tweet. Warren, who is currently running BIG-IP honeypots — servers made to look like BIG-IP devices — said he detected malicious attacks coming from five different IP addresses.

In logs shared with ZDNet, Warren pointed out the source of these attacks and confirmed they were malicious.

"The vulnerability allows you to invoke .JSP files using a traversal sequence," Warren told ZDNet earlier today.

"This, in turn, allows you to (ab)use functionality of otherwise authenticated .JSP files to do things like read files or, eventually, execute code.

"So far, what we've seen is an attacker reading various different files from the honeypots and executing commands via a built-in .JSP file. With this they were able to dump out the encrypted admin passwords, settings, etc.," Warren said.
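The mechanism Warren describes, a traversal sequence in the request path that lands on a .JSP resource, is something a defender can look for in web-server access logs. The following is an added example for this article, not code from NCC Group, F5, or the honeypots mentioned above. It normalizes each request path the way a Java servlet container would (percent-decoding, backslashes, and `;`-style path parameters on a segment stripped) before checking whether a `..` segment is used to reach a `.jsp` file. The log lines, IP addresses, and paths are constructed for illustration and are not the real appliance's paths.

```python
"""Flag HTTP requests that reach a .jsp resource through a path-traversal
sequence, as a simple detection over web-server access logs.

Added example for this article; the log lines below are constructed and
are not data from the honeypots the article describes."""
import re
from urllib.parse import unquote

# Constructed access-log lines (assumed common-log-style "METHOD PATH" field).
# Hosts, paths and file names are made up for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jul/2020:23:10:01 +0000] "GET /app/login.jsp HTTP/1.1" 200 1532',
    '10.0.0.5 - - [04/Jul/2020:23:10:02 +0000] "POST /app/login.jsp HTTP/1.1" 302 0',
    '198.51.100.7 - - [04/Jul/2020:23:11:40 +0000] "GET /app/login.jsp/..;/app/admin/readFile.jsp?name=/etc/hosts HTTP/1.1" 200 812',
    '198.51.100.7 - - [04/Jul/2020:23:11:41 +0000] "GET /app/login.jsp/%2e%2e/admin/runCmd.jsp HTTP/1.1" 200 96',
    '203.0.113.9 - - [04/Jul/2020:23:12:05 +0000] "GET /app/images/logo.png HTTP/1.1" 200 4410',
]

# Pulls the method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_path(target):
    """Return the path segments a servlet container would effectively see.

    - the query string is dropped
    - percent-decoding is applied twice to undo double encoding
    - backslashes are treated as separators
    - ';name=value' path parameters are stripped from each segment, since
      servlet containers ignore them (so a '..;' segment resolves like '..')
    """
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        segments.append(seg)
    return segments


def resolve(segments):
    """Collapse '..' segments the way a filesystem or URL resolver would."""
    stack = []
    for seg in segments:
        if seg == "..":
            if stack:
                stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def is_traversal_to_jsp(target):
    """True when a request uses a '..' segment and ends up on a .jsp file."""
    segments = normalize_path(target)
    if ".." not in segments:
        return False
    return resolve(segments).lower().endswith(".jsp")


def scan_log(lines):
    """Return (source_ip, raw_target, resolved_path) for each suspicious request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        if is_traversal_to_jsp(target):
            source_ip = line.split(" ", 1)[0]
            hits.append((source_ip, target, resolve(normalize_path(target))))
    return hits


if __name__ == "__main__":
    for source_ip, target, resolved in scan_log(SAMPLE_LOG):
        print(f"{source_ip} requested {target} -> resolves to {resolved}")
```

Matching on the normalized path rather than the raw string matters: a plain substring search for `../` misses both the percent-encoded and the path-parameter variants, while the resolver above reduces all of them to the same `..` segment. Any request that needs a `..` segment to arrive at a `.jsp` page is worth an analyst's attention, since browsers normalize such paths away before sending them.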

Pulse Secure, Citrix, and now… BIG-IP

The BIG-IP vulnerability is the type of security bug that nation-state hacking groups and ransomware gangs have been exploiting for almost a year — but in other products.

Since August, hacking groups have been exploiting similar RCE bugs in Pulse Secure VPNs and Citrix networking gateways to gain a foothold on corporate networks, and then plant backdoors, steal sensitive data, or install ransomware.

The Pulse Secure and Citrix bugs have been the bread and butter of ransomware gangs in particular. In many cases, they did not even exploit the bugs right away. They planted backdoors, and then came back days, weeks, or months later to monetize their access.

Ransomware gangs like REvil, Maze, or Netwalker have been known to rely heavily on these types of bugs to attack some of the world's largest companies, and security experts say the BIG-IP vulnerability is just the type of bug that could fuel their next wave of attacks.

