In destructive cyberattacks, a recently announced F5 BIG-IP vulnerability was used to attempt to delete a device’s file system and render the server useless. Last week, F5 reported CVE-2022-1388, a vulnerability that allows remote attackers to execute commands as ‘root’ on BIG-IP network devices without authentication. F5 advised administrators to deploy patches as soon as possible due to the bug’s serious nature.
Researchers began openly posting vulnerabilities on Twitter and GitHub a few days later, and threat actors quickly used them in strikes across the Internet. While most assaults drop web shells for initial network access, acquire SSH keys, and enumerate system information, the SANS Internet Storm Center detected two attacks that targeted BIG-IP devices significantly more maliciously.
SANS said that its honeypots detected two intrusions from IP address 177.54.127[.]111, which ran the command ‘rm -rf /*’ on the targeted BIG-IP device. When this command is used, it will attempt to delete all files on the Linux file system of the BIG-IP devices. Since the vulnerability grants attackers root access to the Linux operating systems that run BIG-IP devices, the rm -rf /* command may remove nearly any file, even configuration files essential for the device to function correctly.
Security analyst Kevin Beaumont confirmed that devices were being wiped this evening after the report was published. “Can confirm. Real world devices are being erased this evening, lots on Shodan have stopped responding,” tweeted Beaumont. Fortunately, these harmful attacks are not prevalent, as most threat actors are more interested in gaining access to the devices than in inflicting damage.
Bad Packets and GreyNoise, two cybersecurity threat intelligence organizations, said they had not detected any harmful cyberattacks on their honeypots. According to GreyNoise researcher Kimber, the attacks often drop web shells, exfiltrate configs, or run commands to create admin accounts on the devices.
While SANS’ damaging attacks are uncommon, they should be enough to motivate administrators to keep their devices up to speed with the latest patch levels. When contacted about the devastating attacks, F5 informed that they were in contact with SANS and strongly encouraged administrators not to expose the BIG-IP administration interface to the Internet. It’s worth noting that Beaumont discovered attacks may also affect devices on non-management ports if they’re misconfigured.
F5’s Security Incident Response Team is accessible 24 hours a day, seven days a week for anyone affected by attacks on their BIG-IP devices, and may be reached at (888) 882-7535, (800) 11-275-435, or online. Sandfly Security creator Craig Rowland is giving test licenses to F5 BIG-IP administrators who are afraid their devices have already been infected.
