In a development feared by security professionals, attackers are actively targeting yet another set of critical server vulnerabilities that expose businesses and governments to serious network intrusions.
The vulnerability this time is in BIG-IP, a line of server equipment sold by Seattle-based F5 Networks. Customers use BIG-IP servers to manage traffic to and from major networks. Tasks include load balancing, DDoS mitigation, and web application security.
Last week, F5 disclosed and patched critical BIG-IP vulnerabilities that allow attackers to take full control of a device. Despite a severity rating of 9.8 out of 10, the flaws were overshadowed by another set of critical vulnerabilities that Microsoft disclosed and patched in Exchange Server a week earlier. Within days of Microsoft's emergency update, tens of thousands of Exchange servers in the US were compromised.
Day of reckoning
When security researchers weren’t preoccupied with Exchange’s unfolding mass compromise, many of them warned it was only a matter of time before the F5 vulnerabilities would also be attacked. Well, that day has come.
Researchers at security company NCC Group on Friday said they “see full chain exploitation” of CVE-2021-22986, a vulnerability that allows remote attackers to execute commands of their choice on vulnerable BIG-IP devices without a password or other credentials.
“After seeing many failed exploits and failed attempts, as of this morning we are now seeing success in the wild exploitation of this vulnerability,” wrote Rich Warren, chief security advisor at NCC Group and co-author of the blog post.
(Tweet by Rich Warren, @buffaloverflow, March 19, 2021: https://t.co/Sqf55OFkzI)
In a blog post, NCC Group published a screenshot of exploit code that successfully obtains an authentication token, the credential that lets administrators use BIG-IP's web-based management API (iControl REST) to control the device remotely.
“The attackers hit multiple honeypots in different regions, suggesting no specific targeting,” Warren wrote in an email. “They’re more likely to ‘spray’ attempts across the internet, hoping they can exploit the vulnerability before organizations have a chance to patch it.”
He said previous attempts used incomplete exploits derived from the limited information that was publicly available.
Security firm Palo Alto Networks, meanwhile, said in a tweet that CVE-2021-22986 was being targeted by devices infected with a variant of the open source Mirai malware. The tweet said the variant “tried” to exploit the vulnerability, but it was not clear whether the attempts were successful.
Other researchers reported Internet-wide scans designed to locate vulnerable BIG-IP servers.
CVE-2021-22986 is just one of many critical BIG-IP vulnerabilities that F5 disclosed and patched last week. The severity is in part because the vulnerabilities require limited skills to exploit. But more importantly, once attackers take control of a BIG-IP server, they are more or less within the security perimeter of the network using it. That means attackers can quickly gain access to other sensitive parts of the network.
As if administrators didn't already have enough to do, patching vulnerable BIG-IP servers and checking them for signs of exploitation should be a top priority. NCC Group has provided indicators of compromise in the blog post linked above, and Palo Alto Networks has IOCs here.
Update 8:22 PM EDT: After this post went live, F5 issued a statement. It read, “We are aware of attacks targeting recent vulnerabilities published by F5. As with all critical vulnerabilities, we advise customers to update their systems as soon as possible.”
Meanwhile, Rich Warren of the NCC Group responded to questions I sent earlier. Here’s a partial Q&A:
What does “see full chain exploitation” mean? What did NCC Group see before and how does “full chain exploitation” change this?
What we mean is that we previously saw attackers trying to exploit the SSRF vulnerability in a way that couldn’t work because a significant part of the exploit was not widely known, which would cause the exploits to fail. Now attackers have discovered the full details needed to use the SSRF to bypass authentication and obtain authentication tokens. These authentication tokens can then be used to execute remote commands. So far we have seen the attackers a) obtain an authentication token and b) execute commands to dump credentials. We haven’t seen any web shells drop like we did with CVE-2020-5902.
Where exactly do you see the exploitation attempts? Is it in a honeypot, on production servers, somewhere else?
The attackers hit multiple honeypots in different regions, suggesting that there is no specific target. They are more likely to “spray” attempts across the internet in the hopes that they can exploit the vulnerability before organizations have a chance to patch it. Previous attempts we saw against our honeypot infrastructure showed that attackers used incomplete exploits based on limited information available in the public domain. This shows that attackers are clearly eager to exploit the vulnerability, even if some of them do not have the required knowledge to develop their own attack code.
Do you know if the exploits manage to compromise production servers? If so, what do attackers do after the exploit?
At this point, we cannot say whether the same attackers have been successful against others’ servers. With regard to post-exploitation activities, we have only seen dumping of credentials so far.
I read that several threat groups are exploiting the vulnerability. Do you know this is true? If so, how many different threat actors are there?
We didn’t say there are multiple attackers. While we’ve seen multiple successful exploit attempts from different IPs, all of the attempts contain some specifics that are consistent with the other attempts, suggesting it’s likely the same underlying exploit.
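The chain Warren describes above (bypass authentication, obtain a token, then run commands with it) leaves a recognisable shape in management-plane access logs, which is what a defender checking a BIG-IP for exploitation would look for. The script below is an added example written for this page; it is not code from NCC Group, Palo Alto Networks, F5 or the article's author, and it is not one of the published IOCs. It assumes the access log is in combined format, that token issuance goes through the documented iControl REST login endpoint /mgmt/shared/authn/login and command execution through /mgmt/tm/util/bash (endpoint names taken from F5's public API documentation, not from the article), and that the operator supplies an allowlist of hosts that legitimately manage the device. The sample log lines are constructed for the example.

```python
"""Hunt BIG-IP access logs for "token obtained, then command run" activity.

Added example, not from the article. Assumptions (not stated in the article):
combined log format; iControl REST login at /mgmt/shared/authn/login and the
bash utility at /mgmt/tm/util/bash; the caller supplies the management allowlist.
"""
import re
from datetime import datetime, timedelta

# Combined-log-style line: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TOKEN_ENDPOINT = "/mgmt/shared/authn/login"   # assumed: iControl REST login
BASH_ENDPOINT = "/mgmt/tm/util/bash"          # assumed: iControl REST bash utility
WINDOW = timedelta(minutes=10)                # how close login and command must be

# Constructed sample log (not real traffic). 203.0.113.7 logs in and runs bash within
# seconds; 10.0.5.20 is a legitimate management host; 198.51.100.9 fails both steps,
# the shape of the incomplete exploit attempts the article mentions.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2021:09:14:02 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 200 512
203.0.113.7 - - [19/Mar/2021:09:14:05 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 244
10.0.5.20 - - [19/Mar/2021:09:20:11 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 200 512
10.0.5.20 - - [19/Mar/2021:09:21:40 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 244
198.51.100.9 - - [19/Mar/2021:09:30:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4034
198.51.100.9 - - [19/Mar/2021:09:30:30 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 93
198.51.100.9 - - [19/Mar/2021:09:31:00 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 93
"""


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "ts": ts,
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore query strings
        "status": int(m["status"]),
    }


def hunt(lines, management_allowlist=frozenset()):
    """Flag command execution by sources that are not known management hosts.

    Two finding kinds: "token-then-command" when the same source obtained a token
    within WINDOW beforehand (the full chain), and "command-without-observed-login"
    when it did not. The HTTP status is kept so responders can separate successful
    commands from failed attempts.
    """
    findings = []
    last_token = {}   # source ip -> time of its last successful token issuance
    for line in lines:
        r = parse_line(line)
        if r is None or r["method"] != "POST" or r["ip"] in management_allowlist:
            continue
        if r["path"] == TOKEN_ENDPOINT and r["status"] == 200:
            last_token[r["ip"]] = r["ts"]
        elif r["path"] == BASH_ENDPOINT:
            t = last_token.get(r["ip"])
            kind = ("token-then-command"
                    if t is not None and r["ts"] - t <= WINDOW
                    else "command-without-observed-login")
            findings.append({"ip": r["ip"], "kind": kind,
                             "status": r["status"], "ts": r["ts"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines(), management_allowlist=frozenset({"10.0.5.20"})):
        print(f"{f['ts'].isoformat()} {f['ip']} {f['kind']} HTTP {f['status']}")
```

A 200 on the bash endpoint from an unknown source is the case to treat as a compromise and move to forensics; a 401 on the same path records an attempt and is worth keeping for attribution, but not proof of intrusion. Run it against the real log with the device's own management hosts in the allowlist, and widen WINDOW if the chain is being run slowly.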