Security researchers from the SANS Internet Storm Center told BleepingComputer that their honeypots received two attack attempts from a single IP address, both attempting to execute the “rm -rf /*” command on the targeted BIG-IP device.
Since the bug (CVE-2022-1388) grants attackers root privileges on the Linux OS powering BIG-IP devices, the “rm -rf /*” command erases all files found on the system, including the configuration files the device needs to function properly.
Security researcher Kevin Beaumont confirmed on Twitter that hackers were wiping devices using the bug.
Can confirm. Real world devices are wiped tonight, many on Shodan have stopped responding. https://t.co/Rb7cyD2cnR
— Kevin Beaumont (@GossiTheDog) May 10, 2022
F5 Networks patched the remote code execution (RCE) flaw affecting its BIG-IP family of network devices and modules last week, although not all customers have installed the update yet.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” the company said.
Found in the iControl REST authentication component of BIG-IP devices, the flaw has a CVSS Base Score of 9.8.
The vulnerability is easy to exploit: all it takes is two commands and some headers sent to an unpatched “bash” endpoint exposed to the internet.
Fixing the flaw is particularly critical because BIG-IP equipment includes network gateways and firewalls that serve as the primary point of security for remote network connections.
Hundreds of BIG-IP systems are exposed on the Internet, which means an attacker could easily use the appliance to move laterally within a corporate network.
After F5 patched the bug, researchers began sharing exploits publicly on GitHub and Twitter, with threat actors quickly using them in attacks across the Internet.
The majority of attacks detected by SANS researchers were non-destructive (with the exception of two) and were used to steal SSH keys, drop webshells for initial network access, and enumerate system information.
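For defenders, the exploit path and post-exploitation behaviours described above map onto simple detection logic. The following is an added example (not code from the article, SANS, or F5) that triages request records for POSTs to the iControl REST bash utility endpoint and labels the command by the activity types reported: destructive wipes, SSH key theft, webshell drops and enumeration. The endpoint path and the `utilCmdArgs` body field reflect the documented iControl REST request shape as I understand it; the log record layout, the management allowlist and the sample records are constructed for illustration.

```python
import json
import re
from ipaddress import ip_address, ip_network

# Assumed, not from the article: the iControl REST bash utility endpoint path
# and a trusted management range; both are placeholders for a real deployment.
BASH_ENDPOINT = "/mgmt/tm/util/bash"
MGMT_ALLOWLIST = [ip_network("10.10.0.0/24")]  # constructed admin network

# Post-exploitation behaviours the article reports, as detection patterns.
# Order matters: the first matching label wins.
PATTERNS = [
    ("destructive_wipe", re.compile(r"rm\s+-rf\s+/\*?")),
    ("ssh_key_theft", re.compile(r"(id_rsa|\.ssh/|authorized_keys)")),
    ("webshell_drop", re.compile(r"(echo|cat)\s+.*>\s*/usr/local/www/|\.php\b")),
    ("enumeration", re.compile(r"\b(uname|id|whoami|cat /etc/passwd)\b")),
]

def classify_command(cmd):
    """Label a shell command string by the first matching behaviour pattern."""
    for label, rx in PATTERNS:
        if rx.search(cmd):
            return label
    return "unknown_command"

def triage(records):
    """Return one alert per POST to the bash endpoint, noting source trust."""
    alerts = []
    for rec in records:
        if rec["method"] != "POST" or rec["path"] != BASH_ENDPOINT:
            continue
        src = ip_address(rec["src"])
        trusted = any(src in net for net in MGMT_ALLOWLIST)
        try:  # body is JSON with the command in utilCmdArgs; fall back to raw text
            cmd = json.loads(rec["body"]).get("utilCmdArgs", "")
        except (ValueError, AttributeError):
            cmd = rec["body"]
        alerts.append({"src": rec["src"], "trusted_source": trusted,
                       "category": classify_command(cmd), "command": cmd})
    return alerts

# Constructed sample records mirroring the activity the article describes.
SAMPLE = [
    {"src": "203.0.113.7", "method": "POST", "path": BASH_ENDPOINT,
     "body": '{"command":"run","utilCmdArgs":"-c \'rm -rf /*\'"}'},
    {"src": "203.0.113.9", "method": "POST", "path": BASH_ENDPOINT,
     "body": '{"command":"run","utilCmdArgs":"-c \'cat /root/.ssh/id_rsa\'"}'},
    {"src": "10.10.0.5", "method": "POST", "path": BASH_ENDPOINT,
     "body": '{"command":"run","utilCmdArgs":"-c \'uname -a\'"}'},
    {"src": "203.0.113.9", "method": "GET", "path": "/mgmt/tm/sys/version", "body": ""},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Any hit from an untrusted source is worth an immediate look; even trusted-source hits deserve review, since the flaw lets an attacker reach the endpoint without credentials.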
Although the SANS Internet Storm Center saw two attacks on its honeypot, two other companies – Bad Packets and GreyNoise – told BleepingComputer they had observed no destructive attacks on their own honeypots.
Although the file-wiping attacks observed by SANS are rare, the fact that malicious actors are carrying them out should encourage administrators to keep their devices up-to-date.
F5 said they have been in contact with SANS and are investigating the issue.
“If customers have not already done so, we urge them to update to a fixed version of BIG-IP or implement one of the mitigations detailed in the security advisory,” the company said.
“We strongly advise customers never to expose their BIG-IP Management Interface (TMUI) to the public internet and ensure that appropriate controls are in place to limit access.”
On Tuesday, the US Cybersecurity and Infrastructure Security Agency (CISA) added the F5 BIG-IP flaw to its catalog of known exploited vulnerabilities.
The agency said, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise.”