FBI: Iranian hackers trying to exploit critical F5 BIG-IP flaw

The FBI warns of Iranian hackers actively attempting to exploit an unauthenticated remote code execution flaw affecting F5 Big-IP application delivery controller (ADC) devices used by Fortune 500 firms, government agencies, and banks.

F5 Networks (F5) released security updates to fix the critical 10/10 CVSSv3 rating F5 Big-IP ADC vulnerability tracked as CVE-2020-5902 on July 3, 2020.

The U.S. domestic intelligence and security service says in a Private Industry Notification (PIN) issued earlier this week that the Iran-sponsored hacking group has been trying to compromise vulnerable Big-IP ADC devices since early July 2020.

Successful attacks could lead to ransomware deployment

CISA also issued a warning confirming the active exploitation of CVE-2020-5902 last month, confirming successful attacks against two organizations.

“As early as July 6, 2020, CISA has seen broad scanning activity for the presence of this vulnerability across federal departments and agencies—this activity is currently occurring as of the publication of this Alert,” CISA added.

The FBI says that after compromising an organization’s network, the Iranian state-backed threat actors may collect and steal sensitive information that could get into the hands of other hackers or of the Government of Iran.

Other outcomes of successful attacks coordinated include the deployment of ransomware on compromised networks and credential theft that can be leveraged to gain access to other network devices.

Previous activity linked to the same hacking group

The FBI PIN was issued due to the agency’s analysis of the group’s previous activity which points at future aggressive campaigns to exploit the CVE-2020-5902 vulnerability before organizations will be able to patch vulnerable F5 Big-IP ADC devices.

According to the FBI, the same nation-state actors were behind multiple campaigns targeting vulnerable VPN devices since August 2019 in attacks designed to exploit vulnerable VPN appliances, including but not limited to Pulse Secure (CVE 2019-11510, CVE 2019-11539) [1, 2] and Citrix ADC/Gateway (CVE 2019-19781).

This group’s attacks are known to have been targeting US organizations from a wide range of industry sectors including local government, defense, finance, healthcare, information tech, and media.

The FBI is also warning private industry orgs that once their networks get compromised by this group patching the devices is not sufficient to deny the hackers access to previously hacked devices since they also use web shells to create persistent backdoors and stolen credentials to regain access.

While on compromised networks, the threat actors will make use of post-exploitation tools such as Mimikatz, NMAP, and others for internal network reconnaissance, as well as add new users to hacked systems.

The FBI PIN also provides indicators of compromise (IOCs) and Tactics, Techniques and Procedures (TTPs) to allow private industry orgs to identify signs of related malicious activity on their networks.

Detection and recovery measures

Since according to F5’s security advisory, any remaining unpatched devices are probably already compromised, IT admins are advised to use F5’s CVE-2020-5902 IoC Detection Tool to scan for IOCs within their org’s environment.

CISA recommends all orgs to go through these steps while hunting for CVE-2020-5902 exploitation signs:

• Quarantine or take offline potentially affected systems

• Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections

• Deploy a CISA-created Snort signature to detect malicious activity (available in the alert under Detection Methods)

If evidence of CVE-2020-5902 exploitation is found, orgs are urged to promptly respond with recovery measures targeting all impacted devices by:

• Reimaging compromised hosts

• Provisioning new account credentials

• Limiting access to the management interface to the fullest extent possible

• Implementing network segmentation


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s