Critical F5 BIG-IP vulnerability now targeted in ongoing attacks

On Thursday, cybersecurity firm NCC Group said that it detected successful in the wild exploitation of a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices.

The exploitation attempts have started earlier this week and have escalated during the last 24 hours, with mass scanning activity being detected by NCC Group and Bad Packets.

“Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure,” said NCC Group’s Rich Warren and Sander Laarhoven.

“This knowledge, combined with having reproduced the full exploit-chain we assess that a public exploit is likely to be available in the public domain soon.”

The security vulnerability these attackers attempt to exploit is an unauthenticated remote command execution (RCE) tracked as CVE-2021-22986, and it affects most F5 BIG-IP and BIG-IQ software versions.

Multiple security researchers have already shared proof-of-concept exploit code after reverse-engineering the BIG-IP patch.

Successful exploitation of this bug (with a severity rating of 9.8/10) could lead to full system compromise, including lateral movement to the internal network and interception of controller application traffic.

We are now seeing full chain exploitation of F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986 – IoCs in the updated blog – we will share more has we have - — NCC Group Research & Technology (@NCCGroupInfosec) March 19, 2021

Highly valuable targets

A similarly critical RCE vulnerability with a maximum 10/10 severity rating tracked as CVE-2020-5902 in F5 BIG-IP ADC appliances was also heavily exploited last year after being patched in July 2020.

Iranian-backed Pioneer Kitten hacking group started targeting enterprises with unpatched BIG-IP devices right after the flaw was disclosed.

Their attacks lined up with an August alert issued by the FBI and warning of Iranian state hackers attempting to exploit vulnerable Big-IP ADC devices starting with early July 2020.

CISA issued another advisory saying that China-backed hacking groups targeted government agencies by hunting down and trying to hack their vulnerable F5, Microsoft Exchange, Citrix, Pulse Secure devices and servers.

Organizations are advised to patch their F5 BIG-IP devices as soon as possible to defend against future attacks.

“We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible,” F5 said after releasing security updates to patch CVE-2021-22986 and three other critical security flaws affecting its products.

“To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version.”

F5 provides info on upgrading BIG-IP appliances with details on multiple upgrade scenarios in this BIG-IP upgrade guide.

NCC Group also provides indicators of compromise, detection logic, and Suricata network rules to help admins detect and block incoming attacks.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s