Hackers are yet again exploiting a server vulnerability with a severity of 9.8 out of 10


This time it is a vulnerability in BIG-IP, a line of server appliances sold by Seattle-based F5 Networks. Customers use BIG-IP servers to manage the traffic going in and out of some of the largest networks; their tasks include DDoS mitigation, load balancing, and web application security.

It was only last week that F5 disclosed and patched critical BIG-IP vulnerabilities that enable attackers to gain complete control of a server. Despite a severity rating of 9.8 out of 10, the flaws were overshadowed by a different set of critical vulnerabilities Microsoft had made public a week earlier when patching Exchange Server. Within days of Microsoft's emergency update, thousands of Exchange servers in the US had already been compromised.

A Day of Deep Reckoning:

Even as security researchers were occupied with the unfolding Exchange mass compromise, many professionals had already warned that it was only a matter of time before the F5 vulnerabilities also came under attack. Now that day has come.

Researchers at the security firm NCC Group said on Friday that they are witnessing full-chain exploitation of CVE-2021-22986, a vulnerability that lets remote attackers with no password or other credentials compromise vulnerable BIG-IP devices of their choice.

Rich Warren, Principal Security Consultant at NCC Group and co-author of the blog post, tweeted that after seeing various broken and failed exploit attempts, they were now seeing successful exploitation of the vulnerability as of that morning.


After seeing lots of broken exploits and failed attempts, we are now seeing successful in the wild exploitation of this vulnerability, as of this morning https://t.co/Sqf55OFkzI

— Rich Warren (@buffaloverflow) March 19, 2021

In its blog post, NCC Group published a screenshot of exploit code that successfully obtains an authenticated session token, a browser-cookie-like credential that lets administrators use the web-based programming interface that remotely controls BIG-IP hardware.

The security firm: NCC Group

The attackers are now hitting honeypots in several regions, which signals that there is no specific or singular target, Warren said in an email. Most likely these are 'spray and pray' attempts across the internet, in the hope of exploiting organizations before they get a chance to patch.

He added that the earlier attempts appeared to be incomplete exploits derived from the limited information publicly available.

Security firm Palo Alto Networks, meanwhile, said that CVE-2021-22986 was now being targeted by devices infected with a variant of the open-source Mirai malware. The firm's tweet said the variant was "attempting to exploit" the vulnerability, but it was not clear whether those attempts were successful.

“We are now observing the Mirai variant from https://t.co/ZDTVwtdYlq attempting to exploit CVE-2021-22986, an unauthenticated RCE in F5 BIG-IP & BIG-IQ products, and CVE-2020-28188.

IOCs for the new activity available at: https://t.co/bc0IySEAEk pic.twitter.com/ZsUqxq60XO

— Unit 42 (@Unit42_Intel) March 19, 2021”

Other researchers also reported Internet-wide scans intended to locate vulnerable BIG-IP servers.


Opportunistic mass scanning activity detected from the following hosts checking for F5 iControl REST endpoints vulnerable to remote command execution (CVE-2021-22986).

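As an added defender-side example (not code from the article, NCC Group, Palo Alto Networks or F5), the following Python triages constructed access-log lines for untrusted hits on the iControl REST management interface, separating failed probes from accepted requests. It assumes REST endpoints sit under /mgmt/ and that legitimate administration comes only from 10.0.0.0/8; the log format and the sample lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

MGMT_PREFIX = "/mgmt/"   # assumption: base path of the iControl REST interface
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: trusted admin range

# Constructed sample lines: source IP, method, path, HTTP status.
SAMPLE_LOG = """\
10.1.2.3 POST /mgmt/shared/authn/login 200
203.0.113.7 POST /mgmt/shared/authn/login 401
203.0.113.7 POST /mgmt/shared/authn/login 401
203.0.113.7 GET /mgmt/tm/sys/version 200
198.51.100.9 GET /mgmt/tm/sys/version 401
192.0.2.44 GET /tmui/login.jsp 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def is_trusted(src: str) -> bool:
    """True when the source address lies inside a trusted admin network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_NETS)


def triage(log_text: str) -> dict:
    """Per-source stats for untrusted requests to management paths.

    'failed' counts 4xx/5xx answers (scanning, broken exploit attempts);
    'succeeded' counts 2xx answers, i.e. an untrusted source whose request
    a management endpoint accepted, which needs immediate review.
    """
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        src, _method, path, status = m.groups()
        if not path.startswith(MGMT_PREFIX) or is_trusted(src):
            continue  # only untrusted traffic to the management API matters
        bucket = "succeeded" if status.startswith("2") else "failed"
        stats[src][bucket] += 1
        stats[src]["paths"].add(path)
    return dict(stats)


def critical_sources(stats: dict) -> list:
    """Sources that got at least one management request accepted."""
    return sorted(src for src, s in stats.items() if s["succeeded"] > 0)
```

Repeated 4xx answers from one source correspond to the failed attempts described above; a 2xx on a management path from an untrusted source is the signal that warrants checking the device for a compromised session.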
