Threat actors start attacking F5 devices using recent vulnerability
Multiple hacking groups have started attacking F5 networking devices after the publication of proof-of-concept exploit code online for a recent critical vulnerability the vendor patched last week.
Tracked as CVE-2021-22986, the vulnerability impacts F5 devices that include F5 iControl REST, a management API interface [PDF] included across multiple F5 products to allow system administrators to change device features and settings remotely.
The CVE-2021-22986 vulnerability is what security researchers call an unauthenticated remote command execution vulnerability, meaning an attacker could execute code on an F5 device where the iControl REST API was present without needing to authenticate.
This basically means that any F5 iControl REST interface exposed online can be abused, and, hence, the reason why the bug received a 9.8 out of a maximum of 10 on the CVSSv3 vulnerability severity scale.
Details about the vulnerability were posted on the F5 website on March 10, and proof-of-concept (PoC) code to exploit the bug was shared on Rapid7's AttackerKB vulnerability assessment portal on Monday, March 15.
Uploaded a few of my notes and PoCs from investigating CVE-2021-22986 (F5 iControl REST) this past week. https://t.co/TGCLCR8CzR— wvu (@wvuuuuuuuuuuuuu) March 15, 2021
The PoC, although incomplete, allowed threat actors to craft their custom attack code. Starting March 18, mass-scans have been recorded, with threat actors looking to locate F5 devices with an iControl REST interface exposed online, security firm Bad Packets reported.
Today, security firm NCC Group said it saw actual attacks, with threat actors deploying full exploit chains on F5 devices in order to exploit the CVE-2021-22986 vulnerability, if the device hadn't been patched.
Hold on to your hats Internet... https://t.co/tJPsevZQia— Ollie Whitehouse (@ollieatnowhere) March 19, 2021
F5 devices are very popular with attackers
The vulnerability is expected to receive a lot of attention from attackers in the coming months. F5 devices are some of today's most attractive targets to threat actors. They are very popular networking devices used as load balancers and access gateways to control the traffic in and out of large corporate networks, government agencies, data centers, and across ISP infrastructure.
When in the summer of 2020, a similar major bug (CVE-2020-5902) was disclosed in F5's BIG-IP load balancer, it came under attack within a day. A week later, it was being exploited by Iranian state-sponsored hackers, and a month later, by China's state hackers, before making its way into the arsenal of ransomware gangs.
Something similar is now expected for CVE-2021-22986, a bug just as bad and attacker-friendly as CVE-2020-5902.
There is also the issue that this bug was disclosed in the frenzy of the Microsoft Exchange ProxyLogon disclosure and subsequent attacks, which might have led to many companies deprioritizing F5 patching for dealing with the ProxyLogon fixes first.
With attacks already happening, system administrators are now urged to focus their efforts on patching CVE-2021-22986 as soon as possible.
Because the iControl REST API is included across a wide range of F5 products, it is currently unclear how many devices are vulnerable, but the number is at least 10,000, based on simple BinaryEdge and Shodan searches.
To help defenders, the NCC Group team has published today a blog post with detection rules and log artifacts device owners should look to detect attacks against their systems.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.