Following the recent discovery of a critical vulnerability affecting F5’s BIG-IP devices, researchers have found that some threat actors are already exploiting the flaw to try to wipe affected devices completely, lending further weight to their earlier warnings.
Security researchers from the SANS Internet Storm Center said their honeypots received two attacks from a single IP address, both trying to run the command “rm -rf /*” on the target device.
This command erases all files found on the system, including the configuration files necessary for the proper functioning of the device.
A third party also confirmed these findings: security researcher Kevin Beaumont took to Twitter to say, “I can confirm. Real world devices are being wiped tonight, many on Shodan have ceased to respond.”
While this is little comfort, the wiping attacks do not appear to be widespread. Most threat actors seem more interested in profiting from the vulnerability than in wreaking havoc.
Other cybersecurity companies, such as Bad Packets and GreyNoise, told the publication that most attacks reaching their honeypots are webshell drops, configuration exfiltration, or attempts to create administrator accounts on the target device.
The post also confirmed that F5 is aware of the attacks and has urged administrators not to expose BIG-IP management interfaces to the internet.
The flaw is identified as CVE-2022-1388 and carries a severity rating of 9.8/10. The affected devices are used by 48 of the Fortune 50 companies, with approximately 16,000 devices discoverable online. Because these devices handle web server traffic, they can often see the decrypted content of HTTPS-protected traffic, which raises the stakes further.
The flaw in question concerns how administrators confirm their identity when connecting to iControl REST, the programming interface used to manage BIG-IP devices. In other words, an attacker can impersonate an administrator, allowing them to run commands on the affected devices.
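As an added illustration (not code from the original article, from SANS, or from F5), the script below triages constructed iControl REST request records and sorts them into the attack categories described above: wipe attempts, configuration exfiltration, webshell drops and administrator account creation. It assumes that a reverse proxy or honeypot logs each request as one JSON record per line; the sample records are made up.

```python
import json
import re
from collections import Counter

# Constructed sample: one JSON record per request, as a honeypot or proxy in
# front of the management interface might log it. Not real traffic.
SAMPLE_LOG = """\
{"src": "198.51.100.7", "method": "POST", "path": "/mgmt/tm/util/bash", "body": {"command": "run", "utilCmdArgs": "-c 'rm -rf /*'"}}
{"src": "198.51.100.7", "method": "POST", "path": "/mgmt/tm/util/bash", "body": {"command": "run", "utilCmdArgs": "-c 'rm -rf /*'"}}
{"src": "203.0.113.9", "method": "POST", "path": "/mgmt/tm/auth/user", "body": {"name": "support", "role": "admin"}}
{"src": "203.0.113.9", "method": "POST", "path": "/mgmt/tm/util/bash", "body": {"command": "run", "utilCmdArgs": "-c 'cat /config/bigip.conf'"}}
{"src": "192.0.2.4", "method": "POST", "path": "/mgmt/tm/util/bash", "body": {"command": "run", "utilCmdArgs": "-c 'echo ... > /usr/local/www/x.php'"}}
{"src": "192.0.2.50", "method": "GET", "path": "/mgmt/tm/sys/version", "body": {}}
"""

# Ordered rules applied to the shell command carried in a bash-endpoint request.
RULES = [
    ("wipe attempt", re.compile(r"rm\s+-rf\s+/")),            # destructive delete from /
    ("config exfiltration", re.compile(r"/config/")),          # reading the config tree
    ("webshell drop", re.compile(r">\s*\S+\.(php|jsp|cgi)\b")),  # writing a script file
]


def classify(rec):
    """Return a category label for one request record, or None if unremarkable."""
    path, body = rec["path"], rec.get("body", {})
    if path.startswith("/mgmt/tm/auth/user") and rec["method"] == "POST":
        return "admin account creation"  # legitimate too; correlate with change tickets
    if path.startswith("/mgmt/tm/util/bash"):
        cmd = body.get("utilCmdArgs", "")
        for label, pattern in RULES:
            if pattern.search(cmd):
                return label
        return "shell command"  # any remote shell use via the API deserves review
    return None


def scan(log_text):
    """Return (hits, counts): flagged (src, category) pairs and a per-category tally."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            label = classify(rec)
            if label:
                hits.append((rec["src"], label))
    return hits, Counter(label for _, label in hits)


if __name__ == "__main__":
    flagged, tally = scan(SAMPLE_LOG)
    for src, label in flagged:
        print(f"{src:15} {label}")
    print(dict(tally))
```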
Fixes, as well as workarounds, are already available.