Following the recent discovery of a super-high-severity vulnerability plaguing F5’s BIG-IP endpoints, experts have now discovered some threat actors are already abusing the flaws to try and completely wipe affected devices, adding further credence to their warnings.
Security researchers from SANS Internet Storm Center said that their honeypots received two attacks from a single IP address, both trying to execute the “rm -rf /*” command on the target endpoint.
This command erases all of the files found on the system, including configuration files needed for the device to function properly.
These findings were also confirmed by a third party, as security researcher Kevin Beaumont took to Twitter to say: “Can confirm. Real world devices are being erased this evening, lots on Shodan have stopped responding.”
Even though this probably won’t be much of a comfort, the attacks don’t seem to be that widespread. Instead, the majority of threat actors are more interested in the benefit they can extract from this vulnerability, rather than wreaking havoc.
Other cybersecurity firms, such as Bad Packets or GreyNoise, told the publication that most attacks coming into their honeypots are webshell drops, config exfiltration, or attempts to create admin accounts on the target endpoint.
F5 knows about the attacks, the publication confirmed, and admins are urged not to expose BIG-IP management interfaces to the Internet.
The flaw is tracked as CVE-2022-1388 and carries a severity rating of 9.8/10. The affected devices are used by 48 members of the Fortune 50 group of companies, with around 16,000 endpoints able to be discovered online. As these devices are used to manage web server traffic, they can often see decrypted contents of HTTPS-protected traffic, adding an extra level of threat.
The flaw in question revolves around the way admins confirm their identities when logging into iControl REST, a programming interface used to manage BIG-IP gear. In other words, an unauthenticated attacker can impersonate an admin, allowing them to run commands on affected endpoints.
Patches, as well as workarounds, are already available.