BIG-IP, a multi-purpose networking device manufactured by F5, is one of the most commonly used devices among sensitive networks and corporations around the world. On July 1st, F5 released patches for their BIG-IP devices that helped protect users against a remote code execution vulnerability found for the device. Three days after the initial release, attacks from various threat actors were identified, and the US Cyber Command issued a warning to not delay patching over the weekend. By exploiting the vulnerability, which is tracked as CVE-2020-5902, threat actors would be able to gain full control over unpatched BIG-IP systems that are accessible to the Internet. This would allow the attacker to steal any information on the network–including administrator passwords. The vulnerability received maximum severity rating of a 10 on the CVSS severity scale, which means it is easy to exploit, automate, and can be used over the Internet without any credentials or advanced coding skills. Exploit code is widely available on the Internet and has been added to the Metasploit Framework, making it easy for anyone to discover and exploit unpatched systems.
Analyst Notes
On their website, F5 states that its BIG-IP devices are used by 48 of the Fortune 50 companies. This statement alone gave attackers an initial target list they could use to start exploiting companies that had not patched their systems when the patch came out. With some of the most sensitive networks in the world relying on these devices, attackers have plenty of potential targets to go after. Binary Defense analysts worked over the weekend to identify vulnerable systems exposed on the Internet and coordinated efforts with other security researchers to send notifications warning the affected companies, critical infrastructure operators, and government agencies of the situation, regardless of whether they were Binary Defense clients or not. Patching systems promptly is extremely important for security professionals to protect their networks. The longer that device owners wait to update or block access to the F5 management user interface, the longer they are susceptible to attacks, and with a vulnerability such as severe as this one, threat actors will quickly exploit the companies that do not patch their systems to carry out attacks.
More can be read here: https://www.zdnet.com/article/hackers-are-trying-to-steal-admin-passwords-from-f5-big-ip-devices/
