Iran (Fox Kitten/Parisite): A Private Industry Notification (PIN) released by the FBI last week and shared publicly by ZDNet reporters warned that an Iranian threat actor is exploiting CVE-2020-5902 to target F5 Networks BIG-IP devices. CVE-2020-5902 was disclosed in early July and allows unauthenticated remote code execution. The exploit is simple, and proof-of-concept code is widely available. The FBI warned that the campaign's targeting is broad and that any organization running BIG-IP devices is likely to be targeted. The PIN lists two steps to take to defend against attacks on BIG-IP devices. First and foremost, organizations should ensure that their devices are patched with the latest security updates. Second, the FBI provided the following description of the actors' post-exploitation activity to help detect an intrusion via the BIG-IP vulnerability:
“Following successful compromise of the VPN server, the actors obtain legitimate credentials and establish persistence on the server through webshells. The actors conduct internal reconnaissance post-exploitation using tools such as NMAP and Angry IP scanner. The actors deploy Mimikatz to capture credentials while on the network, and Juicy Potato for privilege escalation. The actors create new users while on the network; the FBI observed one account known to be created by the actors is “Sqladmin$”.
The actors use several applications for command and control (C2) while exploiting victim networks, including Chisel (C2 tunnel), ngrok, Plink, and SSHNET (reverse SSH shell). When tracking suspected C2 activity, the FBI advises that C2 activity with ngrok may be with external infrastructure associated with ngrok.”
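The PIN's description of post-compromise activity translates naturally into host-level detection logic: watch for creation of the named account and for execution of the tools listed, and raise severity when a tool runs under an account that was created shortly before on the same host. The script below is an added example written for this page, not code from the FBI or from F5. The log format is constructed (key=value records modelled loosely on Windows Security event IDs 4720, account created, and 4688, process creation) and the hostnames and timestamps are made up; only the account name and tool names come from the PIN. Matching tools by executable filename is an assumption, since operators frequently rename binaries, so treat it as one signal to correlate with others rather than a complete detection.

```python
"""Toy detection pass over constructed log records for the tradecraft the
FBI PIN describes: a newly created account, credential dumping, and
tunnelling/C2 tools. Example code for this page; not FBI or F5 code."""
import re
from dataclasses import dataclass

# Tool names taken from the PIN, lowercased. Mapping Angry IP Scanner to the
# filename fragment "ipscan" and JuicyPotato to "juicypotato" is an assumption
# about common binary names; renamed binaries will not match.
PIN_TOOLS = ("mimikatz", "juicypotato", "chisel", "ngrok", "plink",
             "sshnet", "nmap", "ipscan")
# Account name the FBI observed being created by the actors.
PIN_ACCOUNT = "sqladmin$"

# Constructed sample records (not a real event format).
SAMPLE_LOG = """\
2020-08-20T10:01:02Z host=SRV01 event=4720 subject=svc_backup target=Sqladmin$
2020-08-20T10:02:10Z host=SRV01 event=4688 user=Sqladmin$ image=C:\\Windows\\Temp\\mimikatz.exe
2020-08-20T10:03:44Z host=SRV01 event=4688 user=Sqladmin$ image=C:\\Users\\Public\\ngrok.exe
2020-08-20T10:05:00Z host=SRV02 event=4688 user=jsmith image=C:\\Windows\\System32\\notepad.exe
2020-08-20T10:06:30Z host=SRV02 event=4720 subject=Administrator target=helpdesk02
"""

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    severity: str   # info | high | critical
    host: str
    reason: str


def parse_line(line: str) -> dict:
    """Split a record into a timestamp plus key=value fields."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    rec.update(KV.findall(rest))
    return rec


def image_basename(path: str) -> str:
    """Lowercased filename of an executable path (Windows or POSIX)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(log_text: str) -> list:
    """Return alerts for PIN-listed account creation and tool execution.

    A tool run by an account that was created earlier on the same host is
    escalated to 'critical', since that is the sequence the PIN describes."""
    alerts = []
    created = {}  # (host, account_lower) -> creation timestamp
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        host = rec.get("host", "?")
        event = rec.get("event")
        if event == "4720":
            target = rec.get("target", "")
            created[(host, target.lower())] = rec["ts"]
            sev = "high" if target.lower() == PIN_ACCOUNT else "info"
            alerts.append(Alert(sev, host, f"account created: {target}"))
        elif event == "4688":
            name = image_basename(rec.get("image", ""))
            tool = next((t for t in PIN_TOOLS if t in name), None)
            if tool is None:
                continue
            user = rec.get("user", "")
            sev = "critical" if (host, user.lower()) in created else "high"
            alerts.append(Alert(sev, host, f"{tool} executed by {user}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity.upper():8}] {a.host}: {a.reason}")
```

Run against the constructed records, the account creation of Sqladmin$ on SRV01 is flagged high, the two tool executions under that account are escalated to critical, and the ordinary helpdesk account creation on SRV02 is recorded as informational. In a real deployment the account-creation state would need a time window and persistence across log batches, and the tool list should be complemented by behavioural indicators (outbound tunnels, LSASS access) that do not depend on filenames.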