Iran (Fox Kitten/Parisite): A Private Industry Notification (PIN) released by the FBI last week and shared publicly by ZDNet reporters warned that an Iranian threat actor was utilizing CVE-2020-5902 to target F5 Networks BIG-IP devices. CVE-2020-5902 was disclosed in early July and allows for remote code execution with no user authentication. The exploit is simple, and proof-of-concept code is widely available. The FBI warned that the focus of this campaign is broad and that any organization utilizing BIG-IP devices is likely to be targeted. In their PIN, the FBI listed two specific steps that should be taken to defend against attacks on BIG-IP devices. First and foremost, organizations should ensure that their devices are patched with the latest security updates. Secondly, the FBI provided the guidelines below for detecting an intrusion via the BIG-IP vulnerability:
“Following successful compromise of the VPN server, the actors obtain legitimate credentials and establish persistence on the server through webshells. The actors conduct internal reconnaissance post-exploitation using tools such as NMAP and Angry IP scanner. The actors deploy Mimikatz to capture credentials while on the network, and Juicy Potato for privilege escalation. The actors create new users while on the network; the FBI observed one account known to be created by the actors is “Sqladmin$“.
The actors use several applications for command and control (C2) while exploiting victim networks, including Chisel (C2 tunnel), ngrok, Plink, and SSHNET (reverse SSH shell). When tracking suspected C2 activity, the FBI advises that C2 activity with ngrok may be with external infrastructure associated with ngrok.”
Analyst Notes
Binary Defense analysts collaborated with security researchers from many companies to identify vulnerable F5 BIG-IP devices over the 4th of July weekend and notified representatives at many large enterprises, critical utilities, universities, and even a US federal government agency about devices that were publicly exposed. Many of the vulnerable devices could not be identified with the company that operated them based on the IP address alone. Most of the devices were patched within a day or two, but some remained vulnerable for much longer. While the FBI did not specifically name the threat actor as Fox Kitten/Parisite, they did outline previous attacks carried out by the threat actor behind this current campaign. The previous activity mentioned by the FBI in the PIN included attacks against Pulse Secure VPN and Citrix gateways. It was also mentioned that once the group establishes a foothold on networks, they are likely to provide this access to other Iranian groups. Fox Kitten/Parisite is commonly referred to as the “tip of the spear” for Iran’s cyber-attacks as they will routinely carry out the initial intrusion on a network prior to handing off access to other Iranian groups. This alert comes on the heels of two different confirmed intrusions on US companies. Within two days of the Proof-Of-Concept (POC) of CVE-2020-5902 being released, attackers were seen exploiting the vulnerability. This is not an uncommon occurrence following a POC for attackers to be seen leveraging a vulnerability which is why it is vitally important to install patches as soon as possible following their release. More information on this incident can be found at: https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/
