Mirai botnet is targeting RCE vulnerability in F5 BIG-IP software

The bug could enable an attacker to create or delete files, intercept information and otherwise compromise the system

The Mirai botnet is now trying to exploit a critical RCE bug in F5 BIG-IP software that researchers identified last month.

That's according to the researchers from cyber security firm Trend Micro, who said they have uncovered an IoT Mirai botnet downloader that can be added to new malware variants. The tool scans for exposed BIG-IP boxes and delivers a malicious payload to vulnerable systems affected by CVE-2020-5902.

CVE-2020-5902 is a remote code execution (RCE) flaw existing in the Traffic Management User Interface (TMUI) of BIG-IP devices. To exploit the vulnerability, an attacker needs to send a specially crafted HTTP request to the server hosting the TMUI utility for BIG-IP configuration.

Mikhail Klyuchnikov, a researcher at Positive Technologies, discovered the bug, and FT Networks patched it on the 30th June.

According to researchers, successfully exploiting the flaw could enable an attacker "to create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network."

Because many big enterprises and government networks use F5 devices, the researchers warned that it is vital to quickly patch CVE-2020-5902.

In an alert published last month, the US Cybersecurity and Infrastructure Security Agency (CISA) said it had responded to two cyber incidents that exploited CVE-2020-5902 to target US government and private-sector organisations.

Trend Micro researchers said they had analysed CVE-2020-5902 in detail and found a possible way to exploit the bug, involving an HTTP GET request containing a semicolon character in the URL.

"In a Linux command line, a semicolon signals to the interpreter that a command line has finished, and it is a character the vulnerability needs to be triggered," the researchers said in an online post.

The Trend Micro team also examined the x86 sample of the Mirai botnet and noticed that it attempts to exploit vulnerable BIG-IP boxes, as "it sends a GET request to the victim port 443/TCP (HTTPS).

"Given the severity of the flaw, a simple GET request with a 'command' parameter to tmshCmd.jsp would be enough to remotely execute a command in an infected device if the ID path is correctly prepended to it," they continued.

Researchers have also seen the botnet trying to exploit several other recently disclosed vulnerabilities, such as CVE-2020-1956, CVE-2020-10173, CVE-2020-7209 and CVE-2020-10987, in randomly generated targets.

To mitigate potential risks associated with CVE-2020-5902, the researchers advise system admins to constantly monitor manufacturers' releases to ensure their IoT devices' firmware runs on the latest versions.

Admins should also consider employing network segmentation to restrict the spread of infections. A multi-layered protection system must also be installed, which is able to block and prevent threats such as brute-force attacks that attempt to abuse security flaws for entry.