Threat actors exploit F5 BIG-IP vulnerability to wipe devices

Although patched, threat actors are able to exploit the flaw on vulnerable devices


Threat actors are using the recently patched F5 BIG-IP vulnerability to wipe devices' file systems and render them unusable.

Security researchers from SANS Internet Storm Center told BleepingComputer that their honeypots received two attempts at an attack from a single IP address, both trying to run the "rm -rf /*" command on the targeted BIG-IP device.

Because the bug (CVE-2022-1388) grants attackers root privileges in the Linux OS powering BIG-IP devices, the "rm -rf /*" command erases all of the files found on the system, including configuration files required for the device to work properly.

Security researcher Kevin Beaumont confirmed on Twitter that hackers were erasing devices using the bug.

F5 Networks patched the remote code execution (RCE) flaw that affects the firm's BIG-IP family of networking devices/modules last week, although not all customers have installed the update yet.

'This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,' the company said.

Found within the iControl REST authentication component of BIG-IP devices, the flaw has a CVSS base score of 9.8.

The vulnerability is easy to exploit: it only takes two commands and certain headers sent to the 'bash' endpoint of an unpatched device exposed to the internet.

Fixing the flaw is particularly critical because BIG-IP equipment includes network gateways and firewalls that serve as the primary point of security for remote network connections.

Hundreds of BIG-IP systems are exposed on the internet, meaning that an attacker might easily use the appliance to move laterally within a corporate network.

After F5 patched the bug, researchers began publicly sharing exploits on GitHub and Twitter, with threat actors quickly using them in attacks across the Internet.

Apart from the two wiping attempts, the attacks detected by SANS researchers were non-destructive and were used to steal SSH keys, drop webshells for initial network access, and enumerate system information.
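Because every attack described above, destructive or not, goes through the iControl REST 'bash' endpoint, a defender can flag calls to it in the device's HTTP access log. The following detector is an added example, not code from the article, SANS or F5; it assumes NCSA combined-format log lines, the iControl REST path /mgmt/tm/util/bash as the 'bash' endpoint, and a hypothetical management-network allowlist.

```python
"""Flag iControl REST bash-utility calls in BIG-IP httpd access-log lines."""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Assumption: the iControl REST utility path the article calls the 'bash' endpoint.
BASH_ENDPOINT = "/mgmt/tm/util/bash"

# Assumption (hypothetical): only these networks may reach the management plane.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# NCSA combined format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_allowed(ip: str) -> bool:
    """True when the client address is inside the management allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_ALLOWLIST)


def classify(line: str) -> Optional[str]:
    """Return a finding label for a log line, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parsable access-log line
    path = m.group("path").split("?")[0].rstrip("/")
    if path != BASH_ENDPOINT or m.group("method").upper() != "POST":
        return None  # only POSTs to the bash utility run commands
    origin = "mgmt" if is_allowed(m.group("ip")) else "untrusted"
    return f"bash-utility-call-from-{origin}-status-{m.group('status')}"


def findings(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Pair each flagged line's client IP with its finding label."""
    out = []
    for line in lines:
        label = classify(line)
        if label:
            out.append((line.split(" ", 1)[0], label))
    return out


# Constructed sample lines (not real log data): one external hit on the bash
# utility, one benign version query, one call from the management network.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/May/2022:12:00:01 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/May/2022:12:00:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 0',
    '10.1.2.3 - - [09/May/2022:12:05:00 +0000] "POST /mgmt/tm/util/bash/ HTTP/1.1" 200 220',
]

if __name__ == "__main__":
    for ip, label in findings(SAMPLE_LOG):
        print(ip, label)
```

A successful POST from outside the management network is the line to escalate; the same call from the allowlist is normal administrative use and is reported only for audit.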

Although SANS Internet Storm Center saw two attacks on its honeypot, two other companies - Bad Packets and GreyNoise - told BleepingComputer they hadn't observed any destructive attacks on their own honeypots.

While the file-wiping attacks observed by SANS are uncommon, the fact that threat actors are conducting them at all should encourage admins to keep their devices updated.

F5 said it has been in contact with SANS and is investigating the issue.

'If customers have not already done so, we urge them to update to a fixed version of BIG-IP or implement one of the mitigations detailed in the security advisory,' the company said.

'We strongly advise customers never to expose their BIG-IP management interface (TMUI) to the public internet and to ensure the appropriate controls are in place to limit access.'

On Tuesday, the US Cybersecurity and Infrastructure Security Agency (CISA) added the F5 BIG-IP flaw to its Known Exploited Vulnerabilities Catalog.

The agency said, 'These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.'