Attempts to hack networks via F5 BIG-IP vulnerability rise after exploit code is published

Cybersecurity specialists report that cybercriminals are exploiting a critical flaw in F5 Networks devices to take control of vulnerable systems. Tracked as CVE-2021-22986, the flaw is described as an arbitrary command execution error in F5 BIG-IP and BIG-IQ network infrastructure; although it was recently patched, many deployments are still running without the fix.

The flaw received a score of 9.8/10 on the Common Vulnerability Scoring System (CVSS) scale and was corrected in early March, which allowed several members of the cybersecurity community to publish proof-of-concept (PoC) code developed by reverse engineering the security patch issued by the company.

After a large-scale scan, researchers confirmed several cases of active exploitation, including against honeypots run by security firms such as NCC Group.

In this regard, the US Cybersecurity and Infrastructure Security Agency (CISA) urges organizations using BIG-IP and BIG-IQ to install the patches for this flaw and for CVE-2021-22987, a remote code execution flaw affecting the traffic management user interface.

Installing these security patches is urgent, as F5 provides enterprise networking infrastructure to many of the world’s leading technology companies, including Facebook, Oracle, and Microsoft. “BIG-IP is a very attractive target for cybercriminals because it can handle highly sensitive data,” cybersecurity specialist Craig Young says. “Threat actors who can take control of these devices could also take control of web applications linked to these services.”

As for the cybercriminal groups exploiting this flaw, neither the affected company nor the researchers close to these reports have named any specific threat actors. Nor is it known whether a state actor is behind these exploit campaigns.

For several months, the cybersecurity community has been warning F5 Networks customers about security risks related to their BIG-IP deployments. One of these flaws would have allowed cybercriminals to extract administrator credentials and launch malware attacks, among other risk scenarios; it received a CVSS score of 10/10.

CISA also issued an alert in September 2020 regarding a Chinese hacking group that was exploiting multiple flaws in public and private organizations through F5 BIG-IP servers, so ceasing to operate vulnerable software versions has become a priority for researchers and cybersecurity experts.