Threat actors are exploiting a critical vulnerability in F5 products to completely destroy firewalls and network devices

Cybercriminal groups have been exploiting a critical vulnerability in F5 BIG-IP solutions to erase file systems on affected devices, rendering servers completely useless. Tracked as CVE-2022-1388, successful exploitation of the flaw would allow remote threat actors to execute commands on BIG-IP network devices with root user privileges, making it a critical security risk.

The company released the necessary fixes in mid-April, and just a few days later various groups of researchers published proof-of-concept (PoC) exploits, which made it easier for malicious hackers to start exploiting the vulnerability in real-world scenarios.

Researchers at the SANS Internet Storm Center have identified at least two attacks targeting BIG-IP devices that are far more devastating than the other exploitation attempts seen so far. Using their honeypots, the researchers traced these attacks to the IP address 177.54.127.111 and found that they execute the command ‘rm -rf /*’ on the affected devices in an attempt to delete every file in the Linux file system.
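Detection logic for the behaviour described above, written for this article rather than taken from SANS ISC or F5: it scans a constructed, simplified command log (timestamp, client IP, submitted command; not a real BIG-IP log format) and flags both the reported source address and any rm invocation that recursively and forcibly targets the root of the file system, in whatever spelling (rm -rf /*, /bin/rm -fr /, rm --recursive --force /).

```python
import re
import shlex
from typing import List, Tuple

# Constructed sample lines (not a real BIG-IP log format): timestamp,
# client IP, and the shell command the client asked the device to run.
SAMPLE_LOG = """\
2022-05-10T14:02:11Z 203.0.113.5 tmsh list ltm virtual
2022-05-10T14:03:27Z 177.54.127.111 rm -rf /*
2022-05-10T14:03:40Z 177.54.127.111 /bin/rm -fr /
2022-05-10T14:05:02Z 198.51.100.7 rm -rf /var/tmp/build
2022-05-10T14:06:15Z 203.0.113.5 rm -r /
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$", re.M)
ROOT_RE = re.compile(r"/+\*?")  # "/" or "/*": the whole file system
KNOWN_BAD_IPS = {"177.54.127.111"}  # source address reported by SANS ISC

def is_filesystem_wipe(cmd: str) -> bool:
    """True if cmd is rm with recursive and force flags aimed at /."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: not a parseable shell command
        return False
    if not argv or argv[0].rsplit("/", 1)[-1] != "rm":  # also catches /bin/rm
        return False
    recursive = force = False
    paths = []
    for arg in argv[1:]:
        if arg.startswith("--"):  # long options such as --recursive, --force
            recursive |= arg == "--recursive"
            force |= arg == "--force"
        elif arg.startswith("-") and len(arg) > 1:  # bundled short flags: -rf, -fr
            recursive |= "r" in arg or "R" in arg
            force |= "f" in arg
        else:
            paths.append(arg)
    return recursive and force and any(ROOT_RE.fullmatch(p) for p in paths)

def scan(log: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (timestamp, ip, command, reasons) for every suspicious line."""
    findings = []
    for ts, ip, cmd in LINE_RE.findall(log):
        reasons = []
        if is_filesystem_wipe(cmd):
            reasons.append("recursive forced rm against the root file system")
        if ip in KNOWN_BAD_IPS:
            reasons.append("source IP reported by SANS ISC")
        if reasons:
            findings.append((ts, ip, cmd, reasons))
    return findings
```

Run against the sample, only the two lines from 177.54.127.111 are reported, each with both reasons; the rm against /var/tmp/build and the non-forced rm -r / are left alone.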

Because the exploit grants root privileges, running this command could remove almost all the contents of the file system, including the configuration files the BIG-IP device needs to function. Just a few hours ago, security specialist Kevin Beaumont confirmed that threat actors were deploying these attacks.

The good news is that the attacks do not appear to be widespread and are limited to the few cases detected so far. Other security firms, such as Bad Packets and GreyNoise, report that they have not detected attack attempts in their honeypots.

F5 is now aware of the report and posted a message about it: “We have been in contact with SANS and are investigating the issue. If customers have not already done so, we urge them to upgrade to a fixed version of BIG-IP or implement one of the recommended mitigations.”
