Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

BIG-IP Vulnerability Exploited to Deliver DDoS Malware

Hackers continue to exploit the recently patched BIG-IP security flaw and they have plenty of potential targets as researchers have identified thousands of vulnerable systems.

Hackers continue to exploit the recently patched BIG-IP security flaw and they have plenty of potential targets as researchers have identified thousands of vulnerable systems.

The vulnerability affecting F5 Networks’ BIG-IP application delivery controller (ADC) is tracked as CVE-2020-5902 and it was disclosed last week by the vendor and Positive Technologies, the cybersecurity company whose researchers identified the issue. F5 has released patches and organizations have been advised to apply them immediately.

The security hole has been described as a critical remote code execution vulnerability that can be exploited to take complete control of a system. The issue is related to the Traffic Management User Interface (TMUI) configuration utility. An attacker who has access to this utility can exploit the weakness to create or delete files, disable services, intercept data, and run arbitrary code or commands.

While there are roughly 8,000 BIG-IP servers exposed to the internet, threat intelligence company Bad Packets has determined that roughly 3,000 of them are vulnerable to attacks exploiting CVE-2020-5902. A majority are in the United States (1,200), followed by China (500), Taiwan (140), and several other Asian countries.

According to Bad Packets, there are 635 unique network providers hosting vulnerable BIG-IP endpoints, including government organizations, educational institutions, healthcare providers, financial institutions, and Fortune 500 companies.

Proof-of-concept (PoC) exploits and technical information were made public for CVE-2020-5902 shortly after its disclosure and the first exploitation attempts were observed soon after. The vulnerability is easy to exploit and experts have pointed out that the entire exploit fits in a tweet.

Hackers have been scanning for vulnerable systems, and some of the exploits attempted to obtain passwords from vulnerable devices. Bad Packets reported on Monday that it has also seen a piece of DDoS malware being delivered via CVE-2020-5902 from an IP address known to have been involved in malicious activities.

Chris Krebs, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told organizations to assume that their systems have been compromised if the patch was not immediately installed.

Advertisement. Scroll to continue reading.

Unpatched BIG-IP systems should be assumed compromised

Related: “Ticketbleed” Flaw Exposes F5 Appliances to Remote Attacks

Related: Flaw in F5 Products Allows Recovery of Encrypted Data

Related: Hidden Injection Flaws Found in BIG-IP Load Balancers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.