3rd Party Risk Management , Breach Notification , Cybercrime

Attackers Exploiting F5 Networks' BIG-IP Vulnerability

Flaw in Network Traffic Security Management Platform Ranked as Highly Critical
Attackers Exploiting F5 Networks' BIG-IP Vulnerability

Attackers are exploiting a critical remote code vulnerability in F5 Networks' BIG-IP platform, tracked as CVE-2021-22986, for which the company released patches on March 10.

See Also: Gartner Market Guide for DFIR Retainer Services

The vulnerability, which has a CVSS ranking of 9.8 out of 10 - highly critical - is a remote command execution flaw in BIG-IP, a network traffic security management appliance.

By exploiting the flaw, unauthenticated attackers can gain access to BIG-IP’s management interface and self IP addresses and execute arbitrary system commands, create or delete files, and disable services, F5 Networks says.

On Thursday, security firm NCC Group said attackers were chaining multiple BIG-IP vulnerabilities with CVE-2021-22986. NCC added that an exploit for the vulnerability is likely to be available in the public domain soon.

In another alert on Friday, security firm Palo Alto Networks said a Mirai botnet variant is chaining the BIG-IP with another flaw as part of an attack, although the company did not clarify if the Mirai attacks were successful.

NCC Alert

The NCC Group report notes the attacks exploiting the flaw unfold in two stages. In the first stage, the attackers leveraged the BIG-IP flaw to gain an authenticated session token; this was then used to interact with the application API endpoint.

Using the token, the attackers extract browser cookies that allow the threat actors to access a web-based interface, which then enables them to remotely control the application.

The second step of the attack occurs when the victim’s device calls the attacker-controlled API. The report further notes the attackers have been using this method to access honeypots set-up by the researchers.

"Starting this week and especially in the last 24 hours [March 18], we have observed multiple exploitation attempts against our honeypot infrastructure," the NCC report notes. "Fortunately, the attackers got the details of the exploit wrong and attempted a chain of events that could not possibly work."

Other Vulnerabilities

Researchers and government agencies have warned of several other significant vulnerabilities found in various popular products this month.

For example, Microsoft issued emergency software patches for four zero-day vulnerabilities in its Exchange email server (see: Microsoft Patches Four Zero-Day Flaws in Exchange).

Following the Microsoft alert, the U.S. Cybersecurity and Infrastructure Agency warned that scanning activity for the vulnerabilities had picked up in recent days. It stressed that federal agencies and private firms should apply patches or disconnect internet-facing systems until the bugs are fixed.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.