Hackers are scanning the web for exposed and unpatched networking devices that fall under F5 Networks’ BIG-IP family of hardware and software products to gain access to vulnerable corporate networks.
A fortnight ago, F5 warned users about seven remote code execution vulnerabilities in its BIG-IP products, including four that were rated ‘critical’. Although fixes were released, researchers with NCC Group have now found evidence that cyber criminals have deployed a full chain exploitation against one of these flaws, tracked as CVE-2021-22986.
The remote code execution flaw, rated 9.8 on the CVSS threat severity scale, lies in the iControl REST interface for the BIG-IP family, and also affects the firm’s BIG-IQ products. Attackers are exploiting the vulnerability to execute arbitrary commands, create and delete files as well as disable services without authentication.
This was the second most severe bug that F5 patched after the 9.9-rated CVE-2021-22987, which manifested in the traffic management user interface (TMUI) when running BIG-IP in Appliance Mode.
RELATED RESOURCE
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisation
“We strongly recommend that all customers update their BIG-IP and BIG-IQ deployments to a fixed version as soon as possible - this is the only way to fully address the vulnerabilities,” said F5 Networks’ SVP and GM for the Application Delivery Controller (ADC) business unit, Kara Spraque.
“If you cannot update your systems immediately, we advise you to apply any additional mitigation recommendations detailed in the security advisories while developing a plan to complete the updates.”
This is the 16th actively-exploited vulnerability identified in 2021, joining an expanding list that includes three vulnerabilities in Google Chrome, as well as four Microsoft Exchange Server flaws that devastated a string of businesses.
The discovery of this full chain exploitation follows several proofs-of-concept for exploitation methods against the F5 Networks vulnerability.
Over the last few days, NCC Group has detected a rise in scanning activity, and multiple exploitation attempts against honeypot infrastructure that researchers had set up to monitor malicious activity. This knowledge has led them to believe that a public exploit is likely to be in the public domain very shortly.
Researchers with Unit 42, meanwhile, have seen evidence that a variant of the Mirai botnet has attempted to exploit CVE-2021-22986, as well as CVE-2020-28188, a remote code execution flaw in the TerraMaster operating system for storage appliances. This latter was discovered last year.
-
Get ready for the rise of 'vibe crime'News Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
The hidden cost of MFT vulnerabilitiesIndustry Insights The channel can solve the fundamental fragility in how organizations handle their most sensitive data transfers
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
