March 23, 2021
Twelve days ago, F5 announced several security vulnerabilities that were largely overshadowed by the Exchange/Hafnium situation.
It's important to understand that some of these are critical, remote command execution vulnerabilities that require nothing more than the ability to connect to an F5 BIG-IP device.
Those devices are typically positioned "in front of" web server clusters, so they are often exposed to the Internet on purpose.
There are already indicators that various attackers are scanning for these devices and exploiting them once found. Other security researchers have seen attacks that resulted in the theft of authenticated session tokens, which would let an attacker impersonate administrators and control or reconfigure the devices. Some existing malware has already been repurposed to act on these vulnerabilities.
Here are the vulnerabilities as listed by F5: https://support.f5.com/csp/article/K02566623
The NCC Group, a team of security researchers, has published this information on the active exploitation they are seeing.
Palo Alto's Unit42 has also published details on the attacks along with Indicators of Compromise (IOCs) they've assembled.
Patches are available for these vulnerabilities and should be applied immediately. Recognize that you may already have mitigating controls in place, such as limiting access to the iControl REST APIs or the UI of the systems to trusted management networks only, or blocking that access entirely if you are not using the functionality.
Castra is actively searching your managed SIEM platform for these indicators, and we have added the known IOCs to this OTX Pulse.
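As an added example (this is not Castra's tooling, nor anything from F5), the following Python script applies the mitigation described above as a detection check for the SIEM search mentioned here: it reads access-log lines in combined log format and flags every request to the BIG-IP management plane (iControl REST under `/mgmt/`, the configuration utility under `/tmui/`) whose source address is outside a list of trusted management networks. The networks and the log lines are constructed for the example; the log format assumption is that your SIEM receives web-style access lines with client IP, timestamp, request line and status.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed trusted management networks. These are placeholders for this
# example; replace them with the networks that are actually allowed to
# reach the BIG-IP management plane. Leave the list empty if iControl
# REST and the UI are supposed to be blocked entirely, so that any hit fires.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# iControl REST is served under /mgmt/ and the configuration utility (TMUI)
# under /tmui/ on a BIG-IP; a request to either from outside the trusted
# networks is worth an alert regardless of the response status.
MGMT_PATH = re.compile(r"^/(mgmt|tmui)(?:/|$)")

# Combined-log-format access line: client ip, timestamp, request line, status.
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not match."""
    m = ACCESS_LINE.match(line)
    return m.groupdict() if m else None


def is_trusted_source(src: str) -> bool:
    """True if src is a valid IP inside one of the trusted management networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or malformed fields are never trusted
    return any(ip in net for net in TRUSTED_MGMT_NETS)


def find_untrusted_mgmt_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return every management-plane request that came from outside the trusted networks."""
    hits = []
    for line in lines:
        fields = parse_access_line(line)
        if fields is None:
            continue  # unparseable line; a production job would count these
        if MGMT_PATH.match(fields["path"]) and not is_trusted_source(fields["src"]):
            hits.append(fields)
    return hits


# Constructed sample lines (not real traffic): two legitimate administrator
# calls from the management network, one Internet source probing the iControl
# REST login endpoint, one reaching the UI login page, and an ordinary
# application request that must not fire.
SAMPLE_LOGS = [
    '10.20.0.15 - - [12/Mar/2021:09:01:10 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512',
    '192.168.100.7 - - [12/Mar/2021:09:02:44 +0000] "GET /mgmt/tm/ltm/virtual HTTP/1.1" 200 4118',
    '203.0.113.55 - - [12/Mar/2021:09:03:01 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 77',
    '198.51.100.9 - - [12/Mar/2021:09:03:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 2048',
    '203.0.113.55 - - [12/Mar/2021:09:03:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in find_untrusted_mgmt_access(SAMPLE_LOGS):
        print(f"ALERT {hit['ts']} {hit['src']} {hit['method']} {hit['path']} -> {hit['status']}")
```

The check deliberately alerts on failed (401) requests as well as successful ones: a scanner that is probing the management plane from the Internet is exactly the early indicator described above, and the request that later succeeds will look the same apart from its status. Feed the same logic the access logs your F5 devices forward to the SIEM, and treat any hit from outside your management networks as a device that needs its exposure reviewed and its patch status confirmed.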
We encourage all of our clients with F5 BIG-IP devices to reach out to us as soon as possible so that we can better assist you with this situation. If you have any questions, please do not hesitate to contact us.