The FBI warned organisations last week that an Iranian hacking group has been targeting vulnerable networking devices for a month.
They are again advising organisations to bolster their defences, this time against a group of hackers supposedly working for the Iranian government, that have been targeting networking equipment.
Says reports, an FBI notification was sent to organisations in the US private sector last week, warning that hackers were actively attempting to exploit a vulnerability revealed earlier this summer, affecting F5 BIG-IP application delivery controller (ADC) devices used by firms.
The networking services facilitate rate shaping, SSL offloading, & can act as a web application firewall. Initially ADCs were designed to tackle load balancing; now they can mitigate security threats & streamline how data moves through a data centre & the cloud.
These devices are popular; on its website, F5 says 48 of the US Fortune 50 companies rely on its services.
The vulnerability the FBI is warning about was made public at the beginning of July, shortly after the company patched a critical remote code-execution flaw in the services, CVE-2020-5902, at the end of June.
Attacks targeting the vulnerability have been increasing since early July.
The bug,1st found & reported to the company by Mikhail Klyuchnikov, a Security Researcher at Positive Technologies, exists in BIG-IP’s management interface, TMUI.
Reports claim the Iranian group is known by codenames ‘Fox Kitten’ & ‘Parisite’.
The FBI claims the group is also behind attacks that have targeted VPN devices & appliances like Pulse Secure (CVE 2019-11510, CVE 2019-11539) & Citrix ADC/Gateway (CVE 2019-19781). Vulnerabilities in those networking devices date back to 2019 & are some of the most exploited vulnerabilities the US government has seen so far in 2020.
The FBI is one of the last govt. groups to proactively push patching the vulnerability.
US Cyber Command
The US Cyber Command insisted admins patch CVE-2020-5902 & the less critical vulnerability CVE-2020-5903 on the spot, on July 3, after F5 pushed out its CVE-2020-5903 patch.
The US Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) issued a warning in late July explaining that groups were exploiting CVE-2020-5902 & confirming that 2 organisations were attacked.
“Unpatched F5 BIG-IP devices are an attractive target for malicious players. Affected organisations that have not applied the patch to fix this critical remote code execution (RCE) vulnerability risk an attacker exploiting CVE-2020-5902 to take control of their system,” CISA warned, adding “Note: F5’s security advisory for CVE-2020-5902 states that there is a high probability that any remaining unpatched devices are likely already compromised.”
Arbitrary System Commands
In its advisory, F5 has warned that hackers could execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code & that the vulnerability could result in complete system compromise.