CISA shares guidance to block ongoing F5 BIG-IP attacks

In a joint advisory issued today, CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned admins of active attacks targeting a critical F5 BIG-IP network security vulnerability (CVE-2022-1388).

"CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks," the advisory reads.

"CISA encourages users and administrators to review the joint advisory for detection methods and mitigations, which include updating F5 BIG-IP software, or, if unable to immediately update, applying temporary workarounds," the cybersecurity agency added.

Admins are urged to remove F5 BIG-IP management interfaces from the internet and enforce multi-factor authentication as soon as possible to block access to vulnerable devices.

Organizations are also advised to immediately upgrade F5 BIG-IP software to the latest versions that are now patched against CVE-2022-1388 exploits.

Those who cannot patch their systems today should implement the following temporary workarounds that will remove the attack vector:

• Block iControl REST access through the self IP address.
• Block iControl REST access through the management interface.
• Modify the BIG-IP httpd configuration.

The advisory also comes with Snort and Suricate signatures to detect compromised systems and detailed incident response recommendations in the event of a breach.

Organizations that did not apply patches immediately and those with F5 BIG-IP device management interface exposed online are encouraged to assume compromise and start hunting for malicious activity using the detection signatures included in today's joint advisory.

Critical bug allowing device takeover

The flaw (tracked as CVE-2022-1388) was found in the BIG-IP iControl REST authentication component, and it enables remote attackers to execute commands on unpatched BIG-IP network devices 'root' without authentication.

Attackers started exploiting this bug days after security researchers shared exploits online, on Twitter and GitHub.

Although most of these threat actors only dropped web shells on compromised devices initially, the SANS Internet Storm Center and security researcher Kevin Beaumont spotted attacks where the malicious actors wiped vulnerable BIG-IP devices' Linux file systems.

"We have been in contact with SANS and are investigating the issue. If customers have not already done so, we urge them to update to a fixed version of BIG-IP or implement one of the mitigations detailed in the security advisory," F5 said when BleepingComputer reached out for more info on these destructive attacks.

"We strongly advise customers never to expose their BIG-IP management interface (TMUI) to the public internet and to ensure the appropriate controls are in place to limit access."

Today's advisory follows the inclusion of the CVE-2022-1388 F5 BIG-IP bug on CISA's list of actively exploited bugs a week ago.

The cybersecurity agency has given all Federal Civilian Executive Branch Agencies (FCEB) agencies until May 31st to patch the actively exploited vulnerability and block ongoing and, potentially, destructive exploitation attempts.