Hackers exploit critical F5 BIG-IP flaw to launch backdoors


Threat actors have begun mass-exploiting the critical vulnerability tracked as CVE-2022-1388, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads.

Last week, F5 released patches for the security issue (CVSS severity rating 9.8), which affects the BIG-IP iControl REST authentication component.

The company warned that the vulnerability allows an unauthenticated attacker with network access to the BIG-IP system to execute “arbitrary system commands, create or delete files, or disable services.”

Thousands of BIG-IP systems are currently exposed on the Internet, so attackers can exploit the flaw remotely to gain an initial foothold in a corporate network.

Yesterday, several security researchers announced that they had created working exploits and urged administrators to install the latest updates immediately.

Today the floodgates have opened: exploit code is publicly available, and an attack requires only a couple of commands and a few HTTP headers sent to the unpatched iControl REST ‘bash’ endpoint when it is exposed to the Internet.

At the moment, Twitter is full of exploit code for CVE-2022-1388 and of reports that it is being exploited in the wild to drop webshells for persistent backdoor access.

Actively exploited to drop payloads

Cronup security researcher Germán Fernández observed threat actors dropping PHP webshells to “/tmp/f5.sh” and installing them in “/usr/local/www/xui/common/css/”.

After installation, the payload is executed and then removed from the system:
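The two observable traces described above, the hit on the exposed ‘bash’ endpoint and the PHP webshell dropped into the XUI css directory, are straightforward to hunt for. The following is an added detection example written for this article; it is not code from the article, from F5 or from the researchers quoted. It assumes the ‘bash’ endpoint lives at the iControl REST path `/mgmt/tm/util/bash`, that the on-disk directory `/usr/local/www/xui/common/css/` is served under the URL prefix `/xui/common/css/`, and that the device's HTTP access log is in the common Apache combined format. The log lines are constructed for the example.

```python
"""Hunt for CVE-2022-1388 post-exploitation traces in BIG-IP access logs and on disk.

Added example: not code from the article or from F5. Assumptions are marked below.
"""
import os
import re
from typing import Dict, Iterable, List, Optional

# Assumed iControl REST path of the 'bash' utility endpoint abused by the exploit.
BASH_ENDPOINT = "/mgmt/tm/util/bash"

# Directory where the reported PHP webshells were installed (from the article) ...
WEBSHELL_FS_DIR = "/usr/local/www/xui/common/css/"
# ... and the URL prefix it is assumed to be served under (assumption).
WEBSHELL_URL_PREFIX = "/xui/common/css/"

# Apache combined-format access log; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [09/May/2022:10:01:02 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 512 "-" "python-requests/2.27.1"
198.51.100.7 - - [09/May/2022:10:03:44 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 0 "-" "curl/7.81.0"
203.0.113.5 - - [09/May/2022:10:04:10 +0000] "POST /mgmt/tm/util/bash?x=1 HTTP/1.1" 200 87 "-" "Go-http-client/1.1"
192.0.2.9 - - [09/May/2022:10:05:00 +0000] "GET /xui/common/css/f5.php?cmd=id HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.4 - - [09/May/2022:10:06:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_iocs(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return log records that match either exploitation indicator.

    - any POST to the 'bash' endpoint (a 2xx here means the command ran;
      a 401 is a blocked or already-patched attempt and is still worth seeing)
    - any request for a .php file under the static css directory, where
      no PHP should ever be served
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = str(rec["path"]).split("?", 1)[0]  # ignore query string
        if rec["method"] == "POST" and path == BASH_ENDPOINT:
            rec["reason"] = "post_to_bash_endpoint"
        elif path.startswith(WEBSHELL_URL_PREFIX) and path.lower().endswith(".php"):
            rec["reason"] = "php_under_static_css_dir"
        else:
            continue
        rec["succeeded"] = 200 <= int(rec["status"]) < 300
        hits.append(rec)
    return hits


def suspicious_css_files(paths: Iterable[str]) -> List[str]:
    """Filter a list of file paths down to PHP files inside the webshell directory."""
    return [
        p for p in paths
        if p.startswith(WEBSHELL_FS_DIR) and p.lower().endswith(".php")
    ]


def scan_directory(root: str = WEBSHELL_FS_DIR) -> List[str]:
    """Walk the css directory on a live device and report any PHP files in it."""
    found: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return suspicious_css_files(found)


if __name__ == "__main__":
    for hit in find_iocs(SAMPLE_LOG.splitlines()):
        flag = "EXECUTED" if hit["succeeded"] else "blocked"
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["reason"]} ({flag})')
    # On a real BIG-IP, also run scan_directory() to check the css directory itself.
```

Run `find_iocs` over `/var/log/httpd/httpd_access_log` (or wherever the device's access log lives) and treat any successful POST to the bash endpoint from an address that is not an authorised management host as a confirmed compromise, not merely a scan. Because the dropper was reported to delete itself after installing the shell, the on-disk check in `scan_directory` should look for the PHP file in the css directory rather than for `/tmp/f5.sh`.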

Kevin Beaumont has also seen exploitation attempts in attacks that did not target the management interface. The grades