CyberWire Daily - CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388. [CISA Cybersecurity Alerts]

Episode Date: May 19, 2022

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory in response to active exploitation of CVE-2022-1388. This vulnerability is a critical iControl REST authentication bypass vulnerability affecting multiple versions of F5 Networks BIG-IP.

AA22-138A Alert, Technical Details, and Mitigations
F5 Security Advisory K23605346 and indicators of compromise
F5 guidance K11438344 for remediating a compromise
Emerging Threats suricata signatures
Palo Alto Networks Unit 42 Threat Brief: CVE-2022-1388. This brief includes indicators of compromise.
Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical F5 BIG-IP Vulnerability. This blog includes indicators of compromise.
Note: due to the urgency to share this information, CISA and MS-ISAC have not yet validated this content.
Randori’s bash script. This script can be used to identify vulnerable instances of BIG-IP. Note: MS-ISAC has verified this bash script identifies vulnerable instances of BIG-IP.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Original release date, May 18, 2022. CISA and the Multi-State Information Sharing and Analysis Center, also called MS-ISAC, are releasing this joint cybersecurity advisory in response to active exploitation of CVE-2022-1388. This vulnerability is a critical iControl REST authentication bypass vulnerability affecting multiple versions of F5 Networks BIG-IP. This recently disclosed vulnerability enables an unauthenticated actor to gain control of affected systems through the management port or self-IP addresses. An unauthenticated actor with network access to the BIG-IP system could exploit the vulnerability to execute arbitrary system commands, create or delete files, or disable services. F5 released a patch for the CVE on May 4, 2022. Proof-of-concept exploits have since been publicly released, enabling less sophisticated actors to exploit the vulnerability. Unpatched F5 BIG-IP devices are an attractive target. Organizations that have not applied the patch are vulnerable to cyber actors taking control of their systems. There is active exploitation of this vulnerability in the wild,
Starting point is 00:01:33 and CISA expects to see widespread exploitation of unpatched F5 BIG-IP devices in both government and private sector networks. CISA strongly urges users and administrators to use the recommendations in this advisory, including upgrading their software to fixed versions, to help secure their organization's systems against malicious cyber operations. CISA strongly encourages administrators to deploy the signatures included in this advisory to help determine whether their systems have been compromised. CISA and MS-ISAC especially encourage organizations who did not patch immediately or whose F5 BIG-IP device management interface has been exposed to the internet to assume compromise and hunt for malicious activity using the detection signatures in this advisory.
Starting point is 00:02:15 If potential compromise is detected, organizations should apply the incident response recommendations included in this advisory. Links to these resources, including indicators of compromise, threat signatures, mitigation actions, and remediation procedures, are listed in the show notes. All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or 888-282-0870, and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at 855-292-3937 or CyWatch@fbi.gov. This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency,
Starting point is 00:02:58 and edited and adapted for audio by the CyberWire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes. This has been a CISA Cybersecurity Alert.
