Patch/Configuration Management, Vulnerability Management

After F5 publishes proofs of concept, potential hackers get to work

After proofs of concept for vulnerabilities in F5's BIG-IP and BIG-IQ products were published March 18, several researchers have logged upticks in hacking attempts and mass vulnerability scans.

A set of four critical F5 BIG-IP and BIG-IQ vulnerabilities came to light March 10, with the company and CISA both immediately advising customers patch. These are a different set of vulnerabilities than ones that surfaced last summer.

Three proofs of concept for a remote code execution vulnerability CVE-2021-22986 were published March 17. The next day, Bad Packets started to notice mass scanning for vulnerability.

"The scanning activity increased in magnitude and started using a viable payload to check which servers are vulnerable," wrote Troy Mursch, Bad Packets chief research officer, via email.

Until then, there were fewer scans, either with no payload or using one that NCC Group deemed non-functional. Rich Warren, principal security consultant at NCC Group, wrote in an email that the early attempts at exploitation were based on limited information in the public domain that was not enough to launch an attack.

NCC Group has also noticed an uptick in activity after the publication of working proofs of concept.

"The activity appears opportunistic and non-targeted in nature. The attackers are hitting multiple honeypots in different regions, suggesting that there is no specific targeting. It is more likely that they are 'spraying' attempts across the internet, in the hope that they can exploit the vulnerability before organizations have a chance to patch it," Warren wrote.

Warren said NCC Group has seen attempts from multiple IP addresses with "all attempts [containing] some specific hallmarks which are consistent with the other attempts, suggesting it's likely the same underlying exploit." Mursch said Bad Packets had additionally found some use of the Tor network to disguise would-be hackers' tracks.

A representative from F5 said the firm was aware of the recent activity.

"As with all critical vulnerabilities, we advise customers update their systems as soon as possible,” he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.