On Sunday, July 5, 2020, our honeypots detected opportunistic mass scanning activity originating from multiple hosts targeting F5 BIG-IP servers vulnerable to CVE-2020-5902. This critical vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the targeted server.
Our latest CVE-2020-5902 scans have identified 3,012 vulnerable F5 hosts worldwide.
Bad Packets vulnerability scan results are freely available for authorized government CERT, CSIRT, and ISAC teams.
Submit request here: https://t.co/0eV9Go1Fsw https://t.co/Sh4lAHpQVn
— Bad Packets (@bad_packets) July 7, 2020
How many hosts are vulnerable to CVE-2020-5902?
Using data provided by BinaryEdge, we scanned 8,204 F5 BIG-IP servers to determine which were vulnerable. Our scans found a total of 3,012 unique IPv4 hosts worldwide vulnerable to CVE-2020-5902.
No sensitive information was disclosed or recorded during our scans, as we only sent an HTTP HEAD request to confirm the vulnerability.
Where are the vulnerable servers located?
Hosts vulnerable to CVE-2020-5902 were found in 66 countries around the world.
This interactive map shows the total number of vulnerable hosts found per country. Overall, the largest number of vulnerable F5 servers was located in the United States.
What type of organizations are affected by CVE-2020-5902?
635 unique autonomous systems (network providers) were found to have vulnerable F5 endpoints on their networks. We’ve discovered this vulnerability currently affects:
- Government agencies
- Public universities and schools
- Hospitals and healthcare providers
- Major financial and banking institutions
- Fortune 500 companies
How is CVE-2020-5902 exploited and what is the risk?
The Traffic Management User Interface (TMUI), also known as the Configuration utility, which is used to manage F5 servers, has a remote code execution (RCE) vulnerability. This vulnerability allows unauthenticated attackers with network access to the vulnerable F5 server to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.
Further exploitation of this vulnerability can allow threat actors to gain a foothold inside the targeted networks and conduct malicious activity, such as spreading ransomware. Proof-of-concept (PoC) code demonstrating the exploit has been published publicly to GitHub, Twitter, and other platforms.
What are the suggested mitigation/remediation steps?
F5 has provided a list of products impacted by CVE-2020-5902 and how to obtain the corresponding updates. It’s recommended to upgrade to a fixed software version to fully mitigate this vulnerability.
Given the level of ongoing scanning activity targeting vulnerable F5 servers, system administrators need to update ASAP and review affected servers for signs of compromise.
Indicators of compromise (IOCs)
Bad Packets® CTI feed of hosts conducting CVE-2020-5902 related scans, exploit activity, and indicators of compromise is available for our Research and Enterprise CTI customers.
Query our API for “tags=CVE-2020-5902” to browse the latest activity observed by our honeypots.
Opportunistic mass scanning and exploit activity continues to target F5 BIG-IP servers vulnerable to CVE-2020-5902.
Query our API for "tags=CVE-2020-5902" for a full list of unique payloads and relevant indicators. #threatintel pic.twitter.com/Gem098SOa2
— Bad Packets (@bad_packets) July 7, 2020
An example DDoS malware payload targeting vulnerable F5 servers is illustrated below.
Active DDoS malware payload detected:
http://panel.devilsden[.]net/iot.sh
http://185.172.111.233:999/sisi/*
(https://t.co/qmOnNTxywH)
Exploit attempt source IP: 2.57.122.96
Target: F5 BIG-IP TMUI RCE vulnerability CVE-2020-5902 (https://t.co/y5Uor8B0qi) #threatintel pic.twitter.com/oprQHizid7
— Bad Packets (@bad_packets) July 6, 2020
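An added example (not Bad Packets' code) showing how a defender might sweep BIG-IP management access logs for the indicators quoted in the tweet above: it refangs the published IOCs, URL-decodes each request line so encoded payload URLs still match, and reports every line that hits. It assumes Common Log Format lines; the sample log and its query parameter are constructed.

```python
import re
from urllib.parse import unquote

# Indicators quoted in the post above, kept defanged as published there.
PAYLOAD_HOSTS = ["panel.devilsden[.]net", "185.172.111.233"]
SCANNER_IPS = ["2.57.122.96"]

def refang(indicator):
    """Turn a defanged indicator such as 'example[.]net' into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Assumed access-log layout (Common Log Format): client IP, ident, user,
# timestamp, request line, status, size. Adjust LOG_RE for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line, scanner_ips=SCANNER_IPS, payload_hosts=PAYLOAD_HOSTS):
    """Return the reasons a log line is suspicious; an empty list means no IOC matched."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    ip = m.group("ip")
    req = unquote(m.group("req"))  # decode %xx so an encoded payload URL still matches
    reasons = []
    if ip in scanner_ips:
        reasons.append(f"source {ip} is a known CVE-2020-5902 exploit source")
    if any(refang(h) in req for h in payload_hosts):
        reasons.append("request references a known DDoS malware payload host")
    # Only flag TMUI access when another indicator already fired: administrators
    # use /tmui/ legitimately all day, so on its own it is not a signal.
    if reasons and "/tmui/" in req:
        reasons.append("request touched the TMUI (Configuration utility)")
    return reasons

def scan_log(lines):
    """Return [(line, reasons)] for every line that matched at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits

# Constructed sample log; the 'u=' parameter is a placeholder, not a real exploit request.
SAMPLE_LOG = [
    '10.0.0.5 - admin [06/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1234',
    '2.57.122.96 - - [06/Jul/2020:10:03:44 +0000] "GET /tmui/ HTTP/1.1" 200 87',
    '203.0.113.7 - - [06/Jul/2020:10:04:10 +0000] "GET /tmui/?u=http%3A%2F%2Fpanel.devilsden.net%2Fiot.sh HTTP/1.1" 200 87',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines and leaves the ordinary administrator login alone.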
How to obtain our CVE-2020-5902 report
Our CVE-2020-5902 report is freely available for authorized government CERT, CSIRT, ISAC, and law enforcement teams to review. FIRST Team membership is preferred, but not required. Due to the sensitive nature of this vulnerability, the affected F5 servers detected by Bad Packets® CTI scans will not be shared publicly.
Commercial access to our CVE-2020-5902 report is also available; please fill out this form to request a copy.
We’ve shared our findings directly with US-CERT, MS-ISAC, and other U.S. federal law enforcement agencies for further investigation and remediation. Additionally, we notified these organizations: A-ISAC, CCCS, CERT-BDF, CERT.be, CERT.br, CERT-IL, CERT-In, CERT La Poste, CERT-PH, CERT NZ, CITC, DefCERT, E-ISAC, GovCERT.HK, H-ISAC, HKCERT, ID-SIRTII/CC, JPCERT/CC, KN-CERT, KrCERT/CC, MyCERT, NCIS (FLTCYBERCOM), NCIIPC, REN-ISAC, SingCERT, ThaiCERT, TT-CSIRT, TWCERT/CC, TWCSIRT, TWNCERT, and Z-CERT.
Bad Packets would like to thank the Cybersecurity and Infrastructure Security Agency (CISA) and Israel National Cyber Directorate (INCD) for providing assistance in notifying impacted organizations.
@CISAgov echoes this message. Thanks to @bad_packets for keeping an eye out and improving our ability to identify and notify! https://t.co/dpwBbl9k4l
— Chris Krebs (@CISAKrebs) July 9, 2020
About Bad Packets® CTI
Bad Packets provides critical vulnerability data to CERT teams and ISAC organizations worldwide. We monitor emerging cyber threats targeting enterprise networks, internet of things (IoT) devices, and cloud computing environments.
Bad Packets® CTI is continuously updated with the latest indicators as new threats are detected. A curated feed of exploit activity, malware payloads, and command-and-control (C2) servers used by threat actors is available via our RESTful API endpoint.
Follow us on Twitter for the latest updates.