Executive Summary
On Wednesday, 10 March, F5 released security updates for its BIG-IP & BIG-IQ product lines that addressed several vulnerabilities, including one unauthenticated remote code execution (RCE) vulnerability tracked as CVE-2021-22986.
Following this disclosure, several security researchers reverse-engineered the F5 patch to develop and publish proof-of-concept (PoC) exploit code, which is now being leveraged by threat actors in the wild to launch attacks on F5 servers.
At this time, Arctic Wolf is aware of at least one widespread Mirai Botnet campaign exploiting CVE-2021-22986 to infect vulnerable F5 BIG-IP servers with the Mirai malware and connect them to its botnet. Arctic Wolf is now monitoring to detect attacks exploiting CVE-2021-22986, as well as the Mirai malware which is used by threat actors known to exploit this vulnerability. We continually update detections around known IOCs and TTPs associated with this threat.
As seen most recently with the Microsoft Exchange ProxyLogon vulnerabilities, when PoC exploit code is made publicly available, multiple threat groups move rapidly to craft malicious exploits to use in a variety of attacks. Arctic Wolf assesses with high confidence that attacks exploiting CVE-2021-22986 will continue to increase and be adopted by other threat groups in their campaigns.
Impact
CVE-2021-22986 impacts F5 devices that include F5 iControl REST, a management API interface used in multiple F5 products to allow system administrators to change device features and settings remotely. By exploiting this vulnerability, a remote, unauthenticated attacker can execute malicious code on vulnerable F5 BIG-IP or BIG-IQ appliances with root privileges.
The attack scenario with the greatest risk is where a vulnerable F5 appliance is exposed to the public internet. This is especially dangerous because there is no user interaction required to launch and successfully execute an exploit.
Recommendations
Customers running vulnerable versions of F5 products listed above with the F5 iControl REST interface exposed externally should apply security updates to their appliances as soon as possible. To apply one of the patched versions below to an F5 appliance, follow the instructions in this F5 KB on using its software downloads page.
