Article Details
Scrape Timestamp (UTC): 2023-11-01 14:56:26.571
Original Article Text
Hackers exploit recent F5 BIG-IP flaws in stealthy attacks.

F5 is warning BIG-IP admins that devices are being breached by "skilled" hackers exploiting two recently disclosed vulnerabilities to erase signs of their access and achieve stealthy code execution.

F5 BIG-IP is a suite of products and services offering load balancing, security, and performance management for networked applications. The platform has been widely adopted by large enterprises and government organizations, making any flaw in the product a significant concern.

Last week, F5 urged admins to apply the available security updates for two newly discovered vulnerabilities:

On October 30, the vendor updated the bulletins for CVE-2023-46747 and CVE-2023-46748 to warn of active exploitation in the wild.

"This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators," reads the update on the bulletin. "It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work."

"It is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised."

CISA (Cybersecurity & Infrastructure Security Agency) has added the two vulnerabilities to its KEV (Known Exploited Vulnerabilities) catalog, giving federal government agencies until November 21, 2023 to apply the available updates.

Impacted and fixed versions are given below:

F5 has also published a script that mitigates the RCE flaw (CVE-2023-46747); the usage instructions can be found here.

F5 has observed threat actors using the two flaws in combination: the unauthenticated request-smuggling bug CVE-2023-46747 serves as the entry point, and the authenticated SQL injection CVE-2023-46748 is exploited after it. Applying even just the mitigation for CVE-2023-46747 therefore breaks that chain and should stop most of the attacks observed so far, although it is not a substitute for installing the fixed version.

For guidance on how to look for indicators of compromise (IoCs) on BIG-IP and how to recover compromised systems, check out this webpage.
IoCs specific to CVE-2023-46748 are entries in the /var/log/tomcat/catalina.out file of the following form (the "{...}" placeholders stand for surrounding log lines that are not part of the indicator):

    {...}
    java.sql.SQLException: Column not found: 0.
    {...}
    sh: no job control in this shell
    sh-4.2$ <EXECUTED SHELL COMMAND>
    sh-4.2$ exit

The SQLException on its own is not proof of exploitation; the combination with the "no job control in this shell" message and the interactive-style sh-4.2$ prompt lines that follow is what indicates that the injection was used to spawn a shell. Given that attackers can erase their tracks using these flaws, any BIG-IP device whose Configuration utility was reachable while the device was still unpatched should be treated as compromised, whether or not these log entries are found. Out of an abundance of caution, admins of exposed BIG-IP devices should proceed straight to the clean-up and restoration phase.
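The following is an added example, not code from the article or from F5, showing how to turn the catalina.out indicator above into a repeatable check. It scans the log for the "Column not found: 0." exception, looks for the "no job control in this shell" message within a short window after it (the 10-line window is an assumption, not something F5 specifies), and then collects every sh-4.2$ command up to the closing "exit". The embedded log is constructed for the example; the shell commands and INFO lines in it are made up, and only the marker strings follow the form F5 describes.

```python
import re
import sys

# Constructed sample of /var/log/tomcat/catalina.out content (not a real capture).
# The second SQLException has no shell block after it, to show that the
# exception alone is not reported as a hit.
SAMPLE_CATALINA_OUT = """\
INFO: Server startup in 4213 ms
java.sql.SQLException: Column not found: 0.
\tat org.hsqldb.jdbc.JDBCResultSet.findColumn(Unknown Source)
sh: no job control in this shell
sh-4.2$ id
sh-4.2$ cat /config/bigip.conf
sh-4.2$ exit
INFO: Reloading context
java.sql.SQLException: Column not found: 0.
\tat org.hsqldb.jdbc.JDBCResultSet.findColumn(Unknown Source)
INFO: ordinary query failure, no shell follows
"""

SQL_MARKER = "java.sql.SQLException: Column not found: 0."
SHELL_MARKER = "sh: no job control in this shell"
# The prompt seen in the IoC is sh-4.2$; the pattern tolerates other bash versions.
PROMPT_RE = re.compile(r"^sh-\d+\.\d+\$ (.*)$")
WINDOW = 10  # assumption: max lines between the SQLException and the shell marker


def find_cve_2023_46748_iocs(lines):
    """Return one dict per suspected exploitation block:
    {"line": 1-based line of the SQLException, "commands": [executed commands]}."""
    hits = []
    i, n = 0, len(lines)
    while i < n:
        if SQL_MARKER in lines[i]:
            # Look ahead a few lines for the shell marker that follows the injection.
            shell_at = None
            for j in range(i + 1, min(n, i + WINDOW + 1)):
                if SHELL_MARKER in lines[j]:
                    shell_at = j
                    break
            if shell_at is not None:
                commands = []
                k = shell_at + 1
                # Collect prompt lines until the attacker's "exit" or a non-prompt line.
                while k < n:
                    m = PROMPT_RE.match(lines[k].rstrip("\r\n"))
                    if not m:
                        break
                    cmd = m.group(1).strip()
                    k += 1
                    if cmd == "exit":
                        break
                    commands.append(cmd)
                hits.append({"line": i + 1, "commands": commands})
                i = k
                continue
        i += 1
    return hits


def scan_file(path="/var/log/tomcat/catalina.out"):
    """Scan a catalina.out file on disk (rotated copies must be scanned separately)."""
    with open(path, "r", errors="replace") as fh:
        return find_cve_2023_46748_iocs(fh.read().splitlines())


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_file(path) if path else find_cve_2023_46748_iocs(SAMPLE_CATALINA_OUT.splitlines())
    for hit in hits:
        print(f"line {hit['line']}: shell spawned via SQL injection; commands: {hit['commands']}")
    if not hits:
        # Per F5: absence of indicators does not prove the device is clean.
        print("no CVE-2023-46748 indicators found (this does not prove the device was not compromised)")
```

Run it with the path to a copy of catalina.out taken from the device; without an argument it scans the embedded sample and reports the block starting at line 2 with the commands id and cat /config/bigip.conf. A non-empty result is a strong signal, but an empty one must not be read as a clean bill of health, since the same access lets an attacker truncate or edit this log.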
Daily Brief Summary
Hackers are exploiting two recent vulnerabilities in F5 BIG-IP products to stealthily gain access and erase signs of intrusion.
F5 BIG-IP is a suite of services used for load balancing, security, and managing the performance of networked applications. It is used widely by government organizations and large enterprises.
The vulnerabilities, known as CVE-2023-46747 and CVE-2023-46748, have prompted F5 to urge admins to apply necessary security updates due to active exploitation.
These vulnerabilities allow skilled attackers to erase traces of their activity, so it is not possible to prove that a device has not been compromised; F5 advises treating any device in doubt as compromised.
The Cybersecurity & Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, recommending that federal agencies apply the updates by November 21, 2023.
F5 has also released a mitigation script for the RCE flaw (CVE-2023-46747), which breaks the exploit chain observed in the wild. Admins of BIG-IP devices that were exposed while unpatched should treat them as compromised and move directly to the clean-up and restoration phase.