Malware targeting latest F5 vulnerability
Chris Hall and Jared Stroud - Cloud Security Researchers, Lacework
May 12, 2022
On May 9th, 2022 a remote code execution vulnerability in F5’s Big IP suite of appliances under CVE-2022-1388. Per the CVE, appliance versions prior to 22.214.171.124, 15.1.x, 14.1.x, 126.96.36.199, 13.1.x, 13.1.5, and all versions within the 12.1.x and 11.6.x are affected. Notably, versions that have reached the end of technical support are not evaluated, and may also be vulnerable to this CVE. Since the announcement of this vulnerability numerous Github repositories have been created showing proof-of-concept attacks which require nothing more than a POST request with an HTTP body of commands to execute on a victim host. Researchers industry-wide have reported opportunistic adversaries adopting this vulnerability to spread Cryptojacking (T1496), and DDoS bots (Mirai). Lacework Labs is also beginning to see payloads associated with this vulnerability within their honeypots. At this time, Shodan reports 23,494 publicly facing BIG IP machines on the internet at the time of this writing.
Hunting for Malware
Lacework Labs has identified from their honeypot data CVE-2022-1388 being exploited. Post-execution activity ranges from simply executing “id”, to downloading and executing a second-stage payload. From this data, Lacework Labs developed YARA rules to hunt for the unique URI targeted in the F5 vulnerability and associated ELF files. This resulted in numerous hits for Miria variants for various architectures demonstrating how quickly malware authors can adopt PoCs to distribute their malware. When analyzing the executable capabilities for exploiting other vulnerabilities aside from CVE-2022-1388 were discovered to include Log4J, ColdFusion, and various home router exploits. An example of this can be seen in the Ghidra pseudocode below highlighting a payload to take advantage of CVE-2022-1388.
Further examining the binary, a section of code with numerous XOR encoded strings were identified. Given that the Mirai source code was leaked years ago, cross-referencing the available source code gives further insight into changes an individual threat actor may have made for their Mirai variant. The code snippet below shows the entries discovered within the sample we analyzed on the left, and on the right shows the publicly available source code.
The “add_entry” function contains a decoding routine that leverages a single key of “0x22”. This allows us to easily decode said strings as shown in Figure 3. These strings are then used as credentials for brute force activity.
When executing, a crontab (T1053.003) entry is set to execute the binary every five minutes. Finally, during execution prctl is leveraged to rename the executing binary to a random set of characters before continuing brute force efforts.
Along with exploitation in the wild using Mirai, Lacework Labs also observed activity originating from Project Discovery. Project Discovery maintains a repo for a popular open source scanner dubbed Nuclei which is used for both traditional scanning and recon as well as more invasive tests using OAST. To enable scanning the Nuclei community curates configs for various exploits. The configuration for CVE-2022-1388 was committed to Project Discovery’s GitHub on May, 9th and Lacework has seen a moderate amount of related traffic from varied sources. For more info on Project discovery check out our recent blog here.