Trustwave’s Action Response: F5 BIG-IP Vulnerability (CVE-2022-1388)

Trustwave SpiderLabs is tracking a new critical-rated vulnerability (CVE-2022-1388) affecting F5 BIG-IP network devices. Threat actors are reported to be actively exploiting this vulnerability in the wild. F5 disclosed and issued a patch for CVE-2022-1388 on May 4.

We are diligently watching over our clients for exposure and associated attacks and working closely with our clients to ensure that mitigations are in place. Trustwave SpiderLabs is continuing to monitor this developing threat and we will update this blog as necessary.

Threat Summary

Unauthenticated RCE in F5 BIG-IP
CVE-2022-1388: CVSS 9.8 - Critical

The vulnerability allows an attacker to bypass authentication by manipulating the HTTP request headers and the X-F5-Auth-Token value. The result is that an unauthenticated attacker can pass arbitrary commands to the local bash instance. Exploitation is trivial, with most PoCs being a curl command or a one-line Python implementation (sample PoC: https://github.com/alt3kx/CVE-2022-1388_PoC).

The vulnerability does require network access to the management port (“Self IP” address), so the public attack surface should be limited, because the management interface should never be exposed to the Internet.
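As an added illustration of the header manipulation described above (this is not Trustwave's IDS rule or the ModSecurity coverage mentioned later), the following detector inspects raw HTTP requests, such as a reverse proxy or packet capture in front of the management interface would yield, and flags the documented CVE-2022-1388 pattern: an iControl REST request whose `Connection` header names `X-F5-Auth-Token`. The sample requests, hostnames and token values are constructed for the example.

```python
"""Added example: flag CVE-2022-1388-style requests to the BIG-IP iControl REST API.
Legitimate clients never list X-F5-Auth-Token in the hop-by-hop Connection header,
so that combination on a /mgmt/ path is a high-confidence exploitation indicator."""
from typing import Dict, List, Tuple


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, path, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers


def indicators(raw: str) -> List[str]:
    """Return the CVE-2022-1388 indicators present in one request (empty if none)."""
    method, path, headers = parse_request(raw)
    found: List[str] = []
    if not path.startswith("/mgmt/"):
        return found  # Only the iControl REST API is in scope for this CVE.
    found.append("icontrol-rest-path")
    if "x-f5-auth-token" in headers.get("connection", "").lower():
        found.append("auth-token-in-connection-header")
    if "x-f5-auth-token" in headers:
        found.append("x-f5-auth-token-present")
    if method == "POST" and path.startswith("/mgmt/tm/util/bash"):
        found.append("bash-utility-endpoint")  # Legitimate for admins, worth review.
    return found


def verdict(raw: str) -> str:
    """'exploit' for the documented bypass pattern, 'review' for bash-utility use, else 'none'."""
    hits = indicators(raw)
    if "auth-token-in-connection-header" in hits:
        return "exploit"
    if "bash-utility-endpoint" in hits:
        return "review"
    return "none"


# Constructed samples (not real captures): one matching the bypass, one ordinary API call.
SAMPLE_EXPLOIT = ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: 203.0.113.10\r\n"
                  "Connection: keep-alive, X-F5-Auth-Token\r\nX-F5-Auth-Token: placeholder\r\n"
                  "Content-Type: application/json\r\n\r\n{}")
SAMPLE_BENIGN = ("GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: 10.0.0.5\r\n"
                 "X-F5-Auth-Token: placeholder\r\nConnection: keep-alive\r\n\r\n")
```

Because the indicator lives in request headers, apply this at a proxy, WAF or capture point in front of the management interface rather than to the combined-format access log, which records only the request line.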

Affected F5 BIG-IP platforms

  • 16.1.x versions prior to 16.1.2.2
  • 15.1.x versions prior to 15.1.5.1
  • 14.1.x versions prior to 14.1.4.6
  • 13.1.x versions prior to 13.1.5

Those running firmware versions 11.x and 12.x will not receive security updates and should upgrade to a newer version as soon as possible.
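To turn the affected-version list above into an inventory check, here is an added example (not part of the original post) that classifies BIG-IP version strings against those branches and treats 11.x and 12.x as end-of-support with no fix available; the hostnames and versions in the sample inventory are constructed.

```python
"""Added example: triage BIG-IP versions against the CVE-2022-1388 fixed releases
listed in the advisory. Versions are compared as four-component tuples."""
from typing import Dict, Iterable, Tuple

# First fixed release per affected branch, as listed in the post.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5, 0),
}
# Branches that receive no security update and must be upgraded.
END_OF_SUPPORT = {11, 12}


def parse_version(text: str) -> Tuple[int, ...]:
    """'16.1.2' -> (16, 1, 2, 0): pad to four components so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(text: str) -> str:
    """Return 'vulnerable', 'fixed', 'end-of-support' or 'unlisted' for one version."""
    version = parse_version(text)
    if version[0] in END_OF_SUPPORT:
        return "end-of-support"
    fixed = FIXED_BY_BRANCH.get((version[0], version[1]))
    if fixed is None:
        return "unlisted"  # Branch not named in the advisory; check vendor guidance.
    return "vulnerable" if version < fixed else "fixed"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair from an inventory export to its status."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = [("lb-edge-01", "16.1.2"), ("lb-edge-02", "16.1.2.2"),
              ("lb-dc-01", "12.1.5"), ("lb-lab", "17.0.0")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```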

Mitigation

If you cannot patch:

  • Block iControl REST access through the self IP address
  • Block iControl REST access through the management interface
  • Modify the BIG-IP httpd configuration

More details from F5: https://support.f5.com/csp/article/K23605346

The Latest Reported Wiper Attacks

Reports published on May 10 indicate that threat actors are using the vulnerability to wipe devices’ file systems, rendering the appliance unusable. Other attacks have dropped webshells to obtain initial access to networks, which is then used to steal SSH keys and enumerate system information.

The motivation behind the wiper attacks is unknown at this time. Exploitation is simple to carry out, and the payload is a common, simple bash command (“rm -rf /*”) that causes maximum damage by wiping the file system from the root directory down. Right now, the attacks appear to be opportunistic and possibly done as a simple act of vandalism or perhaps just for bragging rights.

The attackers are likely spraying exploit attempts across the Internet to discover publicly accessible systems rather than choosing victims. So far, Trustwave SpiderLabs is not seeing any organizations being specifically targeted in the current campaign. The attacks do appear widespread, which is further evidence that this activity is opportunistic and not targeted.

CISA Alert

Due to the active exploitation of CVE-2022-1388, the Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE to CISA’s Known Exploited Vulnerabilities (KEV) Catalog. This action makes it mandatory for Federal Civilian Executive Branch (FCEB) agencies to secure their systems against attacks that would abuse security flaws added to the KEV catalog. CISA also recommends that all organizations prioritize remediating this issue.

Trustwave Product Protections

  • Trustwave has developed two IDS rules covering this CVE, which will be available May 13.
  • The Trustwave Vulnerability Assessment Team (VAT) has developed a Carrier check, which will be available May 13.
  • The ModSecurity commercial ruleset has released out of band updates with coverage for this CVE.
