CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One Three Eight Alpha.

​​Original release date: May Eighteenth, twenty twenty two.

CISA and the Multi-State Information Sharing & Analysis Center, also called MS-ISAC, are releasing this joint Cybersecurity Advisory in response to active exploitation of CVE-2022-1388. This vulnerability is a critical iControl REST authentication bypass vulnerability affecting multiple versions of F5 Networks BIG-IP. 

This recently disclosed vulnerability enables an unauthenticated actor to gain control of affected systems through the management port or self-IP addresses. An unauthenticated actor with network access to the BIG-IP system could exploit the vulnerability to execute arbitrary system commands, create or delete files, or disable services.

F5 released a patch for the CVE on May 4th, 2022. Proof of concept exploits have since been publicly released, enabling less sophisticated actors to exploit the vulnerability. Unpatched F5 BIG-IP devices are an attractive target. Organizations that have not applied the patch are vulnerable to cyber actors taking control of their systems.

There is active exploitation of this vulnerability in the wild, and CISA expects to see widespread exploitation of unpatched F5 BIG-IP devices in both government and private sector networks. CISA strongly urges users and administrators to use the recommendations in this advisory—including upgrading their software to fixed versions—to help secure their organization’s systems against malicious cyber operations.

CISA strongly encourages administrators to deploy the signatures included in this advisory to help determine whether their systems have been compromised. CISA and MS-ISAC especially encourage organizations who did not patch immediately or whose F5 BIG-IP device management interface has been exposed to the internet to assume compromise and hunt for malicious activity using the detection signatures in this advisory. If potential compromise is detected, organizations should apply the incident response recommendations included in this advisory. Links to these resources, including indicators of compromise, threat signatures, mitigation actions, and remediation procedures are listed in the show notes.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.