From 0-Day to Mirai: 7 days of BIG-IP Exploits

Two sentences: Researchers observed a rapid exploit campaign against F5 BIG-IP CVE-2022-1388, deploying web shells and Mirai-era malware within days. The events highlight the danger of exposed devices and the need for secure configurations and timely patching. #CVE-2022-1388 #Mirai

Keypoints

  • CVE-2022-1388 is an F5 BIG-IP remote code execution vulnerability that was exploited publicly and widely, with exploitation described as “trivial once the exploit became known.”
  • The initial probe used POST /mgmt/tm/util/bash to run commands and identify targets, signaling a rapid, automated exploitation window.
  • Attackers dropped web shells and backdoors, with base64-encoded payloads decoding to a simple webshell and subsequent upload of webshell tools.
  • Multiple IPs were observed in the campaign, indicating the same actor controlled several sources (e.g., 185.239.226.177 and 93.120.118.131 among others).
  • Attackers attempted standard discovery and credential collection, including commands like id, whoami, and attempting to extract users and password hashes.
  • Destructive attempts (rm -rf /*) were observed on honeypots; BIG-IP mounts /usr read-only, which limits the impact but does not prevent continued exploitation.
  • Mirai was detected in association with the activity, including a sample discussed on VirusTotal, underscoring continued botnet reuse of BIG-IP exploits.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of CVE-2022-1388 to gain remote code execution. “Exploitation was trivial once the exploit became known and easily implemented using existing tools.”
  • [T1059.004] Unix Shell – Command execution via webshell, including use of /bin/bash to run commands. “POST /mgmt/tm/util/bash … {"command": "run", "utilCmdArgs": "-c whoami"}”
  • [T1505.003] Web Shell – Use of webshells and backdoors to maintain access. “mixed in with a few webshells, backdoors, and the usual fare.”
  • [T1083] File and Directory Discovery – Discovery of files and directories via commands like ls /etc and ls /run. “ls /etc/; ls /run”
  • [T1082] System Information Discovery – Gathering system details via hostname, hosts, passwd, etc. “cat /etc/hostname; cat /etc/hosts; cat /etc/passwd; cat /etc/shadow”
  • [T1003] Credential Dumping – Attempt to extract users and password hashes. “to extract users and password hashes”
  • [T1105] Ingress Tool Transfer – Not stated explicitly in the diary; payloads were delivered and used via the web interface, followed by tool use to expand access (context: base64-encoded payloads that drop a webshell and tools).
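The probe-and-drop sequence the key points and techniques above describe (a POST to /mgmt/tm/util/bash carrying a utilCmdArgs command, discovery commands such as whoami and cat /etc/shadow, and a base64-encoded payload decoding to a webshell) can be turned into a detection check over proxy or WAF request records. The Python below is an added example written for this summary, not code from the diary or from F5; the endpoint path and command strings come from the text above, while the request records, the source addresses and the base64 payload are constructed.

```python
import base64
import json
import re

# iControl REST endpoint abused in the campaign and the commands the diary reports being run.
BASH_ENDPOINT = "/mgmt/tm/util/bash"
SUSPICIOUS_CMDS = re.compile(r"cat\s+/etc/shadow|rm\s+-rf\s+/\*|\bwhoami\b|\bid\b|base64\s+-d")
WEBSHELL_MARKERS = re.compile(r"<\?php|system\(|shell_exec\(|\$_(?:GET|POST|REQUEST)")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed payload (not from the diary): a one-line PHP webshell, base64-encoded like the observed ones.
CONSTRUCTED_B64 = base64.b64encode(b'<?php system($_GET["c"]); ?>').decode()

# Constructed request records as a proxy or WAF might export them; addresses are documentation ranges.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "path": BASH_ENDPOINT,
     "body": '{"command": "run", "utilCmdArgs": "-c whoami"}'},
    {"src": "203.0.113.7", "method": "POST", "path": BASH_ENDPOINT,
     "body": '{"command": "run", "utilCmdArgs": "-c \\"cat /etc/hostname; cat /etc/shadow\\""}'},
    {"src": "198.51.100.9", "method": "POST", "path": BASH_ENDPOINT,
     "body": f'{{"command": "run", "utilCmdArgs": "-c \\"echo {CONSTRUCTED_B64} | base64 -d > /tmp/w.php\\""}}'},
    {"src": "192.0.2.5", "method": "GET", "path": "/mgmt/tm/sys/version", "body": ""},
]

def decode_base64_tokens(text):
    """Decode every base64-looking token in a command string, skipping invalid ones."""
    decoded = []
    for tok in B64_TOKEN.findall(text):
        try:  # binascii.Error (bad padding or alphabet) is a ValueError subclass
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return decoded

def classify_request(req):
    """Return finding tags for one request record; an empty list means nothing notable."""
    if req["method"] != "POST" or req["path"] != BASH_ENDPOINT:
        return []
    findings = ["bash-endpoint"]
    try:
        body = json.loads(req["body"])
    except json.JSONDecodeError:
        return findings + ["unparseable-body"]
    args = str(body.get("utilCmdArgs", ""))
    if SUSPICIOUS_CMDS.search(args):
        findings.append("discovery-or-destructive-cmd")
    if any(WEBSHELL_MARKERS.search(d) for d in decode_base64_tokens(args)):
        findings.append("base64-webshell-payload")
    return findings
```

Any POST to the bash endpoint is worth an alert on its own; the extra tags distinguish the discovery probes from the webshell drop so the same source can be tracked across both stages.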

Indicators of Compromise

  • [IP Address] attack sources – 185.239.226.177, 93.120.118.131, and six further IPs (45.72.32.11, 178.159.74.190, 192.67.160.144, 216.74.110.226, 64.43.114.53, 177.54.127.111) observed contacting honeypots and attempting exploitation
  • [File Hash] malware sample linked to Mirai/CVE-2022-1388 – ccb5b33ad8ae136180aea84c0ef88e5e969039bd3cd6e1ba0b58e19e09a717aa

Read more: https://isc.sans.edu/diary/rss/28644