Stealthy Cyber Attacks Exploiting Recent F5 BIG-IP Vulnerabilities
November 1, 2023
F5 has issued a warning to administrators of BIG-IP devices, indicating that skilled hackers are exploiting two recently disclosed vulnerabilities, CVE-2023-46747 and CVE-2023-46748, to achieve stealthy code execution and erase evidence of their access. BIG-IP is a suite of products and services from F5, widely used by large enterprises and government organizations for load balancing, security, and performance management of networked applications. Any vulnerabilities in the product are therefore a major concern.
F5 updated the bulletins for the two vulnerabilities on October 30, alerting about active exploitation in the wild. The company stated, 'This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators.' However, they also cautioned that not all exploited systems may show the same indicators and a skilled attacker could remove traces of their work. F5 further warned that it is not possible to definitively prove a device has not been compromised; in cases of uncertainty, the device should be considered compromised.
The Cybersecurity & Infrastructure Security Agency (CISA) has added the two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal government agencies to apply the available updates by November 21, 2023.
F5 has provided a script to help mitigate the Remote Code Execution (RCE) flaw and has observed threat actors using the two vulnerabilities in combination. Therefore, applying the mitigation for CVE-2023-46747 alone could be enough to halt most attacks.
For administrators seeking guidance on how to identify indicators of compromise (IoCs) on BIG-IP and recover compromised systems, F5 has published resources. The IoCs for CVE-2023-46748 are entries in the /var/log/tomcat/catalina.out file.
Given the ability of attackers to erase their tracks using these flaws, any BIG-IP endpoints that have not been patched should be considered compromised. Administrators of exposed BIG-IP devices are advised to proceed directly to the clean-up and restoration phase as a precautionary measure.