Expert Reaction On Mirai Botnet Is Targeting RCE Vulnerability In F5 BIG-IP Software

It has been reported that the Mirai botnet is now trying to exploit a critical RCE bug in F5 BIG-IP software. It scans for exposed BIG-IP boxes and then attacks them with a malicious payload. According to the researchers who reported it, successful exploitation enables the attacker "to create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network".

2 Expert Comments
Jonathan Knudsen, Senior Security Strategist
InfoSec Expert
August 5, 2020 8:16 pm

It’s no surprise that the Mirai botnet now includes an exploit for CVE-2020-5902, and it is a good example of how known vulnerabilities get weaponized.

Outside observers can easily Monday-morning-quarterback by suggesting that all affected customers should immediately upgrade their F5 products to the latest software versions. Unfortunately, it’s not that easy. Making a change to any production deployment is a risk—if it ain’t broke, operations people are reluctant to fix it, for good reason.

Infrastructure upgrades are ideally made in a controlled fashion, with a defined, measured process for making upgrades in a test environment and performing extensive testing before rolling the upgrades out to production. Faced with a near-constant deluge of patches and upgrades, this process can get clogged.

While vulnerabilities and upgrades are an inevitable part of using software, when vendors follow a Secure Software Development Life Cycle (SSDLC), such disruptions are minimized. Thinking about security during every phase of the SSDLC means that the vendor locates and eliminates more vulnerabilities during product development, minimizing the downstream risk for their customers. More secure, safer products with fewer emergency patches are a competitive advantage.

Andrea Carcano, Co-founder and CPO
InfoSec Expert
August 5, 2020 8:10 pm

As our H1 2020 OT/IoT Security Report states, the organisations behind IoT malware are very quick to capitalise on new remote exploits being available. Since they have the infrastructure and code base already available, plugging in a new propagation strategy can be a matter of a few hours. This is the main reason why patching time is very important for defenders, as well as having a more strategic solution in place, for instance one that provides complete network visibility.

One approach to blocking bots from getting into industrial control systems for critical infrastructure is to leverage network segmentation designed for cybersecurity protection. Specifically, for industrial cybersecurity, the goal is to follow the IEC 62443 network segmentation guidelines, which recommend grouping devices with similar security requirements behind a secure conduit such as a firewall. This way only safe communications would get through to key areas of the control network, blocking DDoS attacks from botnets from impacting ICS.

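The zone-and-conduit segmentation Carcano describes can be expressed as a small, default-deny policy model: devices with similar security requirements are grouped into zones, every cross-zone path must be an explicitly justified conduit, and anything else is rejected and logged. The following Python is an added example written for this page; it is not code from the page, from Nozomi Networks or from any firewall product. The zone names, address ranges, security levels and sample flows are constructed for illustration.

```python
"""Toy IEC 62443-style zone/conduit policy checker (added example, not from the page).

Zones group devices with similar security requirements; a conduit is an explicit,
reviewed path between two zones. Every cross-zone flow without a conduit is denied.
Zone names, CIDRs, security levels and the sample flows are constructed, not real.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    cidrs: Tuple[str, ...]
    security_level: int  # IEC 62443 target security level (SL-T), 1..4


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    purpose: str  # every hole in the segmentation must carry a justification


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


class SegmentationPolicy:
    def __init__(self, zones: List[Zone], conduits: List[Conduit]) -> None:
        self.zones = zones
        self.conduits = conduits
        known = {z.name for z in zones}
        for c in conduits:  # refuse a policy whose conduits point at undefined zones
            if c.src_zone not in known or c.dst_zone not in known:
                raise ValueError(f"conduit references unknown zone: {c}")

    def zone_of(self, ip: str) -> Optional[Zone]:
        addr = ip_address(ip)
        for z in self.zones:
            if any(addr in ip_network(c) for c in z.cidrs):
                return z
        return None  # not in any zone: treated as untrusted

    def evaluate(self, flow: Flow) -> Tuple[bool, str]:
        """Return (allowed, reason). Only an exact conduit match opens a cross-zone path."""
        src, dst = self.zone_of(flow.src_ip), self.zone_of(flow.dst_ip)
        if src is None or dst is None:
            return False, "deny: endpoint outside every defined zone"
        if src.name == dst.name:
            return True, f"allow: intra-zone traffic within {src.name}"
        for c in self.conduits:
            if (c.src_zone, c.dst_zone, c.proto, c.dst_port) == (
                src.name, dst.name, flow.proto, flow.dst_port
            ):
                return True, f"allow: conduit {src.name}->{dst.name} ({c.purpose})"
        return False, f"deny: no conduit {src.name}->{dst.name} {flow.proto}/{flow.dst_port}"

    def denied(self, flows: List[Flow]) -> List[Tuple[Flow, str]]:
        """Flows the policy rejects, with reasons: the list a defender reviews or alerts on."""
        out = []
        for f in flows:
            ok, reason = self.evaluate(f)
            if not ok:
                out.append((f, reason))
        return out


# Constructed zones and conduits (hypothetical plant layout).
POLICY = SegmentationPolicy(
    zones=[
        Zone("enterprise", ("10.10.0.0/16",), security_level=1),
        Zone("dmz", ("10.20.0.0/24",), security_level=2),
        Zone("control", ("10.30.0.0/24",), security_level=3),
    ],
    conduits=[
        Conduit("enterprise", "dmz", "tcp", 443, "read-only historian web UI"),
        Conduit("control", "dmz", "tcp", 1433, "historian data push"),
    ],
)

# Constructed sample flows, as a firewall or monitoring sensor might observe them.
SAMPLE_FLOWS = [
    Flow("10.10.5.7", "10.20.0.10", "tcp", 443),     # enterprise -> dmz via conduit
    Flow("10.30.0.5", "10.20.0.10", "tcp", 1433),    # control -> dmz via conduit
    Flow("10.30.0.5", "10.30.0.9", "tcp", 502),      # intra-zone control traffic
    Flow("10.10.5.7", "10.30.0.9", "tcp", 22),       # enterprise straight into control
    Flow("198.51.100.4", "10.30.0.9", "tcp", 443),   # source outside every zone
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, POLICY.evaluate(f)[1])
```

The design point is that the conduit list doubles as documentation: a reviewer can read why each cross-zone path exists, and `denied()` turns the same policy into an audit of observed flows, so traffic that bypasses the intended conduits (a scanner reaching the control zone directly, for instance) surfaces as a deny with a reason rather than silently passing.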
Information Security Buzz