It has been reported that the Mirai botnet is now attempting to exploit a critical remote code execution (RCE) vulnerability in F5 BIG-IP software. The bot scans for BIG-IP devices whose Traffic Management User Interface (TMUI) is exposed to the internet and then sends them a malicious payload. According to the researcher's report, successful exploitation enables the attacker "to create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network".
It is no surprise that Mirai now carries an exploit for CVE-2020-5902; it is a good example of how quickly a publicly known vulnerability gets weaponized.
Outside observers can easily Monday-morning-quarterback by suggesting that all affected customers should immediately upgrade their F5 products to the latest software versions. Unfortunately, it’s not that easy. Making a change to any production deployment is a risk—if it ain’t broke, operations people are reluctant to fix it, for good reason.
Infrastructure upgrades are ideally made in a controlled fashion, with a defined, measured process for applying them in a test environment and performing extensive testing before rolling them out to production. Faced with a near-constant deluge of patches and upgrades, this process can get clogged. Where an upgrade cannot be scheduled immediately, the interim mitigation is the one that applies here: keep the vulnerable management interface off the internet and reachable only from trusted administrative networks, so the scanners find nothing to hit while the upgrade works its way through the process.
While vulnerabilities and upgrades are an inevitable part of using software, such disruptions are minimized when vendors follow a Secure Software Development Life Cycle (SSDLC). Thinking about security during every phase of the SSDLC means that the vendor locates and eliminates more vulnerabilities during product development, minimizing the downstream risk for their customers. More secure, safer products with fewer emergency patches are a competitive advantage.
As our H1 2020 OT/IoT Security Report states, the organisations behind IoT malware are very quick to capitalise on new remote exploits becoming available. Since they already have the infrastructure and code base in place, plugging in a new propagation strategy can be a matter of a few hours. This is the main reason why patching time is so important for defenders, as well as having a more strategic solution in place, for instance one that provides complete network visibility.
One approach to keeping bots out of the industrial control systems behind critical infrastructure is network segmentation designed for cybersecurity protection. Specifically, for industrial cybersecurity, the goal is to follow the IEC 62443 network segmentation guidelines, which recommend grouping devices with similar security requirements into zones and connecting zones only through a secured conduit such as a firewall. That way only approved communications reach the key areas of the control network, and DDoS traffic from botnets is stopped before it can impact the ICS.
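To make the zone-and-conduit idea concrete, here is a small policy check written for this page as an added example; it is not code from the article's author or from any vendor. The zone names, address ranges, allowed ports and the sample flows are all constructed assumptions: a corporate network, a small management subnet for jump hosts, an industrial DMZ, and a control zone that holds the PLCs and a BIG-IP fronting the HMI. The conduit table is default-deny, so the only way to reach the BIG-IP's management port is from the management subnet, and an internet host probing the control zone shows up as a scanner in the audit output.

```python
"""Zone-and-conduit policy check in the IEC 62443 style.

Added example, not from the original article. Zone names, prefixes, ports
and sample flows are constructed; replace them with your own inventory.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Zones group assets with similar security requirements. The most specific
# prefix wins; an address matching no prefix is treated as "internet".
ZONES = {
    "enterprise": ["10.10.0.0/16"],
    "mgmt":       ["10.10.250.0/24"],    # admin jump hosts, carved out of the enterprise range
    "idmz":       ["10.20.0.0/24"],      # industrial DMZ: historian mirror, patch server
    "control":    ["192.168.100.0/24"],  # PLCs, HMIs, the BIG-IP in front of the HMI
}

# Conduits: the only conversations allowed to cross a zone boundary.
# Tuple is (src_zone, dst_zone, proto, dport); everything else is dropped.
CONDUITS = {
    ("enterprise", "idmz", "tcp", 443),   # users read the historian mirror
    ("idmz", "control", "tcp", 502),      # DMZ historian polls PLCs over Modbus/TCP
    ("mgmt", "control", "tcp", 443),      # BIG-IP management UI only from jump hosts
    ("mgmt", "control", "tcp", 22),       # same for SSH
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr):
    """Map an address to its zone using the longest matching prefix."""
    ip = ipaddress.ip_address(addr)
    best, best_len = "internet", -1
    for zone, prefixes in ZONES.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if ip in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best


def decide(flow):
    """Return 'allow' or 'deny'. Traffic that stays inside one zone never
    crosses a conduit, so the conduit policy does not apply to it."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow"
    return "allow" if (src_zone, dst_zone, flow.proto, flow.dport) in CONDUITS else "deny"


def audit(flows, scan_threshold=5):
    """Evaluate a batch of flows. Sources with many denied attempts against the
    control zone are reported as scanners, which is what a botnet probing for
    exposed management interfaces looks like from the conduit's point of view."""
    denied_total = 0
    denied_to_control = Counter()
    allowed = 0
    for flow in flows:
        if decide(flow) == "allow":
            allowed += 1
            continue
        denied_total += 1
        if zone_of(flow.dst) == "control":
            denied_to_control[flow.src] += 1
    scanners = sorted(src for src, n in denied_to_control.items() if n >= scan_threshold)
    return {"allowed": allowed, "denied": denied_total, "scanners": scanners}


# Constructed sample traffic: legitimate conduits, one misrouted workstation,
# one stray internet hit on the DMZ, and one internet host sweeping the BIG-IP.
SAMPLE_FLOWS = [
    Flow("10.10.5.7", "10.20.0.10", "tcp", 443),            # enterprise -> idmz web: allow
    Flow("10.20.0.10", "192.168.100.20", "tcp", 502),       # idmz -> PLC Modbus: allow
    Flow("10.10.250.4", "192.168.100.5", "tcp", 443),       # jump host -> BIG-IP mgmt: allow
    Flow("10.10.5.7", "192.168.100.5", "tcp", 443),         # workstation -> BIG-IP mgmt: deny
    Flow("192.168.100.20", "192.168.100.21", "tcp", 502),   # PLC to PLC, same zone: allow
    Flow("198.51.100.2", "10.20.0.10", "tcp", 443),         # internet -> DMZ: deny
] + [
    Flow("203.0.113.9", "192.168.100.5", "tcp", port)       # internet sweep of the BIG-IP: deny x6
    for port in (443, 8443, 80, 22, 23, 2222)
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{decide(flow):5} {zone_of(flow.src):10} -> {zone_of(flow.dst):8} {flow.proto}/{flow.dport}")
    print(audit(SAMPLE_FLOWS))
```

The point of the longest-prefix lookup is that a management subnet can live inside the corporate address space and still be its own zone, so an ordinary workstation in the same /16 is denied the BIG-IP management port while the jump host is not. Feeding real NetFlow or firewall log records into `audit()` turns the same table into a quick check that the deployed rule set matches the intended conduits.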