A critical vulnerability in F5 data centre and enterprise network products that was revealed on July 1 this year is being actively exploited remotely, security researchers have observed.
Security vendor NCCGroup’s Research and Intelligence Fusion Team (RIFT) has monitored the exploits since July 3 when it saw the first attacks,
Threat actors are dropping Monero crypto-currency miner malware, webshells that can be used as remote attack platforms, and other more complex payloads.
If administrators were slow to patch, it is likely that their devices have already been hacked.
A patch against the vulnerability is available but NCCGroup advised that F5 customers that patched after July 4 US time should “assume compromise and conduct a forensic examination of the server.”
The same goes for sites that applied mitigations after July 4 US time; these should check for signs of exploitation before log files are rotated and the data in them is overwritten.
The flaw lies in the Traffic Management User Interface configuration utility which does not properly implement access controls.
Just days after security vendor Positive Technologies discovered the flaw, a simple, one-line exploit for it was made public and did the rounds on social media.