The Mirai botnet is now exploiting a critical vulnerability in F5's BIG-IP products, tracked as CVE-2020-5902. The flaw was publicly disclosed in the first week of July 2020 and has been rated critical.
BIG-IP Implementation Flawed: CVE-2020-5902 Advisory Issued: Targeted By The Mirai Botnet
The Mirai botnet is actively being used to break into network appliances and hosts that are vulnerable to CVE-2020-5902. The advisory is recent and is being tracked by the security community, and attackers have already built the exploit into the Mirai botnet. The initial disclosure was posted in the first week of July this year, which has prompted network engineers and security administrators to audit their systems and check whether they are exposed.
The published advisory gave attackers enough detail about the problem to write exploit code and add it to Mirai's intrusion module. In addition, Shodan added the flaw to its search engine, so anyone can search for exposed hosts that may be vulnerable.
The bug is a remote code execution flaw in BIG-IP's web-based management interface (the Traffic Management User Interface, TMUI). That interface is served by an Apache httpd front end that forwards requests to a back-end Java application, and the two parse URL paths differently: the front end treats a segment such as `..;` as an ordinary directory name and lets the request through its access rules, while the back end treats everything after a `;` in a segment as a path parameter, strips it, and then resolves the remaining `..` as a directory traversal. The semicolon is therefore not a "command finished" marker; it is what lets a request slip past the front end's restrictions and reach pages that are only meant to be available after login, including ones that execute commands on the appliance. A simple URL manipulation is enough for an unauthenticated attacker to issue commands to the remote host.
Working proof-of-concept code is easy to write in any popular programming language, so attackers can cheaply send probe requests to potentially vulnerable networks and, after a scan, identify affected hosts. Computers and network devices compromised by Mirai through this flaw have been confirmed, which shows that attackers moved to exploit it as soon as it became public.
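As an added illustration that is not part of this article or of F5's own material, the Python below models the two path-parsing views described above (a front end that keeps `..;` as a plain segment, a back end that strips `;`-parameters and then resolves `..`) and runs a detection pass over a few constructed access-log lines, flagging requests that hide a `..` behind a `;` parameter. The log lines, IP addresses and the `/public` and `/protected` paths are invented for the example; the code sends no traffic.

```python
"""Model the ";"-parameter path traversal and detect it in access logs.

Added example, not the article's or the vendor's code. Paths, hosts and log
lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlsplit


def remove_dot_segments(path: str) -> str:
    """RFC 3986 style dot-segment removal, segment by segment."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:  # never pop the leading "" that stands for the root
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out)


def strip_path_parameters(path: str) -> str:
    """Drop ';param' from every segment, as a servlet container does."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def front_end_view(path: str) -> str:
    """What the front-end web server matches its access rules against:
    '..;' is an ordinary segment name, so nothing is collapsed."""
    return remove_dot_segments(path)


def back_end_view(path: str) -> str:
    """What the back-end application actually serves: parameters are stripped
    first, so '..;' becomes '..' and climbs out of the public directory."""
    return remove_dot_segments(strip_path_parameters(path))


def hides_dot_segment(path: str) -> bool:
    """True when a '..' appears only after ';'-parameters are stripped.
    A plain '..' or a benign ';jsessionid=...' parameter is not flagged."""
    return any(seg != ".." and seg.split(";", 1)[0] == ".."
               for seg in path.split("/"))


# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return one record per request whose path smuggles a '..' behind ';'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode %2e%2e-style encoding before looking at the segments.
        path = unquote(urlsplit(m["target"]).path)
        if hides_dot_segment(path):
            hits.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": m["status"],
                "front_end": front_end_view(path),
                "back_end": back_end_view(path),
            })
    return hits


# Constructed sample log: two traversal attempts, one normal login page fetch,
# one benign ';jsessionid' parameter that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jul/2020:10:15:01 +0000] "GET /public/..;/protected/admin.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jul/2020:10:15:02 +0000] "GET /public/login.jsp HTTP/1.1" 200 2048',
    '203.0.113.5 - - [08/Jul/2020:10:15:03 +0000] "GET /public/%2e%2e;/protected/run.jsp?cmd=id HTTP/1.1" 200 128',
    '192.0.2.9 - - [08/Jul/2020:10:15:04 +0000] "GET /static/app.js;jsessionid=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} requested {hit["target"]}: front end saw '
              f'{hit["front_end"]}, back end served {hit["back_end"]}')
```

The useful signal is the disagreement between the two views: a request the front end files under `/public/...` that the back end serves from `/protected/...` is exactly the authentication bypass, and a hit with status 200 deserves immediate follow-up rather than a ticket.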
A security investigation shows how the Mirai botnet behaves on such systems. After the flaw has been exploited, the following sequence starts:
- Following the intrusion, Mirai drops attacker-created files onto the compromised system.
- These files can be instructed to run on the host and, depending on their configuration, start brute-force attacks against reachable services or abuse other flaws.
- In most cases they include a payload dropper that downloads additional malware to the device.
- In almost all cases control of the compromised host passes to the criminals through a local agent that connects to an attacker-controlled command-and-control server.
Because many infected devices are already active, device owners are advised to apply the latest security patches and firmware upgrades to protect their systems. Management and other sensitive services should not be reachable from the Internet; placing them behind a VPN or on an internal management network achieves that. As always, continuous security monitoring is recommended.