
Iranian Hackers Targeting Networking Devices

by Chris Brook on Tuesday August 11, 2020


The FBI warned organizations last week that an Iranian hacking group has spent roughly the past month targeting vulnerable networking devices.

The FBI is again advising organizations to fortify their defenses, this time against a group of hackers reportedly working for the Iranian government that has been targeting networking equipment.

According to reports, the FBI sent a notification to U.S. private-sector organizations last week warning that the hackers were actively attempting to exploit a vulnerability disclosed earlier this summer in F5 BIG-IP application delivery controller (ADC) devices.

BIG-IP devices handle rate shaping and SSL offloading and can act as a web application firewall. ADCs were originally built for load balancing; today they also mitigate security threats and streamline how traffic moves through a data center and the cloud.

The devices are popular; on its website, F5 says 48 of the Fortune 50 companies rely on its services.

The vulnerability the FBI is warning about, CVE-2020-5902, is a critical remote code-execution flaw that F5 patched at the end of June; it came to public attention at the beginning of July.

It should come as little surprise that attacks targeting the vulnerability have been on the rise since then, from early July onward.

The bug, first found and reported to F5 by Mikhail Klyuchnikov, a security researcher at Positive Technologies, lies in BIG-IP's management interface, the Traffic Management User Interface (TMUI), also known as the Configuration utility.

Reports claim the Iranian group is known by codenames Fox Kitten and Parisite.

The FBI claims the group is also behind attacks that have targeted VPN devices and appliances such as Pulse Secure (CVE-2019-11510, CVE-2019-11539) and Citrix ADC/Gateway (CVE-2019-19781). Those vulnerabilities date back to 2019 and are among the most exploited vulnerabilities the U.S. government has seen so far in 2020.

The FBI is only the latest U.S. government agency to push organizations to patch the vulnerability.

On July 3, days after F5 released fixes for both flaws, U.S. Cyber Command urged admins to patch CVE-2020-5902 and the less severe CVE-2020-5903 immediately.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an alert in late July stressing that attackers were exploiting CVE-2020-5902 and confirming that two organizations had been compromised.

“Unpatched F5 BIG-IP devices are an attractive target for malicious actors. Affected organizations that have not applied the patch to fix this critical remote code execution (RCE) vulnerability risk an attacker exploiting CVE-2020-5902 to take control of their system,” CISA warned, adding “Note: F5’s security advisory for CVE-2020-5902 states that there is a high probability that any remaining unpatched devices are likely already compromised.”

In its advisory, F5 warned that an attacker could execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code, and that the vulnerability could result in complete system compromise. The flaw is reachable only through TMUI, so devices whose management interface (the management port or a self IP) is exposed to untrusted networks are the ones at risk; keeping TMUI off the internet limits exposure but is not a substitute for the patch.
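Given CISA's warning that unpatched devices are likely already compromised, the practical next step is to look back through logs for exploitation attempts. The following is an added example, not code from the article, F5 or CISA: it flags requests matching the publicly reported CVE-2020-5902 request pattern (a `..;` path-traversal segment that reaches TMUI's workspace file-read/file-save pages and its tmsh command runner). The Apache combined log format and the sample lines are assumptions constructed for the example.

```python
"""Triage web-server access logs for requests matching the publicly reported
CVE-2020-5902 exploitation pattern against BIG-IP's TMUI.

Added example: the log format (Apache combined log) is an assumption about the
log source, and every sample line below is constructed, not captured traffic.
"""
import re
from urllib.parse import unquote

# Apache combined-log layout (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# TMUI endpoints named in public exploitation reports (not in the article above):
# workspace file read/write pages and the tmsh command runner.
SENSITIVE_ENDPOINTS = ("fileread.jsp", "filesave.jsp", "tmshcmd.jsp")


def normalize_path(target):
    """Drop the query string, percent-decode twice (catches double encoding) and lowercase."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def classify(target):
    """Return the reasons a request target looks like a CVE-2020-5902 probe ([] if benign)."""
    path = normalize_path(target)
    if "/tmui/" not in path:
        return []
    reasons = []
    # Public exploits reach the protected pages via a "..;" segment: the front-end
    # web server sees an allowed path under /tmui/login.jsp, while the Java servlet
    # container treats ";..." as a path parameter and collapses the segment.
    if "..;" in path:
        reasons.append("semicolon path traversal")
    if path.endswith(SENSITIVE_ENDPOINTS):
        reasons.append("sensitive TMUI endpoint")
    return reasons


def scan_log(lines):
    """Return (ip, timestamp, status, target, reasons) for each suspicious request.

    Unparsable lines are skipped. A 200 status on a flagged request is the strongest
    signal; a 404 may only be a scanner probing an unaffected host.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append((m["ip"], m["ts"], int(m["status"]), m["target"], reasons))
    return hits


# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Jul/2020:10:02:11 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Jul/2020:10:02:40 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1844 "-" "python-requests/2.24"',
    '203.0.113.5 - - [06/Jul/2020:10:02:41 +0000] "GET /tmui/login.jsp/%2E%2E;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 912 "-" "python-requests/2.24"',
    '198.51.100.9 - - [06/Jul/2020:10:03:02 +0000] "GET /index.html HTTP/1.1" 404 209 "-" "curl/7.68.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, ts, status, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target} -> {', '.join(reasons)}")
```

A hit is an indicator, not proof of compromise: a flagged request that returned 200 from a device that was unpatched at the time should be treated as a likely compromise and handed to incident response, while the same request against a patched device or returning 404 is more likely a scanner. Decoding twice matters because attackers routinely percent-encode the `..` to slip past naive string matches.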

Tags:  Vulnerabilities
