While monitoring SANS Storm Center's honeypots today, I came across the second F5 BIG-IP CVE-2020-5902 vulnerability exploitation followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday [1].

Running the backdoor binary (ELF) on a separate system, it was possible to verify that it establishes an SSL connection to the address web[.]vpnkerio.com (152[.]32.180.34:443). Looking up web[.]vpnkerio.com at VirusTotal while writing this diary, I could find no AV detecting the network addresses or the binary hash as malicious.

For persistence, it writes a line to the "/etc/init.d/rc.local" file in an attempt to start on system boot.

Examining the binary statically, it is possible to see the string 'python -c 'import pty;pty.spawn("/bin/sh")''. It will require more analysis, but it may be used for the attacker to have an interactive terminal on the target system. A proper terminal is usually required for the attacker to run commands like 'su'.

IOCs:

Exploitation attempt source:

Backdoor URL:

C2 communication: web[.]vpnkerio.com (152[.]32.180.34:443)

The backdoor binary:

References

[1] https://isc.sans.edu/forums/diary/Summary+of+CVE20205902+F5+BIGIP+RCE+Vulnerability+Exploits/26316/
Renato, 61 Posts, ISC Handler, Jul 7th 2020
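The indicators in the diary (the C2 host and port, the line appended to /etc/init.d/rc.local, and the pty.spawn string inside the ELF) can be turned into a quick host sweep. The following is an added example, not the handler's code and not code from the backdoor: it applies the diary's indicators to an rc.local file, to /proc/net/tcp (decoding the kernel's little-endian hex address fields) and to a binary's raw bytes. The sample rc.local, the sample /proc/net/tcp lines and the sample ELF bytes are constructed so the script runs offline; the staging-directory list and the sweep_host() helper are assumptions, and the sample rc.local line is made up because the diary does not show the line the backdoor writes.

```python
import socket
import struct
from typing import List, Tuple

# Indicators taken from the diary (defanged there as web[.]vpnkerio.com / 152[.]32.180.34:443).
C2_HOST = "web.vpnkerio.com"
C2_IP = "152.32.180.34"
C2_PORT = 443
PTY_SPAWN = b'python -c \'import pty;pty.spawn("/bin/sh")\''
PERSISTENCE_FILE = "/etc/init.d/rc.local"

# Assumption: staging directories commonly used by droppers; not stated in the diary.
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def scan_rc_local(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, line) for every executable line in an rc.local.

    The diary only says the backdoor appends a line and does not show it, so every
    non-comment command is reported and classified by what it references.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue
        if C2_HOST in line or C2_IP in line:
            reason = "known-c2"
        elif any(d in line for d in STAGING_DIRS):
            reason = "staging-dir"
        else:
            reason = "review"
        findings.append((n, reason, line))
    return findings


def has_pty_spawn(blob: bytes) -> bool:
    """True if the PTY-upgrade one-liner seen in the ELF's strings is present."""
    return PTY_SPAWN in blob


def decode_proc_net_addr(field: str) -> Tuple[str, int]:
    """Decode a /proc/net/tcp 'HEXIP:HEXPORT' field (IPv4 is little-endian hex)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def c2_sockets(proc_net_tcp: str) -> List[Tuple[str, int, str, int]]:
    """Return (local ip, local port, remote ip, remote port) for sockets to the C2."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        lip, lport = decode_proc_net_addr(parts[1])
        rip, rport = decode_proc_net_addr(parts[2])
        if rip == C2_IP and rport == C2_PORT:
            hits.append((lip, lport, rip, rport))
    return hits


def sweep_host(binary_paths=()) -> dict:
    """Assumed helper: run the checks on a live host; unreadable files are reported, not fatal."""
    result = {"pty_spawn": {}}
    try:
        with open(PERSISTENCE_FILE, encoding="utf-8", errors="replace") as fh:
            result["rc_local"] = scan_rc_local(fh.read())
    except OSError as exc:
        result["rc_local"] = f"unreadable: {exc}"
    try:
        with open("/proc/net/tcp", encoding="ascii") as fh:
            result["c2_sockets"] = c2_sockets(fh.read())
    except OSError as exc:
        result["c2_sockets"] = f"unreadable: {exc}"
    for path in binary_paths:
        try:
            with open(path, "rb") as fh:
                result["pty_spawn"][path] = has_pty_spawn(fh.read())
        except OSError as exc:
            result["pty_spawn"][path] = f"unreadable: {exc}"
    return result


# Constructed sample inputs (not captured from the honeypot).
SAMPLE_RC_LOCAL = """#!/bin/sh
# constructed sample; the real appended line is not shown in the diary
/tmp/.x/bd &
exit 0
"""

# 22B42098:01BB is 152.32.180.34:443 in /proc/net/tcp encoding; 0A00000A:B4E2 is 10.0.0.10:46306.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:B4E2 22B42098:01BB 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1
"""

SAMPLE_ELF = b"\x7fELF" + b"\x00" * 12 + PTY_SPAWN + b"\x00"

if __name__ == "__main__":
    print(scan_rc_local(SAMPLE_RC_LOCAL))
    print(c2_sockets(SAMPLE_PROC_NET_TCP))
    print(has_pty_spawn(SAMPLE_ELF))
```

On a real BIG-IP, run sweep_host() as root and pass the paths of any recently written ELF files; a hit in /proc/net/tcp only shows an established socket, so also check which PID owns it (for example with ss -tnp) before deciding the box is compromised.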
the screenshot shows 152[.]32[.]180[.]34 as the C2 channel, but in your write up, you list the IoC as 52[.]32[.]180[.]34. I assume the screenshot is correct?
John, 1 Posts, Jul 7th 2020
Hello John, you are right.
The correct IP is 152[.]32.180.34. Just fixed in the diary. Thanks!
Renato, 61 Posts, ISC Handler, Jul 7th 2020