F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech
blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html
朝長 秀誠 (Shusei Tomonaga)
September 15, 2022
Tag: BlackTech

Around May 2022, JPCERT/CC confirmed attack activity against Japanese organizations that exploited the F5 BIG-IP vulnerability CVE-2022-1388. The targeted organizations confirmed that data on their BIG-IP devices had been compromised. We assess that this activity is related to the BlackTech attack group. This article describes the attack activity that exploited the BIG-IP vulnerability.

Attack code that exploits the BIG-IP vulnerability

Figure 1 shows part of the attack code used in the attack. This attack tool enables attackers to execute arbitrary commands on BIG-IP.

Figure 1: A part of the confirmed code that exploits the BIG-IP vulnerability

The grayed-out part of Figure 1 shows that the IP addresses of multiple BIG-IP devices in Japan were listed in the attack code, and that these were the targets of the attack. The attack code was found on the server used by the attacker, together with malware used by BlackTech such as TSCookie and Bifrose.

Figure 2: Server where the attack code was installed

In addition to known malware, new, previously unidentified malware was discovered on this server. It is described in the following section.

Hipid

This malware targets Linux, and two variants have been identified: one built for ARM and the other for x64. It is unclear what type of device it was created to run on, but it is possibly intended for IoT devices.
Figure 3: A part of the malware code (left: ARM variant, right: x64 variant)

The malware has a function to receive commands from the C2 server and execute arbitrary commands. Notably, it resolves host names by running the external host command rather than through a resolver function call.

Figure 4: A part of the code that executes the host command

There are also two variants in terms of how data is sent: one sends data encrypted with RC4, and the other sends it unencrypted. Some samples of the former have the unusual behavior of sending the S-Box used for the encryption to the server.

Figure 5: A part of the code that sends the S-Box data to the server

Distribution of Hipid using malicious PyPI packages

Although not directly related to the attack exploiting the BIG-IP vulnerability, JFrog has reported that malware of the same type as that described above was previously registered on PyPI as a malicious package[1]. Figure 6 shows the contents of the malicious package's setup.py. The attacker does not appear to have taken over an existing package; rather, they appear to have registered the malware on PyPI as a new package so that it could be installed with pip on systems they had already compromised.

Figure 6: Contents of setup.py

The malware itself was included in __init__.py, encoded in Base32, as shown in Figure 7. After decoding, it is installed by overwriting /usr/sbin/syslogd.

Figure 7: Base32-encoded malware

In addition, the malware uses the mount command to hide its own process, as shown in Figure 8.
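Returning to the RC4 variant of Hipid described above, the samples that send their S-Box to the server deserve a closer look, because the S-Box is not a harmless parameter. The following is an added example, not Hipid's code. It assumes (the article does not say) that the transmitted S-Box is the 256-byte state produced by RC4's key schedule and that the same state keys the data that follows; the wire framing (S-Box first, then ciphertext) and the key are constructed for the example. The point it makes is that RC4's keystream generator needs only the state, never the key, so whoever captures the traffic can decrypt it, and a 256-byte field that is a permutation of 0..255 is an easy thing to look for.

```python
"""RC4 as used for a C2 channel, and why transmitting the S-box defeats it.
Added example, not Hipid's code; it assumes the S-box sent to the server is
the state produced by the key schedule and that the same state keys the data
that follows, which the article does not state."""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: expand the key into the 256-entry S-box."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: list, n: int) -> bytes:
    """PRGA: produce n keystream bytes from a copy of the S-box.
    Note that the key is never used here; the state is everything."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(S: list, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR with the keystream) using a fresh PRGA run over S."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(S, len(data))))


def implant_send(key: bytes, plaintext: bytes) -> bytes:
    """What a Hipid-style sample that leaks its S-box would put on the wire under
    this example's constructed framing: the 256-byte S-box, then the RC4 ciphertext."""
    S = rc4_ksa(key)
    return bytes(S) + rc4_crypt(S, plaintext)


def observer_decrypt(wire: bytes) -> bytes:
    """A passive observer needs no key: the leaked S-box is the expanded key."""
    S, ciphertext = list(wire[:256]), wire[256:]
    return rc4_crypt(S, ciphertext)


def looks_like_rc4_state(blob: bytes) -> bool:
    """Network-side check: a 256-byte field that is a permutation of 0..255 is
    almost certainly an RC4 S-box (random bytes form a permutation with
    probability 256!/256**256, which is negligible)."""
    return len(blob) == 256 and sorted(blob) == list(range(256))


if __name__ == "__main__":
    wire = implant_send(b"constructed-key", b"uname -a\n")
    print(looks_like_rc4_state(wire[:256]), observer_decrypt(wire))
```

If a real sample keeps one running PRGA state across messages instead of restarting it per message, the observer must start decrypting from the point at which the S-Box was captured and keep the state in step from there; the conclusion that the key is unnecessary does not change.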
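For the mount-based process hiding just described, the following is an added example of how to find such a process on a host; it is not Hipid's code. It assumes the classic form of the technique, mounting a filesystem (a bind mount or a tmpfs) over the process's own /proc/<pid> directory so that ps, top and anything else that reads /proc/<pid>/stat skip the process; the article confirms only that the mount command is used. The /proc/mounts text below is constructed.

```python
"""Detect processes hidden by mounting over their /proc/<pid> directory.
Added example, not Hipid's code. Assumes the classic technique of mounting
something over /proc/<pid>; the sample /proc/mounts text is constructed."""
import os
import re

# Constructed /proc/mounts content: two hidden pids among normal mounts.
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sda1 /proc/1337 ext4 rw,relatime 0 0
tmpfs /proc/2222 tmpfs rw,relatime 0 0
/dev/sda1 /mnt/with\\040space ext4 rw,relatime 0 0
"""

_PROC_PID = re.compile(r"^/proc/(\d+)$")


def unescape_mount_field(field: str) -> str:
    """/proc/mounts escapes space, tab, newline and backslash as octal (\\040 etc.)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def hidden_pids_from_mounts(mounts_text: str) -> list:
    """Return pids whose /proc/<pid> directory has a filesystem mounted over it.
    Works on any /proc/mounts text, so it can be run on a forensic copy too."""
    pids = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mount_point = unescape_mount_field(fields[1])
        m = _PROC_PID.match(mount_point)
        if m:
            pids.append(int(m.group(1)))
    return pids


def confirm_hidden(pid: int) -> bool:
    """Live check: the kernel still knows the pid (signal 0 succeeds or is
    refused with EPERM) while /proc/<pid>/stat is not visible through the mount."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False      # stale mount, the process is gone
    except PermissionError:
        pass              # process exists but belongs to another user
    return not os.path.exists(f"/proc/{pid}/stat")


def scan_live(mounts_path: str = "/proc/mounts") -> list:
    """Run on the live host: (pid, confirmed) for every mount over /proc/<pid>."""
    with open(mounts_path) as fh:
        candidates = hidden_pids_from_mounts(fh.read())
    return [(pid, confirm_hidden(pid)) for pid in candidates]


if __name__ == "__main__":
    print("sample:", hidden_pids_from_mounts(SAMPLE_PROC_MOUNTS))
    if os.path.exists("/proc/mounts"):
        print("live:", scan_live())
```

Once a candidate is confirmed, umount /proc/<pid> restores the real entries so the process can be examined normally; a bind mount of a directory that carries a fake stat file would defeat the second check, which is why the mount table itself, not the visibility of stat, is the primary indicator.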
Figure 8: Process hiding using the mount command

In closing

The incident described in this report is now under control and no longer affects many environments. In recent years, BlackTech has been observed in a number of cases exploiting vulnerabilities in externally accessible systems. In the case described here, the vulnerability was exploited shortly after it was disclosed, so patch management continues to be important.

Shusei Tomonaga (Translated by Takumi Nakano)

Acknowledgments

We would like to thank Shachar Menashe of JFrog for his assistance with this study.

References

[1] JFrog: JFrog Discloses 3 Remote Access Trojans in PyPI
https://jfrog.com/blog/jfrog-discloses-3-remote-access-trojans-in-pypi/

Appendix A: C2 servers
139.180.201.6
108.160.138.235
108.160.132.108
naaakkk.wikaba.com
ntstore.hosthampster.com
blog.mysecuritycamera.com
139.162.112.74

Appendix B: Malware hash values
9603b62268c2bbb06da5c99572c3dc2ec988c49c86db2abc391acf53c1cccceb
cb1a536e11ae1000c1b29233544377263732ca67cd679f3f6b20016fbd429817
3d18bb8b9a5af20ab10441c8cd40feff0aabdd3f4c669ad40111e3aa5e8c54b8

Author
朝長 秀誠 (Shusei Tomonaga)
https://twitter.com/srmish
Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BSidesLV, Black Hat USA Arsenal, Botconf, PacSec and the FIRST Conference. JSAC organizer.