Malware or malicious code has been around for over 40 years now, but its use to obtain control of a group of Internet-connected systems in something called a ‘botnet’ is a relatively new phenomenon. Botnets have been behind some of the most costly security incidents of the last 10 years and, consequently, companies around the world are going to great lengths to counter this threat.
An example of this type of threat is Mirai, the botnet responsible for one of the largest distributed denial of service (DDoS) attacks ever seen, which affected leading names such as Twitter, Netflix, Spotify and PayPal. This malware infected and lay dormant in thousands of IoT devices before its creators activated it on October 21, 2016, to attack the DNS service provider Dyn. The company’s services and those of its customers were down or interrupted for several hours.
It initially seemed that the scope of Mirai attacks was limited to IoT devices, but this theory was dismissed when further cases were detected. Cybercriminals had begun to use Mirai to open a new flank: attacks on devices running Linux. Mirai botnets are now trying to exploit a critical RCE flaw in F5’s BIG-IP software.
The latest Mirai target: BIG-IP devices
BIG-IP devices are used on government networks and by Internet service providers (ISPs), as well as by banks around the world and on many business networks, including 48 companies in the Fortune 50.
The CVE-2020-5902 vulnerability could allow an adversary, even an unauthenticated one, with access to the TMUI (the configuration utility) through the BIG-IP management port and/or Self IPs to run arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code, which could completely compromise the system.
According to results from Shodan, the current number of devices vulnerable to CVE-2020-5902 exceeds 8,400, mostly in the USA and China. In fact, given the severity of the vulnerability and its potential impact, the U.S. Cyber Command repeated the warning issued by the company and called for organizations to install the corresponding patch as soon as possible.
A downloader for the Mirai botnet, which can be bundled into new malware strains, scans for vulnerable BIG-IPs and attacks them using CVE-2020-5902. CVE-2020-5902 is a remote code execution (RCE) vulnerability in the Traffic Management User Interface (TMUI) of BIG-IP devices. To exploit it, an attacker only needs to be able to send HTTP requests to the server hosting the TMUI that manages the BIG-IP settings. According to researchers, a successful exploit of this security issue could lead to the system being completely compromised and expose the internal network.
To protect against this type of cyberattack, businesses should take adequate measures to ensure the security of their digital resources:
- Control over network usage and the devices that connect to the network is an important measure. Round-the-clock monitoring of network activity should be something that all companies keep in mind. This can be achieved with data collection tools, such as Panda Adaptive Defense, that detect anomalous behavior and block attempts to infiltrate systems. Having visibility of everything that happens on devices makes it possible to reduce attack vectors.
- Ensure systems are fully up-to-date with patches and updates, as many threats exploit existing vulnerabilities. To help prioritize, manage, and deploy patches, Panda offers Panda Patch Management. This module of Panda Adaptive Defense, which requires no additional deployments by customers, not only manages operating system patches and updates, but also those of third-party applications.
- Take care with email. Employees’ email accounts are a common point of entry when an attacker tries to use a single individual to infect other colleagues. That’s why all staff should be on the alert for anything suspicious (even emails that seem to come from the boss could be dangerous) and never download any attachment that gives cause for concern about its content or source.
- Be wary of downloads: Internet downloads are a typical infection vector for malware. Be careful in this regard and download only legitimate software from official sites. Take special care with P2P downloads, as they are often associated with such attacks.
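The flaw above is only reachable by whoever can send HTTP requests to the TMUI, and the monitoring advice above is about noticing when that surface is exposed. As an added example that is not part of this post or of any F5 or Panda product, the following script parses constructed web-server access log lines from a BIG-IP and flags requests to the configuration utility (served under the /tmui/ path prefix) that arrive from outside an assumed management network (the 10.0.100.0/24 range is a placeholder).

```python
import ipaddress
import re

# Assumption (hypothetical): the management plane is only ever reached from
# this administrative range; anything else reaching the TMUI is worth a look.
MGMT_NETWORKS = [ipaddress.ip_network("10.0.100.0/24")]

# URL prefix under which the BIG-IP configuration utility (TMUI) is served.
TMUI_PREFIX = "/tmui/"

# Common/combined log format: client, identity, user, [timestamp],
# "METHOD PATH PROTOCOL", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a well-formed access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_management_client(ip_text):
    """True if the client address falls inside one of the allowed management networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(ip in net for net in MGMT_NETWORKS)


def find_exposed_tmui_access(lines):
    """Requests that hit the configuration utility from outside the management networks."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(TMUI_PREFIX):
            continue
        if not is_management_client(rec["client"]):
            findings.append(rec)
    return findings


# Constructed sample lines, not real traffic: one legitimate admin login,
# one TMUI request from a public address, one unrelated request, one junk line.
SAMPLE_LOG = [
    '10.0.100.7 - - [06/Jul/2020:09:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4213',
    '203.0.113.45 - - [06/Jul/2020:09:13:44 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4213',
    '198.51.100.9 - - [06/Jul/2020:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    'garbage line',
]

if __name__ == "__main__":
    for f in find_exposed_tmui_access(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['method']} {f['path']} -> {f['status']}")
```

Any hit means the configuration utility answered a client that should never have been able to reach it, which is the condition that makes CVE-2020-5902 exploitable and the first thing to fix alongside patching.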
And if there is one thing that characterizes botnet attacks it is their stealth, so prevention and countermeasures must also be proactive, monitoring all processes on a company’s systems to ensure all-round business cybersecurity.