[CDP-development] CISA and MS-ISAC Publish Joint Cybersecurity Advisory on Threat Actors Exploiting F5 BIG-IP (CVE-2022-1388)
Masse, Theresa
theresa.masse at cisa.dhs.gov
Wed May 18 06:24:53 PDT 2022
FYSA
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing a joint Cybersecurity Advisory (CSA) <https://go.usa.gov/xuzMa> in response to active exploitation of CVE-2022-1388. This recently disclosed vulnerability in certain versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses.
Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC assess that unpatched F5 BIG-IP devices are an attractive target and that organizations that have not applied the patch are vulnerable to actors taking control of their systems.
According to public reporting, there is active exploitation of this vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks.
To mitigate this threat, CISA and MS-ISAC recommend organizations upgrade F5 BIG-IP software to fixed versions. Additionally, organizations using versions 12.1.x and 11.6.x should upgrade to supported versions. If unable to immediately patch, organizations should implement F5's temporary workarounds outlined in the joint advisory. Other actions administrators can take include not exposing management interfaces to the internet, enforcing multi-factor authentication (MFA), and considering the use of CISA's Cyber Hygiene Services.
If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA, Threat Actors Exploiting F5 BIG-IP (CVE-2022-1388), such as:
* quarantine or take offline potentially affected hosts,
* reimage compromised hosts,
* provision new account credentials,
* limit access to the management interface, and
* collect and review artifacts.
Organizations are encouraged to review the advisory for complete details. Organizations are also reminded to report the compromise or any anomalous activity to CISA via CISA's 24/7 Operations Center (report at cisa.gov or 888-282-0870). State, local, tribal, or territorial (SLTT) government entities can also report to MS-ISAC (SOC at cisecurity.org or 866-787-4722).
Your support to amplify this advisory through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration.
Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov