FYSA
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State
Information Sharing & Analysis Center (MS-ISAC) are releasing a joint
Cybersecurity Advisory (CSA) <https://go.usa.gov/xuzMa> in response to active
exploitation of CVE-2022-1388. This recently disclosed vulnerability in certain
versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to
gain control of affected systems via the management port or self-IP addresses.
Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC
assess that unpatched F5 BIG-IP devices are an attractive target and that
organizations that have not applied the patch are vulnerable to actors taking
control of their systems.
According to public reporting, there is active exploitation of this
vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of
unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or
self IPs) in both government and private sector networks.
To mitigate this threat, CISA and MS-ISAC recommend organizations upgrade F5
BIG-IP software to fixed versions. Additionally, organizations using versions
12.1.x and 11.6.x should upgrade to supported versions. If unable to
immediately patch, organizations should implement F5's temporary workarounds
outlined in the joint advisory. Other actions administrators can take include
not exposing management interfaces to the internet, enforcing multi-factor
authentication (MFA), and considering CISA's Cyber Hygiene Services.
If potential compromise is detected, organizations should apply the incident
response recommendations included in this CSA, Threat Actors Exploiting F5
BIG-IP (CVE-2022-1388), such as:
* quarantine or take offline potentially affected hosts,
* reimage compromised hosts,
* provision new account credentials,
* limit access to the management interface, and
* collect and review artifacts.
Organizations are encouraged to review the advisory for complete details.
Organizations are also reminded to report the compromise or any anomalous
activity to CISA via CISA's 24/7 Operations Center
(report@xxxxxxxx or 888-282-0870). State, local,
tribal, or territorial (SLTT) government entities can also report to MS-ISAC
(SOC@xxxxxxxxxxxxxx or 866-787-4722).
Your support to amplify this advisory through your communications and social
media channels is appreciated. And as always, thank you for your continued
collaboration.
Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse@xxxxxxxxxxxx