Top Middle East Cyber Threat- 19 August 2019


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cyber security threat our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
1) Big Flaw in Big-IP Load Balancers
An F-Secure researcher recently discovered a security flaw in F5 Networks’ BIG-IP load balancer. Certain coding practices allow attackers to inject arbitrary Tool Command Language (Tcl) commands, which are then executed in the security context of the target Tcl script.
Attackers who successfully exploit this vulnerability can use the compromised load balancing device to launch further attacks, putting the target organization at risk of a data breach. As more than 300,000 organizations use BIG-IP, the scope of this attack is large.
Attack Description:
The security issue is present in the iRule feature, whose scripts are written in the Tool Command Language.
A successful exploit can misuse the compromised BIG-IP device, allowing the attacker to use it as a beachhead to launch more attacks. This includes stealing data from the organization, intercepting and manipulating web traffic to expose sensitive information, and attacking individuals attempting to use services provided by the compromised BIG-IP device. Furthermore, attackers could cover their tracks and eliminate any evidence that an attack took place on the device by deleting logs that contain evidence of post-exploit activity.
To address this, you can use either of the following methods to verify whether your device is affected by the attack:
Method 1:

  1. Generate a qkview and upload it to https://ihealth.f5.com.
  2. Under Diagnostics, set Importance to critical, high, medium and low, and set Status to issues found and pass.

If your device is not affected, the corresponding check is reported as passed.
Method 2:
The following command can be run on the BIG-IP iHealth Diagnostic Tool:
# tmsh load sys config verify
Example:
/Common/irule_PROXY:26: warning: [use curly braces to avoid double substitution][[string length ${servername}]]
More details are available in the following F5 article: https://support.f5.com/csp/article/K57410758
Recommendations
Below are a few recommendations for detecting and defending against iRule injection:

  • Create an inventory of active iRule scripts and establish a version control repository for each script and its dependencies.
  • Convert the scripts to pure Tcl and run tclscan.tcl to find easy-to-detect vulnerabilities (download the code at https://github.com/kugg/tclscan).
  • Run iruledetector.py in Burp Suite to test whether any user action can lead to iRule injection.
  • Test the logic of each iRule script.

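The warning that `tmsh load sys config verify` prints above, and the tclscan recommendation, both come down to the same check: an `expr`, `if`, `elseif` or `while` whose argument is not enclosed in curly braces is substituted once by the Tcl parser and then parsed a second time as an expression, so any `[...]` or `$var` text that arrives inside a substituted value (an HTTP header, for instance) is evaluated as Tcl. The scanner below is an added example written for this article; it is not tclscan, iruledetector.py or any F5 code, and the iRule it scans is a constructed sample, not a script from the advisory. It flags the unbraced forms and prints them in the same style as the verify output shown above.

```python
"""Flag Tcl/iRule expressions that are subject to double substitution.

Added example for this advisory (not F5's verify tool and not tclscan).
Commands that evaluate their argument as an expression re-parse it after
normal Tcl substitution; wrapping the argument in {} defers substitution
to the expression evaluator, which treats substituted values as data.
"""
import re
from typing import List, Tuple

# Commands whose first argument is evaluated as a Tcl expression.
EXPR_COMMANDS = ("expr", "if", "elseif", "while")

# A command from the list, preceded by line start, whitespace, ';', '{', '}'
# or '[', followed by whitespace and an argument that does NOT start with '{'.
UNBRACED_EXPR = re.compile(
    r"(?:^|[\s;{}\[])(?P<cmd>" + "|".join(EXPR_COMMANDS)
    + r")\s+(?!\{)(?P<rest>\S.*)$"
)

# Constructed iRule for demonstration, not an F5 or Help AG script.
SAMPLE_IRULE = """\
# constructed iRule for demonstration, not an F5 or Help AG script
when HTTP_REQUEST {
    set servername [HTTP::header "Host"]
    set debug [HTTP::header "X-Debug"]
    # unbraced: the substituted result is parsed again as an expression
    if [string length ${servername}] {
        log local0. "host: ${servername}"
    }
    # unbraced and quoted: any [...] in the header value would be evaluated
    if "$debug eq 1" {
        set retries [expr $count + 1]
    }
    # braced: expr substitutes the values itself and treats them as data
    if { [string length ${servername}] > 0 && $debug eq 1 } {
        set retries [expr {$count + 1}]
    }
}
"""


def scan_tcl(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, command, unbraced_argument) for each risky line."""
    findings = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        match = UNBRACED_EXPR.search(line)
        if match:
            findings.append((line_no, match.group("cmd"), match.group("rest")))
    return findings


def format_findings(script_name: str, findings) -> List[str]:
    """Render findings in the style of the BIG-IP verify warning."""
    return [
        f"{script_name}:{line_no}: warning: "
        f"[use curly braces to avoid double substitution][{rest}]"
        for line_no, _cmd, rest in findings
    ]


if __name__ == "__main__":
    # "/Common/demo_irule" is a placeholder script name, not a real object.
    for msg in format_findings("/Common/demo_irule", scan_tcl(SAMPLE_IRULE)):
        print(msg)
```

The scanner is deliberately line-based and conservative: it reports every unbraced expression, including forms such as `if [string length ${servername}]` that only ever yield a number, because that is the form F5's verify step flags and the safe rewrite (`if { ... }`) costs nothing. It does not follow multi-line expressions or `eval`/`subst` calls, so treat it as a first pass before the fuller tclscan run recommended above.
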
As always, at Help AG, we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.
