{"id":49224,"date":"2022-11-09T18:53:00","date_gmt":"2022-11-09T18:53:00","guid":{"rendered":"https:\/\/www.csoonline.com\/article\/3679628\/researchers-show-techniques-for-malware-persistence-on-f5-and-citrix-load-balancers.html#tk.rss_security"},"modified":"2022-11-09T18:53:00","modified_gmt":"2022-11-09T18:53:00","slug":"researchers-show-techniques-for-malware-persistence-on-f5-and-citrix-load-balancers","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/researchers-show-techniques-for-malware-persistence-on-f5-and-citrix-load-balancers\/","title":{"rendered":"Researchers show techniques for malware persistence on F5 and Citrix load balancers"},"content":{"rendered":"
<\/div>\n

Over the past several years, hackers have targeted public-facing network devices such as routers, VPN concentrators, and load balancers to gain a foothold into corporate networks. While finding remote code execution vulnerabilities in such devices is not uncommon, incidents where attackers were able to deploy malware on them that can survive restarts or firmware upgrades have been rare and generally attributed with sophisticated APT groups.<\/p>\n

Because they use flash memory that degrades over time if subjected to many write operations, embedded network devices typically store their firmware in read-only filesystems and load their contents into RAM at each restart. This means that all changes and files generated by the various running services during the device\u2019s normal operation are temporary because they only occur in RAM and are never saved to the file system, which is restored to its initial state when the device is restarted reboot.<\/p>\n

The exceptions are configuration files and scripts that are generated through the device administrative interface and are stored in a limited area of storage known as NVRAM (non-volatile RAM). From an attacker’s perspective, this limitation makes compromising networking devices in a persistent way much harder, which is why mass attacks against home routers, for example, involve automated botnets that periodically rescan and reinfect routers that have been restarted.<\/p>\n

However, in a targeted attack scenario against enterprise networks, attackers would prefer to remain stealthy and not attack the same device multiple times so they don\u2019t trigger any detections that might be put in place after a vulnerability becomes public. They would also prefer to have long-term access to such devices and use them as bridges into the internal networks, as well as pivot points from where they could perform lateral movement and expand their access to other non-public devices.<\/p>\n

Persistence opportunities in Citrix, F5 load balancers<\/h2>\n

Since 2019, there have been three critical vulnerabilities in Citrix and F5 load balancers (CVE-2019-19781<\/a>, CVE-2020-5902<\/a> and CVE-2022-1388<\/a>) that have been publicly documented and exploited in the wild, triggering warnings<\/a> from the US Cybersecurity and Infrastructure Security Agency (CISA) and other organizations. Because of this, researchers from firmware security firm Eclypsium recently investigated the persistence opportunities attackers would have on such devices. Their findings were released in a report<\/a> Wednesday.<\/p>\n

In May 2022, security firm Mandiant reported<\/a> that a cyberespionage threat actor \u2013 identified at the time as UNC3524 but since correlated with the Russian state-run APT29 (Cozy Bear) \u2013 compromised enterprise networks and remained undetected for long periods of time due to deploying backdoor implants on network appliances including load balancers that don\u2019t support running detection tools such as endpoint detection and response (EDR) on them and run older versions of CentOS and BSD. While Mandiant didn\u2019t name the appliances or their manufacturers, the Eclypsium researchers believe they were F5 and Citrix appliances, since F5 load balancers run CentOS and Citrix (formerly branded as Netscaler) runs FreeBSD.<\/p>\n