The FBI has issued a warning that Iranian-linked hackers are exploiting a critical vulnerability in F5 Networks’ BIG-IP devices to target both U.S. government and private-sector networks.
While the FBI’s advisory did not identify a specific threat actor by name, reporting from ZDNet indicates security researchers track the activity under names such as Fox Kitten or Parasite. The alert points to exploitation of CVE-2020-5902, a remote code execution vulnerability in BIG-IP products that was disclosed in July.
BIG-IP appliances are widely deployed in data centers and cloud environments to provide load balancing, application delivery, and security services. Because of their broad use and elevated network privileges, successful exploitation of CVE-2020-5902 can allow attackers to execute arbitrary commands or deploy malicious payloads across affected environments. Recent sightings show attackers incorporating this vulnerability into Mirai-style DDoS botnets, increasing the potential for disruptive attacks.
Geopolitical tensions between Washington and Tehran have risen over the past year, and cyber operations have become an increasingly visible front in that rivalry. The confrontation has also played out in more conventional displays of force: Iran recently simulated a U.S. aircraft carrier for target practice in a widely publicized demonstration that ended with the mock vessel’s accidental sinking.
Cyber conflict is now a primary domain of modern confrontation, and many experts argue that the strategic risks posed by cyber warfare rival other major global threats. Although Iranian cyber campaigns are often assessed as less technically advanced than those attributed to China or Russia, they remain persistent and capable of causing significant disruption.
In February, ClearSky released a report documenting a multi-year Iranian offensive campaign it labeled “Fox Kitten.” The report links the campaign to a range of intrusions against organizations primarily in the United States and Israel and highlights several commonly exploited vulnerabilities that enabled the operation.
ClearSky identified four primary vulnerabilities that Fox Kitten actors leveraged:
- Pulse Secure “Connect” enterprise VPNs — CVE-2019-11510
- Fortinet FortiOS VPN servers — CVE-2018-13379
- Palo Alto Networks GlobalProtect VPN — CVE-2019-1579
- Citrix ADC and Citrix Gateway appliances — CVE-2019-19781
The researchers called Fox Kitten one of Iran’s most persistent and comprehensive campaigns disclosed to date. They assessed a medium probability that multiple state-sponsored groups may be coordinating or sharing infrastructure to conduct these operations.
Security analysts point to the selection of targets—critical network infrastructure, remote access services, and enterprise gateways—as an indicator of state-directed objectives: these intrusions appear intended to disrupt operations, gather intelligence, or establish long-term access rather than to generate direct financial gain.
(Image Credit: FBI by Dave Newman under CC BY 2.0)
Note: Organizations using F5 BIG-IP devices, or the VPN and gateway products listed above, should prioritize patching known vulnerabilities, apply mitigations recommended by vendors and law enforcement, and review logs and network telemetry to detect potential indicators of compromise.