CSOs with equipment from F5 Networks in their environment should patch their devices immediately and be alert for suspicious activity after the company acknowledged in a regulatory filing today that an unnamed threat actor stole some source code for its BIG-IP products earlier this year, as well as information on undisclosed vulnerabilities and device configuration data for a “small percentage of customers.”
In response to the disclosure, the US Cybersecurity and Infrastructure Security Agency (CISA) today directed federal civilian agencies to evaluate whether their BIG-IP devices are accessible from the public internet, and to apply updates from F5.
“This cyber threat actor presents an imminent threat to federal networks using F5 devices and software,” says the CISA warning. “Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems.”
F5 has released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. “We strongly advise updating to these new releases as soon as possible,” the company said.
F5, which is known for its application delivery and security products, including web gateways and access control management, turned down an interview request for more details, instead referring a reporter to its statement.
What was taken
In the statement, F5 said the threat actor exfiltrated files from the BIG-IP product development environment and engineering knowledge management platforms. “These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP. We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.”
So far, it said, there is no evidence of access to, or exfiltration of, data from F5’s customer relationship management, financial, support case management, or iHealth systems.
“However,” the statement added, “some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers. We are currently reviewing these files and will be communicating with affected customers directly as appropriate.”
It continued, “We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by cybersecurity research firms NCC Group and IOActive. There is no evidence the threat actor accessed or modified the NGINX source code or product development environment [NGINX is an open source web server used for reverse proxying, load balancing and caching], nor is there evidence they accessed or modified the F5 Distributed Cloud Services or Silverline systems.”
F5 attributes the attack to a “highly sophisticated nation-state threat actor.” It did not reveal how long the hacker was active in its environment.
As to why the attack is only being revealed today, F5 said in its disclosure to the U.S. Securities and Exchange Commission that on September 12 the US Justice Department determined a delay in public disclosure was warranted.
Critical network devices like firewalls, web gateways, email gateways and similar devices have long been targets for threat actors as entry points to IT networks, as illustrated by the recent disclosure by SonicWall that data from its MySonicWall cloud backup platform had been compromised, and last month’s CISA warning that threat actors were targeting Cisco Systems’ Adaptive Security Appliances (ASA) by exploiting zero-day vulnerabilities.
F5 mitigations
IT and security leaders should make sure F5 servers, software, and clients have the latest patches. In addition, F5 has added automated hardening checks to the F5 iHealth Diagnostics Tool, and also suggests admins refer to its threat hunting guide to strengthen monitoring, and its best practices guides for hardening F5 systems.
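The two checks this advice boils down to, patch level and internet exposure, are easy to automate against an inventory export. The script below is an added example, not F5 tooling: the device list is constructed, and the table of minimum fixed versions per branch is a placeholder that must be replaced with the versions in F5's own advisory. "Internet-reachable" here means an address outside the RFC 1918, loopback, link-local and CGNAT ranges; the RFC 5737 documentation range 203.0.113.0/24 is deliberately left out of that list so the sample can use it as a stand-in public address.

```python
"""Triage a BIG-IP inventory: flag devices below the fixed version for their
branch and devices with an address that looks reachable from the internet.
Added example, not F5's own tooling; the inventory and the version table are
constructed placeholders."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ranges that are not routable from the public internet. Anything outside
# them is treated as potentially internet-reachable. RFC 5737 documentation
# ranges are intentionally absent so the sample below can use them as "public".
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


@dataclass
class Device:
    name: str
    version: str                 # TMOS version string as reported by the device
    mgmt_ip: str
    self_ips: List[str] = field(default_factory=list)


def parse_version(v: str) -> Tuple[int, ...]:
    """'17.1.1' -> (17, 1, 1, 0); pads to four fields so tuples compare cleanly."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def looks_internet_reachable(ip: str) -> bool:
    """True unless the address falls in a non-routable range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def triage(devices: List[Device],
           fixed_by_branch: Dict[Tuple[int, int], str]) -> List[Tuple[str, str, str]]:
    """Return (device, finding, detail) tuples.

    fixed_by_branch maps a (major, minor) branch to the minimum version on that
    branch that carries the fix; a device on a branch with no entry is reported
    separately so nobody assumes it is covered."""
    findings: List[Tuple[str, str, str]] = []
    for d in devices:
        ver = parse_version(d.version)
        fixed = fixed_by_branch.get(ver[:2])
        if fixed is None:
            findings.append((d.name, "no-fixed-version-listed",
                             f"branch {ver[0]}.{ver[1]} not in table; check support status"))
        elif ver < parse_version(fixed):
            findings.append((d.name, "unpatched", f"{d.version} < {fixed}"))
        exposed = [ip for ip in [d.mgmt_ip, *d.self_ips] if looks_internet_reachable(ip)]
        if exposed:
            findings.append((d.name, "internet-reachable", ", ".join(exposed)))
    return findings


# Constructed sample inventory; none of these are real devices.
SAMPLE_DEVICES = [
    Device("bigip-edge-01", "17.1.1", "10.0.5.10", ["203.0.113.5", "10.20.0.4"]),
    Device("bigip-int-02", "17.1.2.2", "10.0.5.11", ["10.20.0.5"]),
    Device("bigip-old-03", "15.1.10", "172.16.9.2", ["172.16.9.3"]),
]

# Placeholder table (hypothetical values): replace with the fixed versions
# listed in F5's advisory before using this against a real inventory.
FIXED_BY_BRANCH = {(17, 1): "17.1.2.2", (16, 1): "16.1.6"}


if __name__ == "__main__":
    for name, finding, detail in triage(SAMPLE_DEVICES, FIXED_BY_BRANCH):
        print(f"{name:14} {finding:24} {detail}")
```

The point of reporting "no-fixed-version-listed" as its own finding is that the device most likely to be forgotten is the one on a branch the advisory does not mention at all; a plain "version >= fixed" comparison would silently pass it.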
As a result of the attack, F5 said it has rotated credentials and strengthened access controls across its systems; deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats; implemented enhancements to its network security architecture and hardened its product development environment, including strengthening security controls and monitoring of all software development platforms.
F5 will also provide all supported customers with a free subscription to CrowdStrike’s Falcon EDR endpoint protection service.
Stolen info could feed future attacks
“Based on the currently disclosed information about the scope of the incident and stolen data, there is no reason to panic,” commented Ilia Kolochenko, CEO of ImmuniWeb, in a statement. “Having said this, stolen source code can greatly simplify vulnerability research by the cybercriminals behind the breach and facilitate detection of 0day vulnerabilities in the affected F5 products, which may be exploited in subsequent APT attacks. Likewise, the reportedly small percentage of customers whose technical information was compromised should urgently assess their risks and continue working with F5 to better understand the impact of the incident.”
This attack is another reminder that the modern attack surface extends deep into the software development lifecycle, Will Baxter, field CISO at Team Cymru, said in a statement. “Threat groups targeting source code repositories and build environments are seeking long-term intelligence value—understanding how security controls operate from the inside,” he said. “Visibility into outbound connections, threat actor command-and-control infrastructure, and unusual data exfiltration patterns is key to identifying this activity early. Combining external threat intelligence with internal telemetry gives defenders the context needed to detect and contain these advanced intrusions.”
This wasn’t an opportunistic exploitation, he added. “It was about gaining insight into code and vulnerabilities before disclosure. State-sponsored groups increasingly view source repositories and engineering systems as strategic intelligence targets. Early detection depends on monitoring outbound connections, command-and-control traffic, and unusual data flows from developer and build environments. Combining external threat intelligence with internal telemetry gives defenders the context to identify and contain these campaigns before the stolen code is turned into zero-days.”
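The monitoring Baxter describes, outbound connections and unusual data flows from developer and build hosts, can be expressed as a small detection over flow logs. The following is an added example rather than anything from F5 or Team Cymru: the build hosts, the egress allowlist (internal 10.0.0.0/8 plus a hypothetical external package mirror on 192.0.2.0/24), the volume threshold and the log lines are all constructed. It raises one alert the first time a build host talks to a destination outside the allowlist, and a second kind of alert when the outbound volume to any single destination exceeds the threshold, regardless of whether that destination is allowlisted.

```python
"""Flag unexpected outbound connections from build/developer hosts in
constructed flow-log lines: destinations outside an egress allowlist, and
per-destination outbound volume above a threshold. Added example; the hosts,
allowlist, threshold and log lines are invented."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

LOG_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)"
)

# Hypothetical build hosts and the only egress destinations they should need.
BUILD_HOSTS = {"10.10.8.21", "10.10.8.22"}
EGRESS_ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",     # internal: git, artifact store, CI controller
    "192.0.2.0/24",   # hypothetical external package mirror
)]
VOLUME_THRESHOLD = 50_000_000  # bytes out to a single destination before alerting


def is_allowed(dst: str, allowlist=EGRESS_ALLOWLIST) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowlist)


def detect(lines: Iterable[str], build_hosts: Set[str] = BUILD_HOSTS,
           allowlist=EGRESS_ALLOWLIST, threshold: int = VOLUME_THRESHOLD) -> List[Dict]:
    """Return alert dicts. Non-allowlisted destinations are reported once per
    (src, dst) pair at first sight; volume alerts are computed after all lines
    are read so the total reflects the whole window."""
    alerts: List[Dict] = []
    reported: Set[Tuple[str, str]] = set()
    volume: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        src, dst = m["src"], m["dst"]
        if src not in build_hosts:
            continue  # only build/developer hosts are in scope here
        key = (src, dst)
        if not is_allowed(dst, allowlist) and key not in reported:
            reported.add(key)
            alerts.append({"src": src, "dst": dst, "dport": int(m["dport"]),
                           "reason": "non-allowlisted destination", "first_seen": m["ts"]})
        volume[key] += int(m["bytes"])
    for (src, dst), total in volume.items():
        if total > threshold:
            alerts.append({"src": src, "dst": dst, "bytes_out": total,
                           "reason": "outbound volume above threshold"})
    return alerts


# Constructed flow records; addresses are from documentation ranges.
SAMPLE_LINES = [
    "ts=2025-10-15T02:10:01Z src=10.10.8.21 dst=10.50.1.5 dport=443 bytes_out=12000",
    "ts=2025-10-15T02:10:09Z src=10.10.8.21 dst=192.0.2.10 dport=443 bytes_out=3000000",
    "ts=2025-10-15T02:14:07Z src=10.10.8.22 dst=203.0.113.77 dport=443 bytes_out=48000000",
    "ts=2025-10-15T02:21:33Z src=10.10.8.22 dst=203.0.113.77 dport=443 bytes_out=52000000",
    "ts=2025-10-15T02:22:40Z src=10.10.8.22 dst=203.0.113.9 dport=22 bytes_out=900",
    "ts=2025-10-15T02:25:00Z src=10.10.9.5 dst=203.0.113.77 dport=443 bytes_out=70000000",
    "this line is not a flow record and is skipped",
]


if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(a)
```

Two design choices matter here. Volume is summed per destination across the window rather than judged per record, because an exfiltration split into many modest transfers is exactly what a per-record threshold misses. And the volume check runs for allowlisted destinations too: a package mirror is a legitimate place to fetch from, but not a place a build host should be pushing tens of megabytes to.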
The F5 incident is serious due to the attacker’s extended access to the systems, Johannes Ullrich, dean of research at the SANS Institute, told CSO Online. “According to the statements made by F5, the amount of customer data leaked is very limited,” he noted. “However, it is not clear yet how far F5 is in their incident response, and how certain they are that they have accurately identified the attacker’s impact. Having lost source code and information about unpatched vulnerabilities could lead to an increase in attacks against F5 systems in the near future. Follow F5’s hardening advice and, just as a measure of caution, review and possibly change credentials.”