{"id":5400,"date":"2025-10-15T20:16:23","date_gmt":"2025-10-15T20:16:23","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5400"},"modified":"2025-10-15T20:16:23","modified_gmt":"2025-10-15T20:16:23","slug":"source-code-and-vulnerability-info-stolen-from-f5-networks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5400","title":{"rendered":"Source code and vulnerability info stolen from F5 Networks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CSOs with equipment from F5 Networks in their environment should patch their devices immediately and be alert for suspicious activity after <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1048695\/000104869525000149\/ffiv-20251015.htm\" target=\"_blank\" rel=\"noopener\">the company acknowledged in a regulatory filing today<\/a> that an unnamed threat actor stole some source code for its BIG-IP products earlier this year, as well as information on undisclosed vulnerabilities and device configuration data for a \u201csmall percentage of customers.\u201d<\/p>\n<p>In response to the disclosure, the US Cybersecurity and Infrastructure Security Agency (CISA) <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/ed-26-01-mitigate-vulnerabilities-f5-devices\" target=\"_blank\" rel=\"noopener\">today directed <\/a>federal civilian agencies to evaluate whether their BIG-IP devices are accessible from the public internet, and to apply updates from F5. \u00a0<\/p>\n<p>\u201cThis cyber threat actor presents an imminent threat to federal networks using F5 devices and software,\u201d says the CISA warning. 
\u201cSuccessful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization\u2019s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems.\u201d<\/p>\n<p><a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000154696\" target=\"_blank\" rel=\"noopener\">F5 has released updates<\/a> for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. \u201cWe strongly advise updating to these new releases as soon as possible,\u201d the company said.<\/p>\n<p>F5, which is known for its application delivery and security products, including web gateways and access control management, turned down an interview request for more details, instead referring a reporter to <a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000154696\" target=\"_blank\" rel=\"noopener\">its statement<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">What was taken<\/h2>\n<p>In the statement, F5 said the threat actor exfiltrated files from the BIG-IP product development environment and engineering knowledge management platforms. \u201cThese files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP. We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities.\u201d<\/p>\n<p>So far, it said, there is no evidence of access to, or exfiltration of, data from F5\u2019s customer relationship management, financial, support case management, or iHealth systems.<\/p>\n<p>\u201cHowever,\u201d the statement added, \u201csome of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers. 
We are currently reviewing these files and will be communicating with affected customers directly as appropriate.\u201d<\/p>\n<p>It continued, \u201cWe have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by cybersecurity research firms NCC Group and IOActive. There is no evidence the threat actor accessed or modified the NGINX source code or product development environment. NGINX is an open source web server for reverse proxy, load balancing and caching. Nor is there evidence they accessed or modified the F5 Distributed Cloud Services or Silverline systems.\u201d<\/p>\n<p>F5 attributes the attack to a \u201chighly sophisticated nation-state threat actor.\u201d It did not reveal how long the hacker was active in its environment.<\/p>\n<p>As to why the revelation of the attack is coming out today, in its <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1048695\/000104869525000149\/ffiv-20251015.htm\" target=\"_blank\" rel=\"noopener\">disclosure to the U.S. Securities and Exchange Commission<\/a>, F5 said that on September 12, the US Justice Department determined a delay in public disclosure was warranted. 
Critical network devices like firewalls, web gateways, email gateways and similar devices have long been targets for threat actors as entry points to IT networks, as illustrated by the recent disclosure by SonicWall that <a href=\"https:\/\/www.csoonline.com\/article\/4072194\/sonicwall-vpns-face-a-breach-of-their-own-after-the-september-cloud-backup-fallout.html\" target=\"_blank\" rel=\"noopener\">data from its MySonicWall cloud backup platform had been compromised<\/a>, and last month\u2019s <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices\" target=\"_blank\" rel=\"noopener\">CISA warning<\/a> that threat actors were targeting Cisco Systems\u2019 Adaptive Security Appliances (ASA) by exploiting zero-day vulnerabilities.<\/p>\n<h2 class=\"wp-block-heading\">F5 mitigations<\/h2>\n<p>IT and security leaders should make sure F5 servers, software, and clients have the latest patches. In addition, F5 has added automated hardening checks to the F5 iHealth Diagnostics Tool, and also suggests admins refer to its threat hunting guide to strengthen monitoring, and its best practices guides for hardening F5 systems.<\/p>\n<p>As a result of the attack, F5 said it has rotated credentials and strengthened access controls across its systems; deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats; implemented enhancements to its network security architecture and hardened its product development environment, including strengthening security controls and monitoring of all software development platforms.<\/p>\n<p>F5 will also provide all supported customers with a free subscription to CrowdStrike\u2019s Falcon EDR endpoint protection service.<\/p>\n<h2 class=\"wp-block-heading\">Stolen info could feed future attacks<\/h2>\n<p>\u201cBased on the currently disclosed information about the scope 
of the incident and stolen data, there is no reason to panic,\u201d commented <a href=\"https:\/\/www.immuniweb.com\/company\/leadership\/ilia-kolochenko\/\" target=\"_blank\" rel=\"noopener\">Ilia Kolochenko<\/a>, CEO of ImmuniWeb, in a statement. \u201cHaving said this, stolen source code can greatly simplify vulnerability research by the cybercriminals behind the breach and facilitate detection of 0day vulnerabilities in the affected F5 products, which may be exploited in subsequent APT attacks. Likewise, the reportedly small percentage of customers whose technical information was compromised should urgently assess their risks and continue working with F5 to better understand the impact of the incident.\u201d<\/p>\n<p>This attack is another reminder that the modern attack surface extends deep into the software development lifecycle, <a href=\"https:\/\/www.linkedin.com\/in\/will-baxter-1b350611\/\" target=\"_blank\" rel=\"noopener\">Will Baxter<\/a>, field CISO at Team Cymru, said in a statement. \u201cThreat groups targeting source code repositories and build environments are seeking long-term intelligence value\u2014understanding how security controls operate from the inside,\u201d he said. \u201cVisibility into outbound connections, threat actor command-and-control infrastructure, and unusual data exfiltration patterns is key to identifying this activity early. Combining external threat intelligence with internal telemetry gives defenders the context needed to detect and contain these advanced intrusions.\u201d<\/p>\n<p>This wasn\u2019t an opportunistic exploitation, he added. \u201cIt was about gaining insight into code and vulnerabilities before disclosure. State-sponsored groups increasingly view source repositories and engineering systems as strategic intelligence targets. Early detection depends on monitoring outbound connections, command-and-control traffic, and unusual data flows from developer and build environments. 
Combining external threat intelligence with internal telemetry gives defenders the context to identify and contain these campaigns before the stolen code is turned into zero-days.\u201d<\/p>\n<p>The F5 incident is serious due to the attacker\u2019s extended access to the systems,\u00a0<a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, told <em>CSO<\/em> <em>Online<\/em>. \u201cAccording to the statements made by F5, the amount of customer data leaked is very limited,\u201d he noted. \u201cHowever, it is not clear yet how far F5 is in their incident response, and how certain they are that they have accurately identified the attacker\u2019s impact. Having lost source code and information about unpatched vulnerabilities could lead to an increase in attacks against F5 systems in the near future. Follow F5\u2019s hardening advice and, just as a measure of caution, review and possibly change credentials.\u201d<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CSOs with equipment from F5 Networks in their environment should patch their devices immediately and be alert for suspicious activity after the company acknowledged in a regulatory filing today that an unnamed threat actor stole some source code for its BIG-IP products earlier this year, as well as information on undisclosed vulnerabilities and device configuration 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5401,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5400","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5400"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5400"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5400\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5401"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}