Thousands of customers in danger after nation-state trashes F5 network

Customers position BIG-IP at the edge of their networks for use as a load balancer and firewall, as well as for inspection and encryption of data entering and exiting networks. Given BIG-IP’s position on the network and its role in managing web server traffic, previous compromises have allowed adversaries to extend their access to other parts of an infected network.

F5 said investigations by two outside intrusion response firms have yet to find evidence of supply chain attacks. The company attached letters from IOActive and NCC Group attesting that analyses of the source code and build pipeline revealed no signs that a “threat actor has modified or introduced vulnerabilities into the affected elements.” The companies also said they had not identified any evidence of critical vulnerabilities in the system. Investigators, who also included Mandiant and CrowdStrike, found no evidence that data from its CRM, financial, support case management or health systems was accessed.

The company has released updates for its BIG-IP, F5OS, BIG-IQ and APM products. CVE designations and other details are here. Two days ago, F5 rotated BIG-IP signing certificates, although there was no immediate confirmation that the move was a response to the breach.

The US Cybersecurity and Infrastructure Security Agency has warned that federal agencies that rely on the appliance face an “imminent threat” of theft, which “poses an unacceptable risk.” The agency then ordered federal agencies under its control to take “emergency measures.” The UK’s National Cyber Security Centre has issued a similar guideline.

CISA has ordered all federal agencies it oversees to immediately take inventory of all BIG-IP devices in the networks they manage or in the networks that external vendors manage on their behalf. The agency then asked agencies to install the updates and follow a threat hunting guide that F5 also published. BIG-IP users in the private sector should do the same.

Michael Johnson
