Thousands of networks, some of which are operated by the U.S. government and Fortune 500 companies, face an “imminent threat” of being breached by a nation-state hacking group following the breach of a major software maker, the federal government warned Wednesday.
F5, a Seattle-based networking software maker, disclosed the flaw on Wednesday. F5 said a “sophisticated” threat group working for the government of an undisclosed nation-state had surreptitiously and persistently resided in its network on a “long-term” basis. Security researchers who responded to similar intrusions in the past interpreted this language to mean that the hackers had been present in the F5 network for years.
Unprecedented
Meanwhile, F5 said, hackers took control of the network segment the company uses to create and distribute updates for BIG-IP, a line of server appliances that F5 said is used by 48 of the world’s 50 largest companies. Wednesday’s disclosure added that the threat group downloaded proprietary BIG-IP source code and information on vulnerabilities that had been privately discovered but had not yet been patched. The hackers also obtained configuration settings that some customers were using within their networks.
Control of the build system and access to source code, client configurations, and documentation of unpatched vulnerabilities have the potential to give hackers unprecedented knowledge of weaknesses and the ability to exploit them in supply chain attacks on thousands of networks, many of them sensitive. Theft of client configurations and other data further increases the risk of misuse of sensitive credentials, F5 and external security experts said.
Customers position BIG-IP at the edge of their networks for use as a load balancer and firewall, as well as for inspection and encryption of data entering and exiting networks. Given BIG-IP’s position on the network and its role in managing web server traffic, previous compromises have allowed adversaries to extend their access to other parts of an infected network.
F5 said investigations by two outside incident response firms have yet to find evidence of supply chain attacks. The company attached letters from IOActive and NCC Group attesting that analyses of the source code and build pipeline revealed no signs that a “threat actor has modified or introduced vulnerabilities into the affected elements.” The companies also said they had not identified any evidence of critical vulnerabilities in the system. Investigators, who also included Mandiant and CrowdStrike, found no evidence that data from F5’s CRM, financial, support case management or health systems was accessed.
The company has released updates for its BIG-IP, F5OS, BIG-IQ and APM products. CVE designations and other details are here. Two days ago, F5 rotated BIG-IP signing certificates, although there was no immediate confirmation that the move was a response to the breach.