More information has come to light on the cyberattack disclosed on Wednesday by security and application delivery solutions provider F5.
F5 blamed the attack on an unspecified nation-state threat actor. Immediately after the news broke, SecurityWeek reported that the attack profile points to China as the potential threat actor.
Chinese hackers are known to target BIG-IP appliances. In addition, Google reported recently that Chinese cyberspies had targeted SaaS and technology companies in an effort to obtain valuable data, including source code that could be analyzed in search for zero-day vulnerabilities. The attack involved a piece of malware named Brickstorm.
Although it has not publicly said so, F5 also believes China is behind the attack, according to a report by Bloomberg. The publication also reported that F5 has been providing customers a threat hunting guide focusing on the Brickstorm malware.
F5 customers have been told that the hackers dwelled in the company’s network for at least 12 months, which is in line with Google’s recent Brickstorm report, which stated that the Chinese cyberspies had lurked in victims’ networks, on average, for nearly 400 days.
Google Threat Intelligence Group and Mandiant linked the Brickstorm attack to a threat actor tracked as UNC5221.
Mandiant and CrowdStrike have been called in to assist F5 with investigating the incident and securing its systems.
F5 said the hackers, whose presence was discovered on its systems on August 9, had accessed and exfiltrated some files, including source code of its BIG-IP flagship platform and information on undisclosed vulnerabilities.
The vendor said it’s not aware of any undisclosed critical or remote code execution vulnerabilities that could be exploited by the attacker, and there is no evidence that non-public flaws have been exploited in attacks.
However, the company recently announced rotating its signing certificates and keys used to cryptographically sign BIG-IP products. In addition, F5 announced on Wednesday the availability of patches for a big batch of vulnerabilities affecting BIG-IP and other products.
More than two dozen of the patched vulnerabilities have been assigned a ‘high severity’ rating. They can be exploited to bypass security mechanisms, escalate privileges, and cause a denial of service (DoS) condition.
A vast majority of the flaws can be exploited for DoS attacks and only these types of vulnerabilities can be exploited remotely without authentication, while the rest require authentication and in some cases elevated privileges.
F5 said the attackers also stole files from an engineering knowledge management platform, which included configuration or implementation data for a small percentage of customers.
However, the company has not found evidence of supply chain tampering, including source code or build/release pipeline modifications. In addition, there is no indication of data theft from other systems.
“We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment, nor do we have evidence they accessed or modified our F5 Distributed Cloud Services or Silverline systems,” F5 said.
Nevertheless, the incident could pose a risk to organizations using F5 products. Cybersecurity agencies in the United States and the United Kingdom have issued alerts to warn government and other organizations about the potential threat.
In the US, CISA warned that the theft of source code and vulnerability information “poses an imminent threat to federal networks using F5 devices and software”.
The agency issued an emergency directive instructing government organizations to inventory BIG-IP hardware and software, install available patches as soon as possible (no later than October 31), harden internet-facing appliances, and disconnect devices that have reached end of support. In addition, some agencies may be notified by CISA of a BIG-IP cookie leakage vulnerability.
“The threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software,” CISA said. “The threat actor’s access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities as well as the ability to develop targeted exploits.”
The UK’s National Cyber Security Centre (NCSC) issued similar recommendations, noting, “Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and API keys, move laterally within an organisation’s network, exfiltrate data, and establish persistent system access.”
Related: Harvard Is First Confirmed Victim of Oracle EBS Zero-Day Hack
Related: High-Severity Vulnerabilities Patched by Fortinet and Ivanti
