
Why the F5 Hack Created an ‘Imminent Threat’ for Thousands of Networks

The federal government warned Wednesday that U.S. federal agencies and Fortune 500 companies face an “imminent threat” of being hacked by a nation-state hacking group after a major networking software maker disclosed a breach of its own network.

F5, a Seattle-based networking software maker, disclosed the hack on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed nation-state government had surreptitiously and persistently inhabited its network over the “long term.” Security researchers who have responded to similar intrusions in the past took the language to mean that the hackers had been inside the F5 network for years.

Unprecedented

During that period, F5 said, the hackers took control of a network segment the company uses to create and distribute updates for BIG-IP, a line of network appliances that F5 says is used by 48 of the world’s 50 largest companies. Wednesday’s disclosure went on to say that the threat group downloaded portions of BIG-IP source code and information about vulnerabilities that had been privately discovered but not yet patched. The hackers also obtained configuration settings that some customers use within their networks.

Control of the build system, access to source code and customer configurations, and documentation of unpatched vulnerabilities together have the potential to give the hackers unprecedented knowledge of weaknesses in the product and the ability to exploit them in supply-chain attacks on thousands of networks, many of them sensitive. F5 and outside security experts said the theft of customer configurations and other data increases the risk of sensitive credentials being misused.
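The check a BIG-IP operator wants after reading that customer configurations were taken is an inventory of every credential those configurations carry, so that each one can be rotated. The script below is an added example, not code from the article or from F5: it walks a configuration export in the brace-nested shape of a BIG-IP `bigip.conf`, lists each object that holds a credential attribute, and records whether the value is stored under the device master key (the `$M$` prefix BIG-IP conventionally writes) or in the clear. The sample configuration is constructed for this example, and the block parser and the set of credential attribute names are simplifications, not an F5 reference.

```python
"""Inventory credential-bearing objects in a BIG-IP style configuration export.

Added example, not F5 code. The config text and the attribute-name list below
are constructed and simplified for illustration.
"""
import re
from typing import List, Tuple

# Attribute names that hold credentials in BIG-IP style configs. This set is an
# assumption for the example; extend it for the modules deployed on a real device.
SECRET_KEYS = {
    "password", "passphrase", "bind-pw", "secret",
    "community-name", "pre-shared-key", "auth-password", "privacy-password",
}

# Constructed sample in the shape of a bigip.conf export (secret values redacted).
SAMPLE_CONFIG = """\
ltm pool /Common/web_pool {
    members {
        /Common/10.0.1.10:80 {
            address 10.0.1.10
        }
    }
    monitor /Common/http
}
ltm monitor https /Common/api_probe {
    defaults-from /Common/https
    password $M$x1$redacted
    username probe
}
auth ldap /Common/corp_ldap {
    bind-dn cn=svc_bigip,ou=svc,dc=corp,dc=example
    bind-pw $M$k3$redacted
    servers { ldap1.corp.example }
}
sys snmp {
    communities {
        /Common/comm_ro {
            community-name public
        }
    }
}
"""

INLINE_BLOCK = re.compile(r"^\S+\s*\{.*\}\s*$")        # "servers { a b }" on one line
BLOCK_OPEN = re.compile(r"^(?P<name>.+?)\s*\{\s*$")    # "ltm pool /Common/x {"
ATTRIBUTE = re.compile(r"^(?P<key>[\w-]+)\s+(?P<value>.+)$")

Finding = Tuple[str, str, str]  # (object path, attribute, "encrypted" | "plaintext")


def storage_class(value: str) -> str:
    """BIG-IP writes master-key-encrypted secrets with a $M$ prefix (assumption
    used here); anything else is treated as stored in the clear."""
    return "encrypted" if value.startswith("$M$") else "plaintext"


def find_secret_refs(config_text: str) -> List[Finding]:
    """Walk the brace-nested config and report every credential attribute with
    the path of the object that owns it. Secret values are deliberately not
    returned, so the report itself does not leak them."""
    stack: List[str] = []
    findings: List[Finding] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        if INLINE_BLOCK.match(line):
            continue                      # one-line block: opens and closes here
        opened = BLOCK_OPEN.match(line)
        if opened:
            stack.append(opened.group("name"))
            continue
        attr = ATTRIBUTE.match(line)
        if attr and attr.group("key") in SECRET_KEYS:
            path = " / ".join(stack)
            findings.append((path, attr.group("key"), storage_class(attr.group("value"))))
    return findings


def rotation_report(config_text: str) -> str:
    """Human-readable rotation list; every row is one credential to rotate."""
    rows = [f"{store:9} {key:15} {path}"
            for path, key, store in find_secret_refs(config_text)]
    return "\n".join(rows)


if __name__ == "__main__":
    print(rotation_report(SAMPLE_CONFIG))
```

Run it against a real export (on a BIG-IP, `/config/bigip.conf`) and treat every row as a rotation candidate. The encrypted/plaintext column is there to prioritise, not to shorten the list: a value encrypted under the device master key is only as safe as that key, and an attacker holding both the configuration and the key material recovers it.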

Customers place BIG-IP at the edge of their networks, where it serves as a load balancer and firewall and inspects and encrypts traffic passing in and out. Given BIG-IP’s position at the network edge and its role in managing traffic to web servers, previous compromises of these devices have allowed adversaries to expand their access to other parts of the affected network.

F5 said investigations conducted by two third-party companies brought in to respond to the intrusion have yet to find any evidence of supply-chain attacks. The company attached letters from IOActive and NCC Group attesting that analyses of the source code and build pipeline revealed no signs that “the threat actor modified or introduced any vulnerabilities to the elements in scope.” The companies also said they had not identified any evidence of critical vulnerabilities in the system. Investigators, including Mandiant and CrowdStrike, found no evidence that data was accessed from F5’s customer relationship management, financial, support case management, or iHealth systems.

The company has released updates for its BIG-IP, F5OS, BIG-IQ, and APM products; F5’s advisory lists the CVE designations and other details. Two days ago, F5 rotated the BIG-IP signing certificates, although there was no immediate confirmation that the move was in response to the hack.


2025-10-16 20:42:00
