Customers place BIG-IP at the very edge of their networks to serve as load balancers and firewalls, and to inspect and encrypt data flowing to and from networks. Considering the network position of BIG-IP and its role in managing web server traffic, previous compromises allowed attackers to expand their access to other parts of the infected network.
F5 said investigations by two third-party intrusion response firms had so far found no evidence of supply chain attacks. The company included letters from firms IOActive and NCC Group confirming that analysis of the source code and build pipeline showed no indication that “the attacker has modified or introduced any vulnerabilities in the in-scope items.” The firms also said they had not identified any evidence of critical vulnerabilities in the system. Investigators, who also included Mandiant and CrowdStrike, found no evidence that data from its CRM, financial system, support case management system or healthcare system was accessed.
The company has released updates for its BIG-IP, F5OS, BIG-IQ and APM products. CVE designations and other information are provided Here. Two days ago F5 rotated BIG-IP signing certificates, but there was no immediate confirmation that this move was a response to the hack.
US Cybersecurity and Infrastructure Security Agency warned that federal agencies relying on the device face an “imminent threat” of thefts that “pose an unacceptable risk.” The agency further directed federal agencies under its control to take “extraordinary measures.” UK National Cyber Security Center published similar directive.
CISA has ordered all federal agencies it oversees to immediately inventory all BIG-IP devices on networks they manage or on networks managed on their behalf by third-party providers. The agency also directed agencies to install updates and follow threat hunting guidance that F5 also released. BIG-IP users in the private sector should do the same.
