Thousands of networks, many of them run by the U.S. government and Fortune 500 companies, are at “imminent risk” of being hacked by a nation-state hacking group following the breach of a major software maker, the federal government warned Wednesday.
F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed nation-state government had been secretly and persistently living inside its network for a “long-term” period. Security researchers who have responded to similar intrusions in the past understood that language to mean the hackers had been inside F5's network for many years.
Unprecedented
During this time, F5 said, the hackers took control of a network segment the company uses to create and distribute updates for BIG-IP, a line of server appliances that F5 says is used by 48 of the world's 50 largest corporations. Wednesday's disclosure said the threat group downloaded proprietary BIG-IP source code and information about vulnerabilities that had been privately discovered but not yet patched. The hackers also obtained configuration settings that some customers used inside their networks.
Control of the build system and access to source code, customer configurations, and documentation of unpatched vulnerabilities can give hackers unprecedented knowledge of weaknesses and the ability to exploit them in attacks on thousands of networks, many of them sensitive. The theft of customer configurations and other data further increases the risk of sensitive credentials being abused, F5 and third-party security experts say.
Customers place BIG-IP at the very edge of their networks, where it serves as a load balancer and firewall and inspects and encrypts traffic flowing in and out. Given BIG-IP's network position and its role in managing web server traffic, previous compromises have allowed attackers to expand their access to other parts of the affected network.
F5 said investigations by two third-party incident response firms had so far found no evidence of a supply-chain attack. The company included letters from the firms IOActive and NCC Group confirming that analysis of the source code and build pipeline showed no indication that “the attacker has modified or introduced any vulnerabilities in the in-scope items.” The firms also said they had not identified any evidence of critical vulnerabilities in the system. Investigators, who also included Mandiant and CrowdStrike, found no evidence that data from F5's CRM, financial system, support case management system, or healthcare system was accessed.
The company has released updates for its BIG-IP, F5OS, BIG-IQ and APM products. CVE designations and other information are provided here. Two days ago, F5 rotated the BIG-IP signing certificates, but there was no immediate confirmation that the move was a response to the hack.
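The certificate rotation mentioned above only protects customers whose update clients stop trusting the old signer. The following Go program is an added illustration, not F5's code or a model of F5's actual update tooling: it uses raw Ed25519 keys in place of the X.509 certificates F5 uses, and the "vendor" label, the trust store, and the image bytes are constructed stand-ins. It shows a client pinning a publisher's signing key, verifying a detached signature over the artifact's SHA-256 digest, and what happens to artifacts signed with the retired key once the pin is replaced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore holds the publisher signing keys a client currently accepts.
// Rotation replaces the entry for a publisher rather than adding a second key,
// so anything signed only by the retired key stops verifying.
type TrustStore struct {
	keys map[string]ed25519.PublicKey
}

func NewTrustStore() *TrustStore { return &TrustStore{keys: map[string]ed25519.PublicKey{}} }

// Pin installs (or replaces) the trusted signing key for a publisher.
func (t *TrustStore) Pin(publisher string, pub ed25519.PublicKey) { t.keys[publisher] = pub }

// Update bundles an artifact with a detached signature over its SHA-256 digest.
type Update struct {
	Publisher string
	Image     []byte
	Signature []byte
}

// SignUpdate is what a build pipeline does when it releases an artifact
// (hypothetical helper; real vendors sign with certificate-backed keys).
func SignUpdate(publisher string, priv ed25519.PrivateKey, image []byte) Update {
	digest := sha256.Sum256(image)
	return Update{Publisher: publisher, Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate accepts an update only if the currently pinned key for its
// publisher verifies the signature over the image digest.
func (t *TrustStore) VerifyUpdate(u Update) error {
	pub, ok := t.keys[u.Publisher]
	if !ok {
		return errors.New("no trusted signing key pinned for publisher " + u.Publisher)
	}
	digest := sha256.Sum256(u.Image)
	if !ed25519.Verify(pub, digest[:], u.Signature) {
		return errors.New("signature does not verify against the pinned key")
	}
	return nil
}

// ScenarioResult records which artifacts the client accepted at each stage.
type ScenarioResult struct {
	OldKeyBeforeRotation bool // artifact signed by old key, before the client re-pins
	OldKeyAfterRotation  bool // same artifact after the client pins the new key
	NewKeyAfterRotation  bool // artifact signed by the new key after re-pinning
	TamperedImage        bool // new-key artifact with one flipped byte
}

// RunRotationScenario walks through a signing-key rotation from the client's side.
func RunRotationScenario() (ScenarioResult, error) {
	var r ScenarioResult
	oldPub, oldPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	// Constructed sample artifact; not a real BIG-IP image.
	image := []byte("constructed update image bytes for illustration only")

	store := NewTrustStore()
	store.Pin("vendor", oldPub)
	oldSigned := SignUpdate("vendor", oldPriv, image)
	r.OldKeyBeforeRotation = store.VerifyUpdate(oldSigned) == nil

	// Rotation: the client replaces its pinned key with the newly published one.
	store.Pin("vendor", newPub)
	r.OldKeyAfterRotation = store.VerifyUpdate(oldSigned) == nil

	newSigned := SignUpdate("vendor", newPriv, image)
	r.NewKeyAfterRotation = store.VerifyUpdate(newSigned) == nil

	// Tampering after signing must fail even with the correct key pinned.
	tampered := newSigned
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0x01
	r.TamperedImage = store.VerifyUpdate(tampered) == nil
	return r, nil
}

func main() {
	r, err := RunRotationScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point for defenders is the second flag: a client that keeps the old key pinned alongside the new one would still accept whatever the retired key signed, which is exactly the class of artifact a rotation is meant to retire.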