Why did the F5 hack pose an “imminent threat” to thousands of networks?
Thousands of networks, many of them run by the US government and Fortune 500 companies, face an “imminent threat” of being breached by a nation-state hacking group following a breach at a major software maker, the federal government warned Wednesday.
Seattle-based networking software maker F5 disclosed the breach on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed national government had secretly and persistently inhabited its network for a “prolonged period”. Security researchers who have responded to similar breaches in the past take this language to mean that the hackers had been inside F5’s network for years.
Unprecedented
During that time, the hackers took control of the network segment the company uses to create and distribute updates for BIG-IP, a line of server appliances that F5 says is used by 48 of the world’s top 50 companies. The threat group downloaded proprietary BIG-IP source code and information about vulnerabilities that had been privately discovered but not yet patched, Wednesday’s disclosure continued. The hackers also obtained configuration settings that some customers use inside their networks.
Control of the build system, together with access to source code, customer configurations and documentation of unpatched vulnerabilities, has the potential to give the hackers unprecedented knowledge of vulnerabilities and the ability to exploit them in supply-chain attacks against thousands of networks, many of them sensitive. According to F5 security experts, the theft of customer configurations and other data increases the risk of sensitive credentials being misused.
Customers place BIG-IP at the edge of their networks, where it serves as a load balancer and firewall that inspects and encrypts data sent in and out of the network. Given BIG-IP’s position at the network edge and its role in managing traffic for web servers, previous compromises have allowed adversaries to extend their access to other parts of the infected network.
F5 said investigations by two outside incident response firms have yet to find any evidence of supply-chain attacks. The company attached letters from IOActive and NCC Group confirming that their analysis of the source code and build pipeline showed no indication that a threat actor had modified or introduced vulnerabilities into in-scope items. The firms also said they had not identified any evidence of critical vulnerabilities in the system. The investigators, which included Mandiant and CrowdStrike, found no evidence of access to data from F5’s CRM, financial, support case management or health systems.
The company released updates for its BIG-IP, F5OS, BIG-IQ and APM products. CVE designations and other details are here. Two days ago, F5 rotated BIG-IP’s signing certificates, though there was no immediate confirmation that the move was in response to the breach.
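The article makes two practical points for anyone who runs these appliances: a compromised build system means an update can no longer be trusted just because it came from the vendor’s download channel, and a rotated signing certificate means the old signer must be treated as untrusted from the rotation date onward. The following is an added example, not code from F5 or from the article, showing the kind of gate an operator can put in front of an update deployment: pin the published artifact hash, pin the fingerprint of the current signing certificate, and explicitly refuse artifacts whose signer is on the pre-rotation (revoked) list. All artifact bytes, certificate bytes and manifest entries below are constructed stand-ins; real deployments would additionally verify the cryptographic signature over the artifact with the signer’s public key, which this stdlib-only check does not do, and would obtain the manifest and fingerprints out of band rather than from the same download channel.

```python
import hashlib
import hmac
from typing import Dict, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of raw bytes (an update artifact or a DER-encoded certificate)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a vendor-published manifest obtained out of band.
# A real manifest would carry hashes published by the vendor, not computed here.
KNOWN_GOOD_IMAGE = b"constructed stand-in for a BIG-IP update image, build 1"
MANIFEST: Dict[str, str] = {"bigip-update.iso": sha256_hex(KNOWN_GOOD_IMAGE)}

# Constructed stand-ins for DER-encoded signing certificates (real ones are X.509 DER).
OLD_SIGNER_DER = b"constructed DER of the pre-rotation signing certificate"
NEW_SIGNER_DER = b"constructed DER of the post-rotation signing certificate"
UNKNOWN_SIGNER_DER = b"constructed DER of a certificate the vendor never published"

# After a signing-certificate rotation, only the new fingerprint is trusted and the
# old one is explicitly revoked rather than merely dropped from the trusted set.
TRUSTED_SIGNERS: Set[str] = {sha256_hex(NEW_SIGNER_DER)}
REVOKED_SIGNERS: Set[str] = {sha256_hex(OLD_SIGNER_DER)}


def check_artifact(
    name: str,
    data: bytes,
    signer_der: bytes,
    manifest: Dict[str, str] = MANIFEST,
    trusted: Set[str] = TRUSTED_SIGNERS,
    revoked: Set[str] = REVOKED_SIGNERS,
) -> Tuple[bool, str]:
    """Decide whether an update artifact may be deployed.

    Returns (ok, reason). The signer is checked first so a revoked
    pre-rotation certificate is rejected even if the artifact hash matches.
    """
    fingerprint = sha256_hex(signer_der)
    if fingerprint in revoked:
        return False, "signer revoked"
    if fingerprint not in trusted:
        return False, "signer not trusted"

    expected = manifest.get(name)
    if expected is None:
        return False, "artifact not in manifest"
    # Constant-time comparison avoids leaking how many leading digest bytes matched.
    if not hmac.compare_digest(sha256_hex(data), expected):
        return False, "hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    tampered = KNOWN_GOOD_IMAGE + b" (one extra byte)"
    print(check_artifact("bigip-update.iso", KNOWN_GOOD_IMAGE, NEW_SIGNER_DER))
    print(check_artifact("bigip-update.iso", tampered, NEW_SIGNER_DER))
    print(check_artifact("bigip-update.iso", KNOWN_GOOD_IMAGE, OLD_SIGNER_DER))
    print(check_artifact("bigip-update.iso", KNOWN_GOOD_IMAGE, UNKNOWN_SIGNER_DER))
```

The revoked set is kept separate from the trusted set on purpose: an operator reviewing a rejected deployment can then tell a signer that was deliberately retired after the rotation apart from one that was never valid, which is exactly the distinction that matters when a vendor’s build environment is known to have been under an attacker’s control.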