Cybersecurity firm F5 has confirmed state-sponsored hackers have stolen source code and customer information following a cyber attack.
In an alert to customers, the company said threat actors maintained long-term, persistent access to its BIG-IP product development environment and engineering knowledge management systems.
As part of the attack, threat actors exfiltrated files containing some BIG-IP source code, along with information pertaining to undisclosed vulnerabilities that the company was in the process of remediating.
Notably, hackers don’t appear to have accessed data from its CRM, financial, support case management, or iHealth systems. Similarly, the company's software supply chain, including its source code and build and release pipelines, doesn't appear to have been modified.
"We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities," F5 said in its advisory.
"We have taken extensive actions to contain the threat actor. Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful."
Some files from F5's knowledge management platform contained configuration or implementation information for a small percentage of customers. The firm said it was reviewing the files and contacting affected customers.
CISA, NCSC raise alarm over F5 security incident
Security agencies have issued an alert following the disclosure, with the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) urging organizations to remain vigilant.
In an emergency directive, CISA said the incident could enable threat actors to conduct “static and dynamic analysis for identification of logical flaws” in affected products.
"Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access,” the agency said.
“This could potentially lead to a full compromise of target information systems."
CISA has ordered federal networks to take immediate action, identifying all instances of F5 BIG-IP hardware devices and F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IP IQ software, and BNK/CNF.
They must check whether physical or virtual BIG-IP devices exposed to the public internet give public access to the networked management interface.
Similarly, the agency urged organizations to apply the latest vendor updates for F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF by 22 October, disconnect end-of-support devices, mitigate against cookie leakage, and report back on all this by 29 October.
F5 attack can’t be ignored, experts warn
Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said the security incident should be taken seriously by customers and urged organizations to take immediate action.
"On October 13th, F5 quietly announced it had rotated its signing certificates and cryptographic keys, the ones used to prove that F5-produced software is legitimate and untampered. That’s not a routine update. Vendors only do that when something has gone very wrong," he said.
"Older software signed with the previous keys may now warrant closer scrutiny. For a vendor whose products sit deep in enterprise and government networks, this is a serious breach of trust," Dewhurst added.
"If those compromised keys were stolen, and F5 hasn’t ruled that out, malicious software updates signed by "F5" could be indistinguishable from the real thing."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Google CEO Sundar Pichai says vibe coding has made software development ‘exciting again’News Google CEO Sundar Pichai claims software development has become “exciting again” since the rise of vibe coding, but some devs are still on the fence about using AI to code.
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
