The F5 BIG-IP Source Code Breach

F5 disclosed that a sophisticated nation-state actor gained persistent access to development systems, exfiltrating portions of BIG-IP source code and information on undisclosed vulnerabilities. F5 reports no evidence of modified code, active exploitation, or leaked critical/RCE vulnerabilities, and agencies are urged to inventory and patch F5 products. #BIG-IP #F5

Key points

  • F5 discovered on August 9 that a “highly sophisticated nation-state threat actor” had long-term access to certain internal systems including BIG-IP product development and engineering knowledge management platforms.
  • The threat actor exfiltrated portions of BIG-IP source code and information about undisclosed BIG-IP vulnerabilities F5 was working on.
  • F5 reports no evidence of modified source code, no impact to its software supply chain, no leaked undisclosed critical or RCE vulnerabilities, and no evidence of zero-day exploitation to date.
  • Containment began after discovery; F5 has not seen returning or new unauthorized access since containment was initiated.
  • The public disclosure was delayed until October 15 at the request of the U.S. Department of Justice; CISA issued an emergency directive for agencies to inventory F5 products and network access.
  • F5 users are urged to apply all current updates, remove public Internet accessibility for F5 devices, and monitor for any emergence of exploit or proof-of-concept code.
  • Recommended defensive actions include inventorying and patching F5 products, revisiting incident response plans, setting up news/keyword alerts for F5 exploit mentions, and logging/monitoring F5 product access for anomalies.
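The last recommendation, logging and monitoring F5 product access for anomalies, is the one a defender can act on immediately. The script below is an added example and is not code from the Trustwave post or from F5: it parses a handful of constructed, syslog-style SSH and GUI login records and flags successful logins whose source address is outside a management allow-list, that use an account not in the known-administrator set, or that occur outside business hours, while counting failed attempts per source. The log line format, the allow-list (10.20.0.0/24), the administrator set and the sample lines are all assumptions for illustration; real BIG-IP audit lines differ, so `parse_line()` would need to be adapted to the deployment's format.

```python
"""Added example (not from the Trustwave post or F5): flag anomalous
administrative logins in BIG-IP-style access logs.

The line format, allow-list, admin set and sample records below are
constructed for illustration; adapt parse_line() to the real log format."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines, loosely modelled on syslog auth records.
SAMPLE_LOG = """\
Oct 15 08:01:12 bigip1 sshd[2011]: Accepted publickey for admin from 10.20.0.15 port 51122 ssh2
Oct 15 08:03:40 bigip1 httpd[3120]: AUDIT - user admin - login from 10.20.0.15 - status OK
Oct 15 22:47:03 bigip1 sshd[2055]: Accepted password for root from 203.0.113.77 port 40021 ssh2
Oct 15 22:48:10 bigip1 httpd[3120]: AUDIT - user svc_backup - login from 203.0.113.77 - status OK
Oct 15 22:49:55 bigip1 sshd[2058]: Failed password for root from 203.0.113.77 port 40022 ssh2
Oct 16 09:10:00 bigip1 httpd[3120]: AUDIT - user admin - login from 10.20.0.16 - status OK
"""

# Assumed site policy: management-plane logins come only from this subnet,
# only these accounts administer the device, and only during these hours.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
KNOWN_ADMINS = {"admin"}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59, device-local time

# Hypothetical record layouts matching the constructed sample above.
SSH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)")
HTTP_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ httpd\[\d+\]: "
    r"AUDIT - user (?P<user>\S+) - login from (?P<ip>\S+) - status (?P<result>\w+)")


@dataclass
class Event:
    hour: int
    user: str
    ip: str
    success: bool
    channel: str  # "ssh" or "gui"


def parse_line(line):
    """Return an Event for a recognised login record, else None."""
    for regex, channel in ((SSH_RE, "ssh"), (HTTP_RE, "gui")):
        m = regex.match(line)
        if m:
            success = m.group("result") in ("Accepted", "OK")
            return Event(int(m.group("time")[:2]), m.group("user"),
                         m.group("ip"), success, channel)
    return None


def find_anomalies(log_text):
    """Return (findings, failures): findings is a list of
    (user, ip, channel, reasons) for successful logins that break policy;
    failures counts failed attempts per source address."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated record type
        addr = ipaddress.ip_address(ev.ip)
        outside = not any(addr in net for net in MGMT_ALLOWLIST)
        if not ev.success:
            failures[ev.ip] += 1
            continue
        reasons = []
        if outside:
            reasons.append("source outside management allow-list")
        if ev.user not in KNOWN_ADMINS:
            reasons.append(f"unexpected account {ev.user!r}")
        if ev.hour not in BUSINESS_HOURS:
            reasons.append("login outside business hours")
        if reasons:
            findings.append((ev.user, ev.ip, ev.channel, reasons))
    return findings, failures


if __name__ == "__main__":
    hits, fails = find_anomalies(SAMPLE_LOG)
    for user, ip, channel, reasons in hits:
        print(f"ALERT {channel} login by {user} from {ip}: {'; '.join(reasons)}")
    for ip, n in fails.items():
        print(f"NOTE {n} failed login(s) from {ip}")
```

Run as-is, the script reports the two late-night logins from 203.0.113.77 (each with three policy violations) and one failed attempt from the same address, while the daytime `admin` logins from the management subnet pass silently. The allow-list check is the one that matters most in the context of the breach: with F5 advising that devices be removed from public Internet reachability, any successful management login from a non-management address is worth an immediate look.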

MITRE Techniques

  • [T1078] Valid Accounts – Threat actor maintained long-term persistent access to F5 systems, indicating use of credentials or otherwise sustained authorized access (“long-term, persistent access to certain F5 systems”).
  • [T1537] Transfer Data to Cloud Account – Exfiltration of portions of BIG-IP source code and vulnerability information from development environments (“exfiltration of portions of F5’s BIG-IP source code as well as information about undisclosed BIG-IP vulnerabilities F5 was working on”).
  • [T1213] Data from Information Repositories – Accessed engineering knowledge management platform and product development environment to obtain source code and vulnerability details (“included the BIG-IP product development environment and engineering knowledge management platform”).
  • [T1486] Data Encrypted for Impact (mitigated/absent) – F5 reports no evidence of modified source code or supply chain tampering, suggesting destructive/impact techniques were not observed (“There is no evidence of modified source code or to their software supply chain”).
  • [T1608] Stage Capabilities – The actor’s retention of source code could enable future development of exploits if vulnerabilities are discovered and weaponized (“Exploitation would require the threat actors to discover a vulnerability in the source code, weaponize it, and then exploit it”).

Indicators of Compromise

  • [Files/Source Code] Exfiltrated source code and vulnerability information – portions of BIG-IP source code, undisclosed vulnerability details (no file hashes provided).
  • [Systems/Platforms] Compromised systems – BIG-IP product development environment, engineering knowledge management platform.
  • [Notifications/Directives] Organizational actions – U.S. DOJ requested disclosure delay; CISA emergency directive for agencies to inventory F5 products (no network IOC values provided).

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-f5-big-ip-source-code-breach/