Supply-Chain Attack on F5 BIG-IP May Impact Users
The IT technology company F5 has revealed that it had been breached by a state-sponsored espionage group [1]. The threat actor had access to F5's BIG-IP product development environment and knowledge management platforms. F5 became aware of the problem in August 2025, but it states that the US Department of Justice had approved a delay in publicly disclosing the breach until September 12, citing national security considerations.

F5 claims that there is no evidence of exfiltration of data from its CRM, financial, support case management, or iHealth systems. However, some of the exfiltrated files from its knowledge management system contained configuration or implementation information for a small percentage of customers. The company further claims that it has no evidence of modification to its software supply chain or source code.
On October 15, F5 announced a series of known security issues in the form of over 30 CVEs, with severity scores ranging from 7.7 to 8.7. The US cybersecurity agency CISA also published an emergency directive for users of F5 BIG-IP to fix these vulnerabilities [2]. Successfully exploiting the affected F5 products could allow attackers to extract embedded credentials and API keys, move laterally across a network, steal sensitive data, and maintain long-term access. These actions may ultimately result in a complete compromise of the targeted information systems.
Assessment
The release of so many CVEs shortly after F5 acknowledged the breach suggests that these were vulnerabilities already known to the developers but not yet patched. This means the threat actor that breached F5 likely obtained information about these vulnerabilities. It is possible that the time between the discovery of the breach and now has been used to develop and verify the updates that patch all of them.
We still do not know all the details of this breach, but based on what we now know, it is likely that a foreign espionage group breached F5's product development environment and used that access to find vulnerabilities in F5 BIG-IP software that allowed it to breach F5's customers.
The reference to national security concerns suggests that some US government functions were impacted as a result of the breach of F5. The “implementation information for a small percentage of customers” mentioned likely refers to unique software implementations of BIG-IP for these government functions.
As usual in large breaches, what is revealed to the public has likely been carefully written so as not to expose the company to possible liabilities while still adhering to government requirements. This means that nothing revealed is likely to be untrue, but a lot may still have been omitted. One missing piece of information is how long the threat actor had access to the environment. F5 only reveals that it became aware of the problem on 25 August. Theoretically, the threat actor could have been inside the environment for months or even longer.
Based on the above information, Truesec assesses that at least one state-sponsored cyber espionage group, likely from either Russia or China, has had access to information about vulnerabilities in F5 products and weaponized them as zero-day exploits against F5 BIG-IP instances for an unknown time, likely dating back several months or possibly even longer. It is likely that the threat actor has used these zero-days primarily for espionage against national security objectives. It is unlikely that these vulnerabilities have been used for financial gain yet.
Recommendations
As these vulnerabilities have now been revealed, it is only a matter of days before they are exploited by cybercriminals too. Any organization that uses F5 BIG-IP should immediately apply the remedies recommended in the CISA directive [2].
If your organization also holds data that could be of interest to state-sponsored espionage, Truesec recommends scoping threat hunting to try to locate any breach and any additional persistence installed in your environment by the threat actor behind the breach of F5.
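The first step in applying the remedies is knowing which BIG-IP instances in an inventory are still below the fixed build for their release branch. The script below is an added example, not code from Truesec, F5 or CISA. It compares dotted version strings branch by branch and separates hosts that need an update from hosts that cannot be assessed (an unknown branch or a version string that does not parse), which matter just as much in a hunt. The fixed-version map and the host inventory are constructed placeholders; the real fixed versions must be taken from F5's security notice (reference [1]).

```python
"""Flag BIG-IP instances whose software version is below the fixed build
for their release branch.

Added example for this advisory; not F5's, CISA's or Truesec's code. The
FIXED_VERSIONS values are PLACEHOLDERS and must be replaced with the fixed
builds listed in F5's security notice before use.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical branch -> first fixed version map. Keys are the
# major.minor release branch; the values are placeholders, not real data.
FIXED_VERSIONS: Dict[str, str] = {
    "17.1": "17.1.99",   # placeholder
    "16.1": "16.1.99",   # placeholder
    "15.1": "15.1.99",   # placeholder
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a purely numeric dotted version such as '17.1.2.1' into a tuple.

    Anything else (hotfix suffixes, blanks, letters) raises ValueError so the
    caller can report it instead of silently comparing garbage.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    # One of: "patched", "needs_update", "unknown_branch", "unparseable"
    status: str
    fixed: Optional[str] = None


def assess_host(host: str, version: str,
                fixed: Dict[str, str] = FIXED_VERSIONS) -> Finding:
    """Classify one host against the fixed version for its branch."""
    try:
        v = parse_version(version)
    except ValueError:
        return Finding(host, version, "unparseable")
    if len(v) < 2:
        return Finding(host, version, "unparseable")
    branch = f"{v[0]}.{v[1]}"
    if branch not in fixed:
        # A branch with no known fix entry needs a human look, not a pass.
        return Finding(host, version, "unknown_branch")
    f = parse_version(fixed[branch])
    # Pad both tuples so '17.1.99' and '17.1.99.0' compare as equal.
    width = max(len(v), len(f))
    vp = v + (0,) * (width - len(v))
    fp = f + (0,) * (width - len(f))
    status = "patched" if vp >= fp else "needs_update"
    return Finding(host, version, status, fixed[branch])


def assess_inventory(inventory: List[Tuple[str, str]],
                     fixed: Dict[str, str] = FIXED_VERSIONS) -> List[Finding]:
    return [assess_host(host, version, fixed) for host, version in inventory]


def hosts_needing_attention(inventory: List[Tuple[str, str]],
                            fixed: Dict[str, str] = FIXED_VERSIONS) -> List[str]:
    """Every host not confirmed patched: to be updated or manually reviewed."""
    return [f.host for f in assess_inventory(inventory, fixed)
            if f.status != "patched"]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("bigip-edge-01", "17.1.2"),
    ("bigip-edge-02", "17.1.99"),
    ("bigip-core-01", "16.1.5.1"),
    ("bigip-lab-01", "14.1.5"),
    ("bigip-test-01", "17.1.2-hf1"),
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:16} {f.version:12} {f.status:15} fixed={f.fixed}")
```

Feed it the output of whatever inventory source you already trust (CMDB export, management console export) as host/version pairs, and treat the "unknown_branch" and "unparseable" rows as a review queue rather than dropping them: an appliance on an unlisted branch or with a non-standard version string is exactly the one most likely to be forgotten during an emergency patch cycle.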
References
[1] https://my.f5.com/manage/s/article/K000154696
[2] https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices