Malware Campaign Targets F5 BIG-IP Appliances To Steal Data For Years

Researchers discovered a malware campaign targeting F5 BIG-IP appliances that could remain hidden for years. The threat actors behind the malware aim to steal data while evading detection, which can severely impact victim organizations.

Outdated F5 BIG-IP Appliances Could Remain Under Malware Attack Undetected For Years

According to a recent post from Sygnia, its researchers detected a malware intrusion at an organization following a cyber attack. Investigating the incident uncovered a stealthy malware campaign that had remained undetected for a couple of years.

Specifically, the researchers linked the campaign to the China-nexus threat actor “Velvet Ant”, which infiltrated the target network by compromising F5 BIG-IP appliances. The custom malware allowed the attackers to evade detection for at least two years before the activity came to Sygnia’s attention.

As observed, the victim organization had two vulnerable F5 BIG-IP appliances on its network providing firewall, WAF, load balancing, and local traffic management services. Moreover, both devices were exposed directly to the internet rather than being placed behind the company firewall. Consequently, the threat actors possibly exploited known vulnerabilities in those devices to gain remote access to the network.

After establishing persistence, the threat actors deployed various binaries on the network to execute malicious activities and steal data.

The researchers have shared a detailed technical analysis of the entire attack in their post. However, exactly how the threat actors compromised the vulnerable devices remains unclear.

While the researchers described this single incident in detail, they suspect it may be part of a wider cyberespionage campaign by the same threat actor. They therefore advise organizations to implement robust security measures against such threats.

Key steps that firms should take include limiting outbound internet traffic and placing internet-facing devices behind firewalls, restricting traffic over management ports to hinder lateral movement, replacing legacy systems, and deploying Endpoint Detection and Response (EDR) systems for adequate monitoring.
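As an added illustration of the egress and management-port restrictions recommended above (example code, not from Sygnia's report or from F5): a small Python audit that reads constructed firewall log lines and flags allowed management-port connections to the appliances from outside the management network, and any appliance-initiated connection to a non-RFC1918 address. The appliance addresses, management network, port list and log format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed values for the example (not from the report): the two appliance
# addresses, the network admins manage them from, and management ports.
APPLIANCES = {"10.0.1.10", "10.0.1.11"}
MGMT_NET = ipaddress.ip_network("10.0.9.0/24")
MGMT_PORTS = {22, 443, 8443}
# RFC1918 ranges; anything else is treated as "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines in a simple key=value form.
SAMPLE_LOG = """\
ts=1 src=10.0.9.5 dst=10.0.1.10 dport=443 action=ALLOW
ts=2 src=203.0.113.7 dst=10.0.1.10 dport=443 action=ALLOW
ts=3 src=10.0.1.11 dst=198.51.100.20 dport=443 action=ALLOW
ts=4 src=10.0.1.10 dst=10.0.2.30 dport=80 action=ALLOW
ts=5 src=10.0.1.10 dst=10.0.1.11 dport=22 action=ALLOW
ts=6 src=10.0.1.11 dst=192.0.2.9 dport=53 action=DENY
"""

def parse_line(line):
    """Turn one 'k=v k=v ...' log line into a dict with an int dport."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "action": fields["action"]}

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit(log_text):
    """Return {finding_type: [matching log lines]} for allowed flows only."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["action"] != "ALLOW":
            continue  # denied flows are already handled by the firewall
        # Management port reached on an appliance from outside the mgmt net
        # (covers internet sources and appliance-to-appliance lateral moves).
        if (e["dst"] in APPLIANCES and e["dport"] in MGMT_PORTS
                and ipaddress.ip_address(e["src"]) not in MGMT_NET):
            findings["mgmt_from_untrusted"].append(line)
        # Appliance opening a connection to a non-RFC1918 destination.
        if e["src"] in APPLIANCES and not is_internal(e["dst"]):
            findings["appliance_egress"].append(line)
    return dict(findings)
```

Run against the sample, it reports two untrusted management-port hits (the internet source and the appliance-to-appliance SSH) and one outbound connection from an appliance to the internet.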
