Hackers target F5 products with dangerous malware

Vulnerable F5 appliances abused for at least three years

A hacking collective was stealing sensitive information from a company, using vulnerable F5 BIG-IP appliances to break in and achieve persistence.

A report from cybersecurity researchers Sygnia outlined how the group, which is suspected to be of Chinese origin, found multiple F5 BIG-IP endpoints running vulnerable OS versions.

They used the known vulnerabilities to deploy PlugX, a modular remote access Trojan (RAT) which is, apparently, the go-to solution for many Chinese threat actors. PlugX, available on the black market for roughly a decade now, is usually used to harvest, and exfiltrate, information from compromised endpoints.

Velvet Ant

Besides PlugX, the group used a whole slew of other malware, including PMCD (used for maintaining remote control), MCDP (ensures persistent network monitoring), SAMRID (AKA EarthWorm, a SOCKS proxy tunneler), and ESRDE, used for remote command control and persistence. Sygnia reports that despite extensive eradication efforts following the breach’s discovery, the hackers re-deployed PlugX with new configurations to avoid detection, using compromised internal devices like the F5 appliances to retain access.

While Sygnia did not name the vulnerable organization (which is allegedly based in east Asia), it did say that removing malware from F5 BIG-IP instances was a challenge, and that the group redeployed PlugX as soon as the devices were cleaned.

That being said, the researchers now recommend vulnerable organizations take multiple steps, including restricting outbound connections, implementing strict controls over management ports, deploying robust EDR systems, enhancing security for edge devices, and ultimately, replacing legacy systems. After all, the targeted devices were running vulnerable versions of the operating system, and the attacks could have been avoided by simply keeping the devices updated.

The group is dubbed Velvet Ant.
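One of the recommendations above is restricting outbound connections from edge appliances, and Sygnia notes that the appliances were reused as a foothold after cleanup. The script below is an added example, not code from the article, Sygnia, or F5: it audits constructed connection records (such as a firewall or flow export) and flags any outbound connection from the appliance's own addresses that is not on an explicit egress allowlist. The IP addresses, allowlist entries and log lines are all constructed for illustration.

```python
"""Egress audit for an edge appliance (added example, not from the article or Sygnia).

Given connection records exported from a firewall or flow collector, flag any
outbound connection from the appliance's management or self IPs to a
destination that is not on an explicit allowlist. Addresses, the allowlist
and the sample records below are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Hypothetical management and self IPs of the appliance being audited.
APPLIANCE_IPS = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.0.0.6")}

# Egress allowlist: destination network -> allowed (proto, port) pairs.
# Constructed; in practice this would be the vendor update endpoints, NTP and
# the internal log collector, and nothing else.
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("10.0.10.0/24"), {("tcp", 514), ("udp", 514)}),  # internal syslog
    (ipaddress.ip_network("10.0.20.0/24"), {("udp", 123)}),               # internal NTP
]


def parse_flow(line):
    """Parse a 'ts src dst dport proto' record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    int(dport), proto.lower())
    except ValueError:
        return None


def is_allowed(flow):
    """True if the destination and service are covered by the egress allowlist."""
    for net, services in EGRESS_ALLOWLIST:
        if flow.dst in net and (flow.proto, flow.dport) in services:
            return True
    return False


def audit_egress(lines):
    """Return flows that originate from the appliance and violate the allowlist."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.src not in APPLIANCE_IPS:
            continue  # malformed record, or traffic from some other host
        if not is_allowed(flow):
            violations.append(flow)
    return violations


# Constructed sample records: two allowed flows, two violations from the
# appliance, one flow from an unrelated host, and one malformed line.
SAMPLE_LOG = """\
2024-06-17T10:00:01Z 10.0.0.5 10.0.10.7 514 tcp
2024-06-17T10:00:05Z 10.0.0.5 10.0.20.3 123 udp
2024-06-17T10:01:12Z 10.0.0.6 203.0.113.44 443 tcp
2024-06-17T10:02:00Z 10.0.0.5 198.51.100.9 8080 tcp
2024-06-17T10:02:30Z 10.0.3.9 203.0.113.44 443 tcp
malformed line here
""".splitlines()

if __name__ == "__main__":
    for v in audit_egress(SAMPLE_LOG):
        print(f"{v.ts} appliance {v.src} -> {v.dst}:{v.dport}/{v.proto} "
              "not on egress allowlist")
```

The point of an explicit allowlist rather than a blocklist is that an appliance which only needs to reach its update servers, NTP and a log collector has no legitimate reason to open arbitrary outbound sessions; any unexpected egress from it is worth investigating, and the same rule set can be enforced on the upstream firewall once the audit shows it is clean.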

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
