Why the F5 Hack Created an 'Imminent Threat' for Thousands of Networks
Briefly

"F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a "sophisticated" threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a "long-term." Security researchers who have responded to similar intrusions in the past took the language to mean the hackers were inside the F5 network for years."
"During that time, F5 said, the hackers took control of the network segment the company uses to create and distribute updates for BIG IP, a line of server appliances that F5 says is used by 48 of the world's top 50 corporations. Wednesday's disclosure went on to say the threat group downloaded proprietary BIG-IP source code information about vulnerabilities that had been privately discovered but not yet patched. The hackers also obtained configuration settings that some customers used inside their networks."
"Control of the build system and access to the source code, customer configurations, and documentation of unpatched vulnerabilities has the potential to give the hackers unprecedented knowledge of weaknesses and the ability to exploit them in supply-chain attacks on thousands of networks, many of which are sensitive. The theft of customer configurations and other data further raises the risk that sensitive credentials can be abused, F5 and outside security experts said."
F5 experienced a long-term intrusion by a sophisticated, nation-state-affiliated threat group that dwelled in its network for years. The attackers seized control of the network segment used to build and distribute BIG-IP updates and downloaded proprietary BIG-IP source code and information on unpatched vulnerabilities. They also obtained configuration settings that some customers used inside their networks, increasing the risk of credential abuse. BIG-IP appliances sit at network edges, where they serve as load balancers and firewalls and handle traffic inspection and encryption, so a compromise is a powerful vector for supply-chain attacks against thousands of networks, including many sensitive organizations.
Read at WIRED