
"Security shop F5 today said "highly sophisticated nation-state" hackers broke into its network and stole BIG-IP source code, undisclosed vulnerability details, and customer configuration data belonging to a "small percentage" of its users. "The Company is currently reviewing the contents of these files and will communicate with affected customers directly as appropriate," F5 said in a US Securities and Exchange Commission filing."
"The company said that it discovered the network intruders in early August, and during its investigation determined that they had maintained long-term access to its BIG-IP product development and engineering platforms. "We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities," the firm said. There's "no evidence" that the government-backed goons poisoned its software supply chain, including source code and build and release pipeline, it added."
F5 discovered network intrusions in early August and determined attackers maintained long-term access to BIG-IP product development and engineering platforms. Attackers stole BIG-IP source code, undisclosed vulnerability details, and customer configuration data for a small percentage of users. F5 is reviewing the stolen files and will notify affected customers directly. No evidence has emerged of supply-chain poisoning of source code or build pipelines, and F5 reported no awareness of undisclosed critical vulnerabilities or active exploitation. Third-party researchers NCC Group and IOActive corroborated those findings. The DOJ permitted a delayed public disclosure, and F5 engaged CrowdStrike and Mandiant for incident response.
Read at Theregister