Hackers target F5 products with dangerous malware

1 week ago 5

A hacking collective was stealing sensitive information from a company, using vulnerable F5 BIG-IP appliances to break in and achieve persistence.

A report from cybersecurity researchers Sygnia outlined how the group, which is suspected to be of Chinese origin, found multiple F5 BIG-IP endpoints running vulnerable OS versions.

They used the known vulnerabilities to deploy PlugX, a modular remote access Trojan (RAT) which is, apparently, the go-to solution for many Chinese threat actors. PlugX, available on the black market for roughly a decade now, is usually used to harvest, and exfiltrate, information from compromised endpoints.

Velvet Ant

Besides PlugX, the group used a whole slew of other malware, including PMCD (used for maintaining remote control), MCDP (ensures persistent network monitoring), SAMRID (AKA EarthWorm, a SOCKS proxy tunneler), and ESRDE, used for remote command control and persistence. Sygnia reports that despite extensive eradication efforts following the breach's discovery, the hackers re-deployed PlugX with new configurations to avoid detection, using compromised internal devices like the F5 appliances to retain access.

While Sygnia did not name the vulnerable organization (which is allegedly based in east Asia), it did say that removing malware from F5 BIG-IP instances was a challenge, and that the group redeployed PlugX as soon as the devices were cleaned.

That being said, the researchers now recommend vulnerable organizations take multiple steps, including restricting outbound connections, implementing strict controls over management ports, deploying robust EDR systems, enhancing security for edge devices, and ultimately - replacing legacy systems. After all, the targeted devices were running vulnerable versions of the operating system, and the attacks could have been avoided by simply keeping the devices updated.

The group is dubbed Velvet Ant.

Via BleepingComputer