
F5 BIG-IP devices used for years to steal corporate data


Jun 18, 2024
Attacks, In evidence, Malware, News, RSS


Velvet Ant, a Chinese threat group, has for years been exploiting F5 BIG-IP appliances to maintain persistence in corporate networks and steal sensitive data. Sygnia researchers uncovered the campaign: at the end of 2023 the team investigated a major cyber attack against a large organization and found that the group had remained on the company network for approximately three years without ever being detected.


F5 BIG-IP is an appliance that provides advanced traffic management and security services, such as load balancing, SSL/TLS offload, DNS and firewalling, to improve application availability and performance.

By compromising these devices, the group gained significant control over network traffic without arousing suspicion. Because companies generally focus their attention on application security, the appliances' operating-system logs are often ignored; this made the F5 devices the ideal place to plant a backdoor and allowed the group to evade security controls.

"The compromised organization had two F5 BIG-IP appliances that provided services such as firewall, WAF, load balancing and local traffic management. These appliances were directly exposed to the Internet and were both compromised," the researchers say. Both devices were running outdated, vulnerable versions of the operating system, and the attackers exploited one of those vulnerabilities to gain remote access to the devices.

After gaining access to the devices, Velvet Ant ran PlugX, a remote access Trojan used by Chinese state-sponsored groups since 2008. The basic version of the Trojan provides remote access to systems, but its modular design lets it be extended with additional functionality.

F5 BIG-IP devices affected by other malware

In addition to PlugX, which it used to communicate with the C2 server, the group deployed four other pieces of malware on the network. One of them is VELVETSTING, a tool that connects to the C2 server once an hour to retrieve any pending commands and execute them.

The others are VELVETTAP, a tool capable of capturing network packets; SAMRID, also known as EarthWorm, an open-source tunneling tool; and finally ESRDE, a tool similar to VELVETSTING that uses bash instead of csh.

Over the years the group used a variety of tools and techniques to infiltrate critical systems and access sensitive information. Sygnia researchers explain that the group became familiar with the organization's complex network infrastructure and was thus able to establish persistence in numerous parts of the network.

The Sygnia team initially managed to eradicate the group's presence from the network, but a few days later Velvet Ant returned in force, infecting new hosts.

To defend against this type of attack, Sygnia researchers recommend restricting outbound connections to the Internet and closely analyzing internal traffic to reduce the risk of lateral movement. It is also essential to keep systems up to date and to decommission legacy servers as soon as possible; finally, EDR solutions should be deployed to intercept malicious actions and mitigate credential harvesting.
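As an added example (not code from the article, from Sygnia or from F5), the following Python script shows one way to act on two points made above: the hourly VELVETSTING beacon to the C2 server and the recommendation to restrict and monitor outbound connections. It parses a constructed egress firewall log, groups allowed connections by source, destination and port, and flags flows whose inter-connection intervals have very low jitter, additionally marking flows that originate from hosts that should never reach the Internet at all (such as the management address of an edge appliance). The log format, the IP addresses, the hourly interval and the jitter threshold are all assumptions made for the example.

```python
"""Flag low-jitter periodic outbound connections (beaconing) in an egress log.

Added example, not Sygnia's tooling or any F5 code. The log format, addresses
and thresholds below are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress firewall log (not from any real incident).
# 10.0.0.5 stands in for an appliance management address that should never
# initiate Internet traffic; here it beacons to 203.0.113.10:443 once an hour.
# 10.0.1.22 is an ordinary workstation with bursty, irregular traffic.
SAMPLE_LOG = """\
2023-11-01T00:00:07Z allow 10.0.0.5 203.0.113.10 443 tcp
2023-11-01T00:14:31Z allow 10.0.1.22 198.51.100.8 443 tcp
2023-11-01T01:00:09Z allow 10.0.0.5 203.0.113.10 443 tcp
2023-11-01T01:37:45Z allow 10.0.1.22 198.51.100.8 443 tcp
2023-11-01T02:00:06Z allow 10.0.0.5 203.0.113.10 443 tcp
2023-11-01T02:05:12Z allow 10.0.1.22 198.51.100.9 80 tcp
2023-11-01T03:00:08Z allow 10.0.0.5 203.0.113.10 443 tcp
2023-11-01T03:58:01Z allow 10.0.1.22 198.51.100.8 443 tcp
2023-11-01T04:00:07Z allow 10.0.0.5 203.0.113.10 443 tcp
2023-11-01T04:20:33Z allow 10.0.1.22 198.51.100.8 443 tcp
"""

# Assumed allow-list policy: hosts that must never originate outbound traffic.
NO_EGRESS_HOSTS = {"10.0.0.5"}


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each allowed connection in the
    constructed format: '<ISO time> <action> <src> <dst> <dport> <proto>'."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[1] != "allow":
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[2], parts[3], int(parts[4])


def find_beacons(log_text, min_hits=4, max_jitter=0.05):
    """Return flows whose gaps between connections are nearly constant.

    A flow is (src, dst, dport). max_jitter bounds the coefficient of
    variation (stdev / mean) of the gaps; human-driven traffic is bursty
    and rarely stays under it, while a timer-driven implant does.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_hits:
            continue  # too few observations to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "hits": len(times),
                "interval_s": round(avg),
                "jitter": round(jitter, 4),
                # True when the source is not even allowed to reach the Internet
                "policy_violation": src in NO_EGRESS_HOSTS,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the sample log only the appliance flow is reported (five hits, a 3600-second interval, jitter well under 0.001, and a policy violation because the source is in the no-egress set); the workstation's traffic to 198.51.100.8 has enough hits but its irregular gaps give a jitter far above the threshold. In practice the same logic is fed from the egress firewall or proxy, with the no-egress set populated from the actual inventory of appliances whose management plane should have no reason to talk to the Internet.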


