F5 mitigations: IT and security leaders should make sure F5 servers, software, and clients have the latest patches. In addition, F5 has added automated hardening checks to the F5 iHealth Diagnostics Tool, and also suggests admins refer to its threat hunting guide to strengthen monitoring and its best practices guides for hardening F5 systems.

As a result of the attack, F5 said it has rotated credentials and strengthened access controls across its systems; deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats; and implemented enhancements to its network security architecture and hardened its product development environment, including strengthening security controls and monitoring of all software development platforms.

F5 will also provide all supported customers with a free subscription to CrowdStrike’s Falcon EDR endpoint protection service.
Stolen info could feed future attacks: “Based on the currently disclosed information about the scope of the incident and stolen data, there is no reason to panic,” commented Ilia Kolochenko, CEO of ImmuniWeb, in a statement. “Having said this, stolen source code can greatly simplify vulnerability research by the cybercriminals behind the breach and facilitate detection of 0day vulnerabilities in the affected F5 products, which may be exploited in subsequent APT attacks. Likewise, the reportedly small percentage of customers whose technical information was compromised should urgently assess their risks and continue working with F5 to better understand the impact of the incident.”

This attack is another reminder that the modern attack surface extends deep into the software development lifecycle, Will Baxter, field CISO at Team Cymru, said in a statement. “Threat groups targeting source code repositories and build environments are seeking long-term intelligence value, understanding how security controls operate from the inside,” he said. “Visibility into outbound connections, threat actor command-and-control infrastructure, and unusual data exfiltration patterns is key to identifying this activity early. Combining external threat intelligence with internal telemetry gives defenders the context needed to detect and contain these advanced intrusions.”

This wasn’t an opportunistic exploitation, he added. “It was about gaining insight into code and vulnerabilities before disclosure. State-sponsored groups increasingly view source repositories and engineering systems as strategic intelligence targets. Early detection depends on monitoring outbound connections, command-and-control traffic, and unusual data flows from developer and build environments. Combining external threat intelligence with internal telemetry gives defenders the context to identify and contain these campaigns before the stolen code is turned into zero-days.”

The F5 incident is serious due to the attacker’s extended access to the systems, Johannes Ullrich, dean of research at the SANS Institute, told CSO Online. “According to the statements made by F5, the amount of customer data leaked is very limited,” he noted. “However, it is not clear yet how far F5 is in their incident response, and how certain they are that they have accurately identified the attacker’s impact. Having lost source code and information about unpatched vulnerabilities could lead to an increase in attacks against F5 systems in the near future. Follow F5’s hardening advice and, just as a measure of caution, review and possibly change credentials.”
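The detection Baxter describes, watching outbound connections and unusual data flows from build hosts, can be reduced to a baseline-versus-window check. The script below is an added illustration, not code from the article, F5 or Team Cymru; the flow records, host names and the 5x volume threshold are constructed for the example.

```python
# Added example: flag build hosts contacting destinations absent from a
# baseline period, or sending far more data per flow than their baseline peak.
from collections import defaultdict

# Constructed egress-flow records: timestamp,src_host,dst,bytes_out
BASELINE = """\
2025-10-01T10:00:00Z,build-01,pkg-mirror.internal,120000
2025-10-01T10:05:00Z,build-01,git.internal,450000
2025-10-01T11:00:00Z,build-02,pkg-mirror.internal,98000
2025-10-02T09:30:00Z,build-02,git.internal,300000
"""

WINDOW = """\
2025-10-09T02:10:00Z,build-01,git.internal,400000
2025-10-09T02:12:00Z,build-01,203.0.113.45,9800000
2025-10-09T02:20:00Z,build-02,pkg-mirror.internal,110000
2025-10-09T03:00:00Z,build-02,git.internal,2500000
"""

def parse_flows(text):
    """Parse CSV-style flow lines into (ts, host, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split(",")
        flows.append((ts, host, dst, int(nbytes)))
    return flows

def build_baseline(flows):
    """Per-host set of known destinations and per-host peak bytes per flow."""
    dests, peak = defaultdict(set), defaultdict(int)
    for _, host, dst, nbytes in flows:
        dests[host].add(dst)
        peak[host] = max(peak[host], nbytes)
    return dests, peak

def find_anomalies(baseline_flows, window_flows, volume_factor=5):
    """Return (ts, host, dst, reason) alerts for the window.
    A host with no baseline at all has an empty destination set and a
    peak of 0, so every flow from it is flagged on both checks."""
    dests, peak = build_baseline(baseline_flows)
    alerts = []
    for ts, host, dst, nbytes in window_flows:
        if dst not in dests[host]:
            alerts.append((ts, host, dst, "new_destination"))
        if nbytes > volume_factor * peak[host]:
            alerts.append((ts, host, dst, "volume_spike"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse_flows(BASELINE), parse_flows(WINDOW)):
        print(alert)
```

In the constructed window, build-01's 9.8 MB flow to an address never seen in the baseline raises both alerts, and build-02's 2.5 MB push to the internal git host raises only a volume alert.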
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4073195/source-code-and-vulnerability-info-stolen-from-f5-networks.html