F5 has disclosed a serious security incident in which a nation-state threat actor gained access to, and downloaded files from, some key F5 systems, including the company's BIG-IP product development environment and engineering knowledge management platforms.

The company discovered the intrusion in August but did not say when the attackers first gained access to F5’s systems or how long they had access, only that it was “long-term, persistent access”. Among the information the attackers accessed was data about private vulnerabilities in BIG-IP, F5’s app delivery and security platform. BIG-IP is a widely deployed enterprise platform used across many industries.

“We have confirmed that the threat actor exfiltrated files from our BIG-IP product development environment and engineering knowledge management platforms. These files contained some of our BIG-IP source code and information about undisclosed vulnerabilities we were working on in BIG-IP. We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” the company said in a statement on Oct. 15. 

CISA has also issued an emergency directive regarding the F5 incident.

F5 said there is no evidence that the attackers stole data from the company’s CRM or financial systems, but “some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers.” 

The company has also filed an 8-K with the Securities and Exchange Commission about the incident, and said that the intrusion has so far not had a material impact on F5’s operations.

“The Company believes its containment actions have been successful and, since the initiation of its containment efforts, has not observed any evidence of new unauthorized activity. The investigation, monitoring, and related activities are ongoing,” the SEC filing says.

In a separate advisory, F5 also said that it has rotated the signing certificates and keys used to sign F5 digital objects.

What Happened

  • Exfiltrated Data: Files containing some BIG-IP source code and information about undisclosed vulnerabilities in BIG-IP were exfiltrated from the product development environment and engineering knowledge management platforms.
  • No Critical Vulnerabilities or Active Exploitation: F5 said it has no knowledge of undisclosed critical or remote code vulnerabilities and is not aware of active exploitation of any undisclosed F5 vulnerabilities.
  • Customer Data Impact: Some exfiltrated files from the knowledge management platform contained configuration or implementation information for a small percentage of customers. F5 is reviewing these files and will communicate directly with affected customers.
  • Software Supply Chain Intact: F5 brought in both NCC Group and IOActive for independent security reviews, and neither company found evidence of modification to F5's software supply chain, including source code and build and release pipelines.

What To Do Now

F5 has released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. The company strongly advises customers to update to these new releases as soon as possible.