Risks to BIG-IP users include supply-chain attacks, credential loss, and vulnerability exploits:
Thousands of networks—many of them operated by the US government and Fortune 500 companies—face an "imminent threat" of being breached by a nation-state hacking group following the breach of a major maker of software, the federal government warned Wednesday.
F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a "sophisticated" threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a "long-term." Security researchers who have responded to similar intrusions in the past took the language to mean the hackers were inside the F5 network for years.
During that time, F5 said, the hackers took control of the network segment the company uses to create and distribute updates for BIG-IP, a line of server appliances that F5 says is used by 48 of the world's top 50 corporations. Wednesday's disclosure went on to say the threat group downloaded proprietary BIG-IP source code and information about vulnerabilities that had been privately discovered but not yet patched. The hackers also obtained configuration settings that some customers used inside their networks.
Control of the build system and access to the source code, customer configurations, and documentation of unpatched vulnerabilities has the potential to give the hackers unprecedented knowledge of weaknesses and the ability to exploit them in supply-chain attacks on thousands of networks, many of which are sensitive. The theft of customer configurations and other data further raises the risk that sensitive credentials can be abused, F5 and outside security experts said.
Customers position BIG-IP at the very edge of their networks for use as load balancers and firewalls, and for inspection and encryption of data passing into and out of networks. Given BIG-IP's network position and its role in managing traffic for web servers, previous compromises have allowed adversaries to expand their access to other parts of an infected network.
F5 said that investigations by two outside intrusion-response firms have yet to find any evidence of supply-chain attacks. The company attached letters from firms IOActive and NCC Group attesting that analyses of source code and build pipeline uncovered no signs that a "threat actor modified or introduced any vulnerabilities into the in-scope items." The firms also said they didn't identify any evidence of critical vulnerabilities in the system. Investigators, which also included Mandiant and CrowdStrike, found no evidence that data from its CRM, financial, support case management, or health systems was accessed.
[...] The US Cybersecurity and Infrastructure Security Agency has warned that federal agencies that rely on the appliance face an "imminent threat" from the thefts, which "pose an unacceptable risk." The agency went on to direct federal agencies under its control to take "emergency action." The UK's National Cyber Security Centre issued a similar directive.
(Score: 5, Insightful) by Anonymous Coward on Saturday October 18, @03:03PM (18 children)
How do companies like F5 exist? They claim their products enhance "security", but they can't keep their own networks safe? IMHO they need to be forced out of business, and all the company principals and managers need to be logged as never to be hired for any kind of IT work.
I've done some IT work for 30+ years and have never used anything like stuff F5 and others provide. IMHO more layers and "stuff" is more possible holes. Very few people write very good software. As has been written about here and elsewhere, the quality of software has been going down down down.
(Score: 4, Interesting) by Anonymous Coward on Saturday October 18, @03:05PM (1 child)
BTW, "Seattle-based" - hmmm, I wonder if any of their programmers and managers have any connection to another Seattle area company that also has horrific track records for security?
(Score: -1, Offtopic) by Anonymous Coward on Saturday October 18, @05:52PM
"troll" mod? found the triggered person
(Score: 5, Insightful) by Whoever on Saturday October 18, @03:36PM (6 children)
Because managers (typically those with MBAs) want someone else to carry the responsibility. That, plus the fact that many companies see "IT" as a non-core function that is a pure cost center.
(Score: 0) by Anonymous Coward on Saturday October 18, @04:28PM (1 child)
Yeah, I'll give you that on the micro level, but how in the long-run? My guess is they're very good at sales. Bamboozling non-technical buyers at potential customers. They talk about "cost savings" while mentioning "security" and morons buy it. Then it all becomes entrenched. Imagine the cost of getting out of large-scale managed IT software. Well, now imagine the cost of not getting out of managed IT.
My point is: we've been seeing this vicious cycle for years and years. When will people learn?
(Score: 2, Insightful) by anubi on Saturday October 18, @11:39PM
They won't.
The people who make the decisions have no experience or intuition in actually doing this.
Their skill is in prestidigitation of people and finances into apparitions that induce investors to pony up funds.
These people, masters of psychology, reading others "like a book" have gotten into nearly all organizational structures as surely as hackers have gotten into their networks.
Each doing what they know how to do.
I don't believe MBA and technical people can coexist as their goals are too divergent. The technical people follow the means of making something work right; the executive class is bound by meeting economic demands of shareholders. Both parties are committed to violating the other's goals in order to accomplish their own goal.
Now, the MBA is usually considered more valuable by a company ( money - the main reason to have a company ), so if techie puts his goals above the MBA, that techie is dismissed. Technical Enshittification follows.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 1, Insightful) by Anonymous Coward on Saturday October 18, @05:48PM (3 children)
The prevailing attitude is that IT is something to be "outsourced". Move it to the cloud they say.
(Score: 4, Insightful) by anubi on Saturday October 18, @11:52PM (2 children)
Grandpa taught me all about this over 60 years ago.
Something about "having all your eggs in one basket".
Now it's even worse.
Not only are all my eggs in one basket...it's not my basket!!!
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2, Insightful) by khallow on Friday October 31, @01:45AM (1 child)
I'm starting to wonder if maybe they're not your eggs either.
(Score: 2, Interesting) by anubi on Friday October 31, @02:49AM
Newer eggs, uh, no. Like beer. Only rented.
The only things I own are some tools, parts, and various bits of cloth. If I fail to submit accounting for and pay assessed tax on the other stuff, the real owner takes it all back or renders it useless.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 4, Insightful) by bzipitidoo on Saturday October 18, @04:27PM
Yes, this story just screams of corporate recklessness and corner cutting. I think they get away with it because all other corporations behave similarly.
Either it is possible to communicate securely, or it is not possible. With our current knowledge and technology, yes, secure communication is possible. Therefore, anyone who is not communicating securely messed up.
Could be an inside job, or worse, the equivalent of leaving a door unlocked. A weak password, perhaps. Stupid bugs created by bad programmers pressured to crank out code quick, quick, quick.
(Score: 5, Interesting) by JoeMerchant on Saturday October 18, @06:14PM (2 children)
> IMHO more layers and "stuff" is more possible holes.
Agreed.
> Very few people write very good software.
Very much agree.
> the quality of software has been going down down down.
Most software, yes. Though, just yesterday afternoon my corporate overlords granted me access to analyze their IP (my code) using AI tools - Claude Sonnet 4.5 via Cursor in this case. In a matter of a few minutes, I had a withering, but fair, objective evaluation of the quality of some code I had produced for internal use as a proof of concept. I stand by the level of effort I invested in this code: minimal. My time is valuable and spending endless weeks polishing proof of concept code is not in my nature. However, in addition to critique, Claude also presented an action plan to address the many readability, maintainability and other issues present in my code. The time estimates given along with that plan feel about right, if I were doing the job myself - 12-20 weeks to polish a project I whipped out in 2-3 weeks. However, I have a side project I have been building with Claude for the past few weeks, and actual implementation time for those type of 12-20 week estimated implementation time changes is more on the order of 1 to 2 hours when AI is doing the grunt work.
Review is essential, whether the source of the code is AI or human. Understanding of what the code is supposed to be doing is critical for the human, AI will "get it wrong" too often if it's not monitored. However, with this kind of dropping cost of implementation, I am hopeful that quality of code may actually be improving through use of these new tools.
Any tool can, and will, be misused. However, I would estimate that the project I worked on from 1991 through 1997, which a cocky investment group estimated 2-3 months to port from one API to another - but actually took them closer to a year to do the port... Given the specifications of what we wanted that six year development project to do, I believe someone who knows proper modern software development practices with AI assistance could re-implement that project in the space of 2-3 months, with only black-box access to the old running code and users' manual, and that the newly developed code could be (with a firm hand on the AI coder) of good, human developer friendly, maintainable quality.
🌻🌻🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Saturday October 18, @07:41PM (1 child)
Hope for the future, thanks!
How is Claude and other AIs at finding security problems?
I've long envisioned "fuzzing"- long before it was a thing. Can AI do fuzzing? Especially on code that connects to a network?
(Score: 2) by JoeMerchant on Sunday October 19, @02:22AM
>How is Claude and other AIs at...
anything, it's getting better at a shockingly rapid pace at the moment.
It has really good pattern matching assessment, within its context window. Right now the tools are developing somewhat like human management systems: hierarchical documentation systems ensure that details don't get forgotten, attention focusing "roles and responsibilities" assigned to "agents" can be developed into systems which implement plans laid out in the documentation...
The interesting / slightly scary aspect of it is: it knows how to program itself to do these things, if you just focus its attention on developing the effective processes for what you are doing, you can turn it into a much more effective tool than the stand-alone "Hi, how can I help you today?" Google AI-mode chatbot.
So, about security... I'm not sure if my company would appreciate me using my Cursor subscription to search for zero day exploits of our systems or not? Maybe save that for next week. In the meantime, they do have pre-configured "security focus" agents and processes developed with security review in the workflow, just like our corporate procedures - and I suspect similarly effective.
🌻🌻🌻🌻 [google.com]
(Score: 5, Informative) by chucky on Saturday October 18, @09:35PM (4 children)
Well, dear AC, companies like F5 exist because they have a product which is easier to use or has more features than competitors’ products or the competitors have even worse reputation than F5.
I was once a “happy customer” of F5, until we got hacked thru a 10/10 vulnerability. It would not happen if there were not a forgotten open port on the external firewall. But it was left open and it resulted in a rebuild. The attack hit the F5 box, nothing deeper, as far as we could tell.
After that we were no longer happy, but still customers. But then again, what do you choose if competitors’ reputation is even worse? To be fair, F5’s reputation got a serious hit here, but in the end it will be choosing the lesser evil again.
(Score: 0) by Anonymous Coward on Saturday October 18, @10:11PM (1 child)
Was that port being left open really due to the F5? If the breach was not because of the wall, but someone opening a gate and leaving it open, why be unhappy about the wall?
(Score: 3, Informative) by chucky on Sunday October 19, @06:10AM
No, the port was left open by whoever used that internet facing network before. We didn't know. The external firewalls were managed by a major IT provider, one of the top 5. So, this was a combination of mismanaged outsourcing and one trivially exploitable bug on the F5.
(Score: 1, Insightful) by Anonymous Coward on Saturday October 18, @10:51PM (1 child)
Thank you, interesting. My wording wasn't good- I need to hire a writer. :)
What I wanted to ask: how do companies like F5 continue to exist?
I think the world could be much better if people (customers) would stop enabling the bad behavior and please stop buying from companies who have a proven track record of making faulty products. We all weigh pros and cons all the time, but some cons should be considered absolute deal-breakers.
Microsoft is a sadly huge example. In my perfect world they would be forced to completely fix (patch / update) their broken crap until all perceivable bugs are fixed.
Can't fix all those bugs? Don't allow them to sell a "New!" version until the old one is correct.
In my less than perfect, but still quite good world people would have stopped buying Microsoft OSes right around 30 years ago.
(Score: 2) by chucky on Sunday October 19, @06:39AM
If you stop buying from companies selling faulty products, you'll have to write all software yourself; welcome to FOSS. But producing bug free code is hard. Harder than many can imagine. It's also one of the reasons I don't do programming except for single purpose scripting, where I don't need to deal with error handling.
(Score: 1, Touché) by Anonymous Coward on Saturday October 18, @05:00PM (5 children)
In other words it's bullshit clickbait, as is any story that doesn't name the offender. And we all know that "nation-state" means Russia/China/Iran/NKorea, after all, these are the only people that would do this to us, right? The whole thing sounds like "AI" slop.
Too bad we don't send the company officers to prison for this. They probably sold the info through the backdoor, using the "breach" as an excuse
(Score: 1, Insightful) by Anonymous Coward on Saturday October 18, @05:15PM (4 children)
What good would come from revealing the "nation-state"?
(Score: 3, Insightful) by Anonymous Coward on Saturday October 18, @06:15PM (3 children)
Because it requires proof, and a chance for the accused to challenge the charges. This vague bullshit is to distract people from the involved corruption needed for this to happen, and sell aggressive action against perceived "enemies" to the public. In other words, an intentional provocation. Anybody who complains is a terrorist
(Score: 0) by Anonymous Coward on Saturday October 18, @07:51PM (2 children)
More Ivory Tower thinking, if you can call it thinking.
Ironically your answer conflicts with your criticism. Yes it requires proof, and that's a very good reason to not give out the suspects' names until you've gathered enough proof. I can envision many reasons to keep quiet about who they think did it until they've gathered enough irrefutable evidence.
However, I absolutely side with you on a personal level. Like, I think it's very wrong how many cops act, including "no knock" warrants. Absolutely in violation of the US Constitution.
I dunno- it depends on the amount and strength of the evidence.
(Score: 1, Touché) by Anonymous Coward on Saturday October 18, @08:31PM (1 child)
They seemed to have "proof" that it was a "nation-state". If so, they can name them. If not, then the culprit is just as likely a middle age psycho basement dweller in Toledo, Ohio. The way it is presented is to do nothing more than provoke violence against the usual suspects. It's a propaganda piece
(Score: 0) by Anonymous Coward on Saturday October 18, @10:54PM
"Proof" isn't a binary thing. (I guess that makes it non-binary!)
I see the article as responsible and a warning to all F5 users, and frankly anyone who uses similar software.
(Score: 4, Interesting) by corey on Saturday October 18, @11:13PM
The world really needs to move away from always-connected back to isolated offline networks, airgapped. For critical stuff like actual design files, manufacturing data, test results etc. It works for the defence world (airgapped class networks). It seems like it needs to be a government law to force companies to do because they don't seem to care individually. But if a rep hit, with associated one off costs, then move on. Data lost but oh well. For governments, there’s more at stake because they have many companies under their watch, if a lot of them get hacked then the aggregate cost is high for the government (lost IP, actual cost etc).
(Score: 3, Touché) by Mojibake Tengu on Saturday October 18, @11:42PM
No one dares to ask, but I did.
Well, it's a corporate-grade MITM/backdoor, by design. Funny losing source of that.
Funnier to know 48/50 top corpos use the shit.
Rust programming language offends both my Intelligence and my Spirit.
(Score: 2) by sonamchauhan on Sunday October 19, @02:27AM (3 children)
Most organisations use one firewall and router vendor. Why not multiple vendors with totally different architectures -- even if the second 'vendor' is just a cluster of home-baked BSDs?
That way, the vulnerability of one vendor won't be present in the second.
(Score: 5, Informative) by jb on Sunday October 19, @07:11AM (2 children)
What do you mean "just"?
Even pf(4) and iked(8) on their own (let alone when coupled with the rest of the useful tools in OpenBSD's base system) when configured sensibly are likely to provide a far more secure environment than whatever proprietary rubbish the likes of F5 are selling. And if you need some redundancy, carp(4) and pfsync(4) are readily at hand too. All for a total investment (hardware plus staff time) of at least a full order of magnitude less.
As someone else said above, the only reason F5 et al. manage to sell anything at all is that at lots of organisations the people making the buying decisions don't have the faintest clue about how the things they're buying work.
(Score: 2) by chucky on Sunday October 19, @07:32AM
Under the hood of F5 boxes is Linux, though patched heavily, plus their own software on top of it.
(Score: 2) by sonamchauhan on Monday October 20, @06:21AM
Haha! By "just" I was referring to the cost.