Over 266,000 F5 BIG-IP Systems Vulnerable to Remote Hacks

▼ Summary
– Shadowserver Foundation found over 266,000 F5 BIG-IP instances exposed online after F5 disclosed a security breach by nation-state hackers.
– F5 patched 44 vulnerabilities and urged customers to update immediately, though no evidence exists of the stolen flaws being exploited.
– F5 privately linked the attack to China and shared that hackers were active in their network for at least a year, using Brickstorm malware.
– CISA mandated U.S. federal agencies to secure F5 products by specific deadlines and disconnect unsupported devices from the internet.
– Compromised F5 BIG-IP appliances can enable credential theft, lateral movement, and network persistence for attackers.
A significant cybersecurity alert has emerged concerning F5 BIG-IP systems: over 266,000 instances are currently reachable from the internet, and an unknown share of them remain unpatched and open to remote attack. The alert follows a security breach at F5, in which nation-state hackers infiltrated the company’s network and made off with BIG-IP source code and details of undisclosed security flaws in BIG-IP products. F5 has stated it found no evidence that the stolen vulnerability details have been exploited or publicly leaked, but the risk remains high for any system that has not been updated.
On Wednesday, F5 released patches addressing a total of 44 vulnerabilities, including those compromised during the breach. The company is urging all customers to install these updates immediately. Available updates cover BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. F5 strongly advises updating BIG-IP software as soon as possible, even though they currently have no knowledge of any undisclosed critical or remote code execution vulnerabilities being actively abused.
According to a Bloomberg report from Thursday, F5 has privately linked the attack to China in advisories shared with customers, though it has not confirmed this in public statements. F5 has also distributed a threat-hunting guide to customers that references Brickstorm, a Go-based backdoor first documented by Google in April 2024 during an investigation into intrusions by UNC5221, a threat group with ties to China. F5 further informed customers that the attackers maintained access inside its network for at least one year.
UNC5221 has a known history of exploiting Ivanti zero-day vulnerabilities in campaigns aimed at government agencies, deploying custom malware families such as Zipline and Spawnant. The Shadowserver Foundation is now monitoring 266,978 IP addresses with F5 BIG-IP fingerprints. More than half of these, over 142,000, are located in the United States, with a further 100,000 spread across Europe and Asia. Exposure is not the same as vulnerability: it remains unclear how many of these systems have been patched against the newly disclosed flaws.
This week, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring U.S. federal agencies to secure F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF products by applying the latest F5 security patches by October 22. For all other F5 hardware and software appliances on their networks, the deadline is October 31. CISA also mandated that agencies disconnect and decommission any internet-exposed F5 devices that have reached end of support, since those devices will receive no further patches and present easy targets for attackers.
In its directive, CISA instructed Federal Civilian Executive Branch agencies to inventory all F5 BIG-IP products, determine whether their management interfaces are reachable from the public internet, and apply F5 updates promptly. A management interface reachable from the internet is a finding in its own right, regardless of patch level: the Configuration Utility and iControl REST API are meant to sit on a restricted management network, not beside the virtual servers that handle production traffic. In recent years, both nation-state actors and cybercriminal groups have repeatedly targeted BIG-IP vulnerabilities to map internal servers, hijack network devices, breach corporate environments, exfiltrate sensitive data, and deploy destructive malware, including wipers.
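The exposure check CISA describes (is this host a BIG-IP, and is what it exposes the management plane or only a data-plane virtual server?) comes down to fingerprinting HTTP responses. The following is an added example, not code from F5, CISA, Shadowserver or the article, and the three HTTP responses in it are constructed samples rather than captured traffic. It relies on three well-known BIG-IP behaviours: an LTM virtual server stamps a `Server: BigIP` header and a `BIGipServer<pool>` persistence cookie on proxied responses, while the Configuration Utility (TMUI) lives under `/tmui/` and redirects unauthenticated requests to `/tmui/login.jsp`. The indicator names and the `Fingerprint` class are this example's own.

```python
"""Offline fingerprinting of HTTP responses for F5 BIG-IP indicators.

Added example (not F5, CISA or Shadowserver code). Feed it responses you have
collected from your own address space; the samples at the bottom are
constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Fingerprint:
    is_bigip: bool                 # any BIG-IP indicator matched
    management_exposed: bool       # the management plane (TMUI) answered
    indicators: list = field(default_factory=list)


def parse_http_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_line, headers, body).

    Header names are lower-cased; repeated headers such as Set-Cookie are
    kept as lists so nothing is silently dropped.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def fingerprint(raw: str) -> Fingerprint:
    """Classify one response. The checks are heuristics: a data-plane
    virtual server can be configured to strip the Server header and
    persistence cookie, so a negative result is not proof of absence."""
    _status, headers, body = parse_http_response(raw)
    indicators = []
    management = False

    # Data-plane indicators (an LTM virtual server in front of a pool).
    if any(v.lower().startswith("bigip") for v in headers.get("server", [])):
        indicators.append("server-header")
    if any(re.match(r"BIGipServer\S*=", c) for c in headers.get("set-cookie", [])):
        indicators.append("persistence-cookie")

    # Management-plane indicators (the Configuration Utility itself).
    if any("/tmui/login.jsp" in loc for loc in headers.get("location", [])):
        indicators.append("tmui-redirect")
        management = True
    if "/tmui/" in body and "BIG-IP" in body:
        indicators.append("tmui-page")
        management = True

    return Fingerprint(bool(indicators), management, indicators)


def classify(raw: str) -> str:
    """One-word verdict for an inventory spreadsheet."""
    fp = fingerprint(raw)
    if fp.management_exposed:
        return "management-interface-exposed"
    if fp.is_bigip:
        return "bigip-data-plane"
    return "not-bigip"


# Constructed sample responses (not captured traffic).
DATA_PLANE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: BigIP\r\n"
    "Set-Cookie: BIGipServerpool_web=1677787402.20480.0000; path=/; Httponly\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>Welcome</body></html>"
)
MANAGEMENT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /tmui/login.jsp\r\n"
    "Content-Length: 0\r\n\r\n"
)
NOT_BIGIP = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "Set-Cookie: session=abc; Path=/\r\n\r\n"
    "<html>hi</html>"
)

if __name__ == "__main__":
    for name, sample in (("data-plane", DATA_PLANE), ("mgmt", MANAGEMENT), ("nginx", NOT_BIGIP)):
        print(f"{name:10s} -> {classify(sample):30s} {fingerprint(sample).indicators}")
```

A "management-interface-exposed" verdict on a public address is the case the directive singles out; the fix is to pull the interface behind the management network (or the VPN fronting it) rather than only to patch. A "bigip-data-plane" verdict still tells you which hosts need the update, but it does not reveal the software version, so pair the sweep with the version reported by the device itself.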
Once compromised, F5 BIG-IP appliances can provide threat actors with stolen credentials and API keys, enable lateral movement across a victim’s network, and help establish long-term persistence. F5, a Fortune 500 technology leader, delivers cybersecurity, application delivery networking, and related services to more than 23,000 customers globally, including 48 of the Fortune 50 companies.
(Source: Bleeping Computer)