Customers place BIG-IP at the very edge of their networks for use as load balancers and firewalls, and for inspection and encryption of data passing into and out of networks. Given BIG-IP’s network position and its role in managing traffic for web servers, previous compromises have allowed adversaries to expand their access to other parts of an infected network.
F5 said that investigations by two outside intrusion-response firms have yet to find any evidence of supply-chain attacks. The company attached letters from firms IOActive and NCC Group attesting that analyses of source code and build pipeline uncovered no signs that a “threat actor modified or introduced any vulnerabilities into the in-scope items.” The firms also said they didn’t identify any evidence of critical vulnerabilities in the system. Investigators, which also included Mandiant and CrowdStrike, found no evidence that data from its CRM, financial, support case management, or health systems was accessed.
The company released updates for its BIG-IP, F5OS, BIG-IQ, and APM products. CVE designations and other details are here. Two days ago, F5 rotated BIG-IP signing certificates, though there was no immediate confirmation that the move is in response to the breach.
The US Cybersecurity and Infrastructure Security Agency has warned that federal agencies that rely on the appliance face an “imminent threat” from the thefts, which “pose an unacceptable risk.” The agency went on to direct federal agencies under its control to take “emergency action.” The UK’s National Cyber Security Centre issued a similar directive.
CISA has ordered all federal agencies it oversees to immediately take inventory of all BIG-IP devices in networks they run or in networks that outside providers run on their behalf. The agency went on to direct agencies to install the updates and follow a threat-hunting guide that F5 has also issued. BIG-IP users in private industry should do the same.