F5 reports a cyberattack in which hackers breached the development environment. Customer data are believed to be unaffected.
F5 has confirmed that an “advanced cyber attacker” had unauthorized access for months to internal systems, including the BIG-IP development environment. Sensitive files were also exfiltrated. According to F5, this was the work of a state-sponsored actor.
The intruder had prolonged access to the BIG-IP development environment and internal knowledge platforms. Among the stolen data were parts of the BIG-IP source code and information about unreleased vulnerabilities. F5 says these vulnerabilities are not currently being actively exploited and do not include critical issues or remote code execution.
No Customer Data
The IT vendor emphasizes that there is no evidence customer data, CRM systems, or financial systems were compromised. That offers no guarantee the same will be true a week from now. A few exfiltrated files did contain configuration or deployment information for a limited number of customers. F5 will notify affected customers directly.
No access was found to NGINX source code or systems, nor to F5 Distributed Cloud Services or Silverline. Independent security firms have confirmed that F5’s software supply chain remains intact.
Precaution
In response to the incident, F5 has released security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. The company strongly urges customers to install these updates as soon as possible. Additional security measures have also been implemented in the development environment, such as tighter access controls, improved network security, and monitoring tools.
F5 is working with external parties such as CrowdStrike and Mandiant and is also offering customers practical tools. For example, a threat-hunting guide is available, the F5 iHealth tool has been expanded with hardening checks, and guides have been published for SIEM integration and monitoring suspicious logins. Customer support is available for those with questions or concerns about the incident. The IT vendor continues to investigate the affected systems.
