
Hackers quietly snatch data with F5 BIG-IP malware over time

TLDR:

  • A suspected Chinese cyberespionage group tracked as 'Velvet Ant' ran custom malware on F5 BIG-IP appliances to quietly exfiltrate data from a single victim for roughly three years.
  • The attackers compromised outdated, internet-facing F5 BIG-IP appliances, repurposed a legacy appliance as an internal command-and-control server, and kept their foothold through repeated eradication attempts.

A suspected Chinese cyberespionage group tracked as 'Velvet Ant' has been running custom malware on F5 BIG-IP appliances to stealthily exfiltrate data from one company for about three years. The attackers established multiple footholds across the network, including a legacy F5 BIG-IP appliance repurposed as an internal command-and-control server, and used the compromised appliances to steal sensitive customer and financial information without being detected.

The intrusion began with outdated F5 BIG-IP appliances that the company used as its firewall, WAF, load balancer, and local traffic manager. The attackers exploited known remote code execution vulnerabilities in the unpatched appliances to install custom malware, then pivoted to internal file servers and deployed further malware, including PlugX, a remote access trojan used for data collection and exfiltration.

To maintain control and persistence on the network, the attackers also used a set of tools reported under the names PMCD, MCDP, SAMRID, and ESRDE. After the company's eradication efforts, the group redeployed PlugX with new configurations to evade detection, relying on already compromised internal devices to regain and retain access.

Recommended defenses include restricting outbound connections from edge appliances, tightening network segmentation, replacing legacy systems, deploying EDR wherever it can run, and hardening security controls overall. Edge network devices are popular targets precisely because they sit at the perimeter, rarely support endpoint agents, and are frequently left unpatched, so patch management for these devices and intrusion detection around them are essential to prevent similar attacks.
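Two of the recommendations above, restricting outbound connections from the appliances and watching for the appliance being used as an internal relay, can be turned into a simple check over network flow records. The script below is an added example written for this article; it is not code from the original page, from Sygnia, or from F5. The appliance self-IPs, management host, published service ports, egress allowlist, and the flow records are all constructed for illustration. It flags (1) any connection an appliance initiates to a destination that is not on its egress allowlist, and (2) any internal host talking to an appliance on a port other than the services it publishes, unless that host is an approved management host. Because a compromised appliance can alter its own logs, the flows should come from an upstream firewall, switch, or NetFlow collector rather than from the appliance itself.

```python
"""Flag suspicious egress from, and unexpected internal traffic to, edge appliances.

Added example, not from the original article or from Sygnia/F5. All addresses,
ports and flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed inventory: self-IPs of the BIG-IP appliances (hypothetical addresses).
APPLIANCE_IPS = {"10.10.0.5", "10.10.0.6"}

# Ports the appliances legitimately expose to internal clients (hypothetical VIPs).
PUBLISHED_SERVICE_PORTS = {80, 443}

# Hosts allowed to reach the appliances' management plane (hypothetical jump host).
MANAGEMENT_HOSTS = {"10.20.0.10"}

# (destination, port) pairs the appliances may reach outbound (hypothetical:
# internal DNS and NTP, and an egress proxy that fronts vendor update traffic).
# Anything else initiated by an appliance is flagged.
EGRESS_ALLOWLIST = {("10.0.0.53", 53), ("10.0.0.123", 123), ("10.0.0.8", 3128)}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Finding:
    rule: str
    flow: Flow


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated 'ts src dst dport proto' records, one per line.
    Blank lines and '#' comment lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(flows: List[Flow]) -> List[Finding]:
    findings = []
    for f in flows:
        if f.src in APPLIANCE_IPS:
            # Rule 1: the appliance initiated a connection that is not on its egress
            # allowlist. An edge device beaconing out or pushing data to an external
            # host is exactly what "restrict outbound connections" is meant to stop.
            if (f.dst, f.dport) not in EGRESS_ALLOWLIST:
                findings.append(Finding("appliance-egress-not-allowlisted", f))
        elif f.dst in APPLIANCE_IPS and is_internal(f.src):
            # Rule 2: an internal host reached the appliance outside its published
            # service ports and is not a management host. That pattern is consistent
            # with the appliance being used as an internal command-and-control relay.
            if f.dport not in PUBLISHED_SERVICE_PORTS and f.src not in MANAGEMENT_HOSTS:
                findings.append(Finding("internal-host-to-appliance-unexpected-port", f))
    return findings


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = """\
# ts                  src          dst           dport proto
2024-06-17T01:00:00   10.10.0.5    10.0.0.53     53    udp
2024-06-17T01:00:05   10.10.0.5    203.0.113.44  443   tcp
2024-06-17T01:00:09   10.20.0.10   10.10.0.5     22    tcp
2024-06-17T01:00:12   10.30.1.77   10.10.0.5     443   tcp
2024-06-17T01:00:20   10.30.1.77   10.10.0.5     8443  tcp
2024-06-17T01:00:31   10.10.0.6    10.0.0.8      3128  tcp
"""


def summarize(findings: List[Finding]) -> List[Tuple[str, str, str, int]]:
    """Compact (rule, src, dst, dport) tuples, convenient for reporting or tests."""
    return [(x.rule, x.flow.src, x.flow.dst, x.flow.dport) for x in findings]


if __name__ == "__main__":
    for rule, src, dst, dport in summarize(analyze(parse_flows(SAMPLE_FLOWS))):
        print(f"{rule}: {src} -> {dst}:{dport}")
```

On the constructed records this reports the appliance's connection to 203.0.113.44:443 (an external host not on the allowlist) and the internal host 10.30.1.77 reaching the appliance on 8443; the jump host's SSH session and normal client traffic to the published VIP port are not flagged. In a real deployment the allowlist and published ports come from the appliance's actual configuration and change control, and the flows should be fed continuously from the perimeter firewall or a NetFlow collector.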

Recent incidents in which state-sponsored actors exploited vulnerabilities in network devices underline that a perimeter appliance cannot be the only line of defense: segmentation, egress control, and detection behind the edge are needed to limit what a compromised device can do.
