Serious F5 Breach

This is bad:

F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a “long-term.” Security researchers who have responded to similar intrusions in the past took the language to mean the hackers were inside the F5 network for years.

During that time, F5 said, the hackers took control of the network segment the company uses to create and distribute updates for BIG-IP, a line of server appliances that F5 says is used by 48 of the world’s top 50 corporations. Wednesday’s disclosure went on to say the threat group downloaded proprietary BIG-IP source code, information about vulnerabilities that had been privately discovered but not yet patched. The hackers also obtained configuration settings that some customers used inside their networks.

Control of the build system and access to the source code, customer configurations, and documentation of unpatched vulnerabilities has the potential to give the hackers unprecedented knowledge of weaknesses and the ability to exploit them in supply-chain attacks on thousands of networks, many of which are sensitive. The theft of customer configurations and other data further raises the risk that sensitive credentials can be abused, F5 and outside security experts said.

F5 announcement.

Posted on October 23, 2025 at 7:04 AM • 13 Comments

Comments

Clive Robinson October 23, 2025 8:34 AM

Is segregation the best defence?

There is an old truism on security that predates ICTsec by tens of thousands of years,

“If an enemy can not reach the defended position they can not attack it.”

It’s why we have “hill forts”, island forts, mounds, ditches, dykes and moats. And a skill set of building them that became “engineers”.

When ICT started post-WWII, secrets were kept by separating them from people, as with anything valuable in “strong rooms, vaults, safes and lock boxes”.

I think people need to re-evaluate ICT and this century’s mania for interconnectivity “with everything”.

We need to in effect bring in the sappers and engineers and enforce strong segregation or separation to significantly reduce or prevent infiltration.

However this would mean decimating “Cloud Services”, which might not be a bad thing for a whole manner of reasons.

JohnnyS October 23, 2025 11:16 AM

I entirely agree with Clive on this one. I don’t see any solution for security other than physical separation.

The cloud is someone else’s computer, and that someone else does not work for you. Firewall, network, and security software are all written by someone who does not work for you. Application software such as browsers or client software that access the Internet is not written by someone who works for you.

So all your efforts to secure your information and capabilities are dependent on a vast array of tech that was created by people who (1) don’t particularly care about your security, and (2) were the lowest bidders.

lurker October 23, 2025 1:44 PM

@JohnnyS

“The cloud is someone else’s computer,”
Yes, and my stuff on someone else’s computer was never a starter. Yet so many people have been convinced by the sales blurbs ..

“and that someone else does not work for you.”
But if I’m paying them for the service, surely the law of contracts applies. They should be obliged to look after my stuff, no? It takes a lot of lawyers to write the fine print in those contracts, and even more to read it ..

At least the bad guys have read it, and are targeting network software vendors. It says something about those vendors’ dedication to their task that we keep reading about them being the victims of the kind of attacks we expect their products to prevent.

@Dilbert

At least the insurancejournal knows that money likes the internet: the article immediately below this on their sidebar was:
“Why Remote Hires Can Be Your Agency’s Best Recruiting Solution”

tfb October 23, 2025 1:48 PM

How is this supposed ‘physical separation’ meant to work? Let’s say I am someone who makes things involving software which I may want to be able to create updates to for customers. I might also want to accept bug reports from customers.

Well, I could do this by cutting DVDs and posting them. That would have pretty good isolation (let’s not talk about how the customers verify that the DVD that just arrived is from me). But I now have no customers, so not so good, after all.

Well, I need to have some public part of my systems from where customers can download my software. Maybe I now internally copy things with DVDs so the networks are isolated. Now all my programmers have quit, because cutting CDs was really not what they signed up for. And to ensure the isolation is complete I certainly must not accept bug reports other than on paper. Damn, all my customers have gone, again.

Jon October 23, 2025 3:25 PM

@ Clive Robinson and JohnnyS

Oh, there is another way. Simply hold them legally and financially responsible.

But watch them scream as legislation to enable that works its way forwards. J.

TimH October 23, 2025 3:59 PM

@Jon: ” Simply hold them legally and financially responsible.” means that no company will disclose, because the cost of being caught (probably much later) will be lower than the cost of disclosure. Also, every web-facing company will simply include in their contracts a clause absolving any costs incurred by a breach by their customers.

Blackstone October 23, 2025 4:02 PM

@Jon et al

Imposing what you call legal responsibility by enacting statutory remedies will not outlaw bugs, mistakes, backdoors, and problems with existing technology and its implementation.

What it will certainly do is increase prices. With liability comes insurance, and insurance is a cost that most definitely will be passed on.

What’s more, the legislation could result in liability being imposed not only on whomever runs the hacked service, but also on whomever uploaded what was stolen from the hacked service.

Users like the idea of the service having to insure and pay out, but what if users were forced to insure and pay out?

Think about bailment as an analogy. If I hire a storage company and place some physical goods in one of their units/containers, the contract I have with the StorageCo will say certain things about liability. It will probably say something about me being responsible for insuring the contents of the unit/container I rent.

Now suppose parliament enacts a law that imposes liability for data breaches on SaaS providers. It could even include a clause that says that people cannot contract out of the application of the legislation.

What that won’t do is make it illegal for SaaS providers to say they require their users to have data-breach insurance.

It also won’t make it illegal to require their users to indemnify them in the event of losses from a data breach.

Legislation isn’t a blanket cure-all. It depends what the rules actually say, what they prevent, and what they enable.

So segregation may still be the more valid option because I can’t see the US Congress or the EU enacting anything about this anytime soon.

BCS October 24, 2025 1:13 AM

@tfb air gapped development is very much a thing. Basically decide what belongs where, set up each developer with two or more workstations and set up some very specific processes for moving stuff around. If you don’t release more than a few times a month (which is actually very fast for a lot of domains), DVDs are totally viable and wouldn’t even be a big enough hassle that anyone would quit over it.

I know of one company in my home town that does exactly that, and it’s not a very big town.

Clive Robinson October 24, 2025 6:23 AM

@ tfb,

With regards to your question,

“How is this supposed ‘physical separation’ meant to work?”

You are only considering “distribution” and “feedback” which is at the very end of the production chain.

These are systems that are not really of interest to the sorts of attacker given in the article of,

“F5 said a “sophisticated” threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a “long-term.” “

For the most part the “business”, “design”, “development”, “test” and “pack” stages of the production chain do not need connection to external communications.

For the few developers who might need access to online resources they can use separate computers on a physically and electrically/radio segregated network, so that an accidental or deliberate “reconfigure” would not bridge the networks.

Banks and financial houses were doing things this way back in the mid and late 1990’s without issue[1].

As @BCS notes you have to,

“set up some very specific processes for moving stuff around.”

Whilst not intuitive, it’s not rocket science either.

The hard part is actually “beating down” certain personality types. Firstly the MBA types trained on neo-con mantra. Secondly those “new thing” developers that demand “access to the world” for “reasons they cannot sensibly articulate”.

The sooner people accept that the “Cloud” and more generally the “Internet” is not just very high risk business case wise (lock-in effect). But both a security and surveillance nightmare the better.

Then carving the “cloud”, “External AI” and “Internet swamp” out of the organisation except in the very few places that the risks can be mitigated effectively is in most cases the sensible way to go.

[1] I contracted in to this area in the “City of London” for a short while “between more interesting permie jobs” and to pull in some money before three entirely predictable things happened,

1, The expected madness that was Y2K
2, The culling that would follow Y2K
3, What the UK Gov later called IR35 was put in place.

It was obvious back before the 1990’s that Y2K was going to cause a bubble of contracting and an exponential rise in hourly costs via self employed “Consultants” working through a Ltd company for tax reasons. And that after Y2K there would be a revenge “blood bath” / culling by businesses of such people. Because for “money reasons” businesses were not spending on Y2K even in the early 90’s and way, way too many of them were leaving it until past the last sensible minute. As per what we would now call “neo-con mantra”, but back then “blinkered outlook”, or “short term thinking”. With the obvious “supply and demand” sending hourly contracting rates sky high and those tardy businesses having to pay through the nose and any other accessible orifice.

So it was obvious they would want revenge after the turn of the century. But also people can be idiots. All those little one man companies were doing the “Loads of Money” idiocy that the “City Boys” had done in the 80’s… and they were putting Porsche cars on business expenses and in other ways living “Rock Star lifestyles” and not paying any tax, National Insurance, or much of anything else. So at what was drummed up politically as “living on the tax payer” (even though it was exactly what larger businesses were doing and still do).

So I decided getting my feet under the table, and well settled in as a permie, in a company where my abilities would be appreciated long after Y2K and wait it out was the sensible way to go until contracting became viable again.
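The “very specific processes for moving stuff around” that BCS and Clive Robinson mention above are left unspecified in the thread. The script below is an added example, written by the editor and not by either commenter or by F5, of the minimal import-side check such a process needs when artefacts cross an air gap on removable media: a hash manifest is written on the connected side, its root hash is carried separately from the disc (for instance written on the paper transfer log), and the isolated side refuses the disc if the manifest, any listed file, or any unlisted extra file does not match. The manifest layout, the `MANIFEST.sha256` file name, the `ROOT` value carried out-of-band, and all file contents in `run_demo()` are assumptions constructed for this illustration.

```python
"""Verify removable media against a hash manifest before importing it across an air gap.

Added example, not code from the blog post, its commenters or F5. The manifest format
(one 'sha256  relative/path' line per file) and the rule that the manifest's own SHA-256
("root hash") travels out-of-band are assumptions made for this illustration.
"""
import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"  # assumed name of the manifest file on the disc


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large build artefacts are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(media: Path) -> tuple[str, str]:
    """Connected side: hash every file under `media` (except the manifest) in sorted order.

    Returns (manifest_text, root_hash). The root hash must leave the disc by another
    route; if it travels on the disc, whoever can rewrite the disc can rewrite it too.
    """
    lines = []
    for p in sorted(media.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            lines.append(f"{sha256_file(p)}  {p.relative_to(media).as_posix()}")
    text = "\n".join(lines) + "\n"
    return text, hashlib.sha256(text.encode()).hexdigest()


def verify_transfer(media: Path, expected_root: str) -> list[str]:
    """Isolated side: return a list of problems; an empty list means the disc may be imported."""
    manifest_path = media / MANIFEST_NAME
    if not manifest_path.is_file():
        return ["manifest missing"]
    text = manifest_path.read_text()
    # Check the manifest itself first; nothing in it can be trusted until this passes.
    if hashlib.sha256(text.encode()).hexdigest() != expected_root:
        return ["manifest does not match out-of-band root hash"]
    problems: list[str] = []
    listed: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        # Reject entries that could escape the media directory when copied inward.
        if not rel or Path(rel).is_absolute() or ".." in Path(rel).parts:
            problems.append(f"unsafe path in manifest: {rel!r}")
            continue
        listed[rel] = digest
    for rel, digest in listed.items():
        p = media / rel
        if not p.is_file():
            problems.append(f"listed file missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    # Anything on the disc that the manifest does not mention is as suspicious as a mismatch.
    for p in media.rglob("*"):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(media).as_posix()
            if rel not in listed:
                problems.append(f"unlisted file on media: {rel}")
    return problems


def run_demo() -> dict[str, list[str]]:
    """Build a constructed transfer set and verify it clean, tampered, padded and re-manifested."""
    results: dict[str, list[str]] = {}
    original = b"constructed build artefact\n"  # constructed sample content
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "firmware").mkdir()
        (media / "firmware" / "update-build.tgz").write_bytes(original)
        (media / "notes.txt").write_text("constructed release notes\n")
        text, root = build_manifest(media)
        (media / MANIFEST_NAME).write_text(text)
        results["clean"] = verify_transfer(media, root)
        # Attacker swaps the artefact on the disc but cannot alter the root hash on the log.
        (media / "firmware" / "update-build.tgz").write_bytes(b"tampered\n")
        results["tampered"] = verify_transfer(media, root)
        # Restore the artefact, then smuggle an extra file onto the disc.
        (media / "firmware" / "update-build.tgz").write_bytes(original)
        (media / "extra.bin").write_bytes(b"unexpected\n")
        results["extra"] = verify_transfer(media, root)
        # Attacker rewrites the manifest to cover the extra file; the out-of-band root catches it.
        text2, _ = build_manifest(media)
        (media / MANIFEST_NAME).write_text(text2)
        results["rewritten_manifest"] = verify_transfer(media, root)
    return results


if __name__ == "__main__":
    for scenario, problems in run_demo().items():
        print(f"{scenario}: {'ACCEPT' if not problems else problems}")
```

The point of keeping the root hash off the disc is the same one the thread makes about physical separation: the check only means something if the thing being checked and the reference it is checked against cannot both be reached by the same attacker. In practice the connected side would also sign the manifest with a key the isolated side already holds, but a signature verifier pulled in from the connected network is exactly the kind of software the thread is worried about, so the hash-plus-log version is the one that needs nothing but the standard library on the isolated side.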
