How ‘Velvet Ant’ Exploited F5 BIG-IP Appliances


In a sophisticated cyberattack, a group of suspected Chinese cyberespionage actors known as ‘Velvet Ant’ targeted F5 BIG-IP appliances to gain a persistent foothold within internal networks. Their stealthy approach allowed them to steal sensitive customer and financial data over a period of three years without detection.

Sygnia, a cybersecurity firm, discovered the intrusion when called in to investigate. Velvet Ant established multiple footholds across the victim organization’s network, including an outdated F5 BIG-IP appliance functioning as an internal command and control (C2) server.

The attackers exploited two exposed and vulnerable F5 BIG-IP appliances used for firewall, load balancing, and local traffic management. Known remote code execution flaws allowed them to install custom malware on these devices.

The attackers gained access to internal file servers and deployed PlugX, a modular remote access Trojan (RAT). PlugX has been used by various Chinese hackers for data collection and exfiltration for over a decade.

Beyond PlugX, the attackers deployed other malware on the compromised F5 BIG-IP appliance:

  • PMCD: Connects to the C&C server hourly, executing commands via ‘csh’ for remote control.
  • MCDP: Captures network packets, ensuring persistent network monitoring.
  • SAMRID (EarthWorm): An open-source SOCKS proxy tunneler for secure communication.
  • ESRDE: Similar to PMCD, it uses ‘bash’ for remote command execution and persistence.

By retaining access through the compromised F5 BIG-IP appliance, the attackers blended their traffic with legitimate network activity. This method bypassed corporate firewalls and outbound traffic restrictions, allowing them to steal data without raising alarms.

Despite eradication efforts, the hackers re-deployed PlugX with new configurations using compromised internal devices. To counter such threats:

  • Restrict outbound connections.
  • Control management ports and enhance network segmentation.
  • Prioritize replacing legacy systems and tightening security controls.
  • Deploy robust EDR systems with anti-tampering features.
  • Enhance security for edge devices through patch management and intrusion detection.
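The PMCD beacon described above connects to its C&C server hourly, which is exactly the kind of steady outbound cadence that the "restrict outbound connections" recommendation is meant to expose. The Python below is an added example (not from the article or from Sygnia's report) that flags an edge appliance contacting an external host at a near-constant interval in flow records; the appliance IPs, destinations and log format are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow records (hypothetical, not from the incident):
# timestamp, source IP, destination IP, destination port.
SAMPLE_FLOWS = """\
2024-05-01T00:02:11Z 10.20.0.5 203.0.113.77 443
2024-05-01T00:30:40Z 10.20.0.5 10.20.1.40 443
2024-05-01T01:02:09Z 10.20.0.5 203.0.113.77 443
2024-05-01T02:02:14Z 10.20.0.5 203.0.113.77 443
2024-05-01T02:41:03Z 10.20.0.5 198.51.100.20 443
2024-05-01T03:02:10Z 10.20.0.5 203.0.113.77 443
2024-05-01T04:02:12Z 10.20.0.5 203.0.113.77 443
2024-05-01T04:15:00Z 10.20.0.9 198.51.100.20 443
2024-05-01T05:02:08Z 10.20.0.5 203.0.113.77 443
"""

# Hypothetical self-IPs of BIG-IP appliances that have no business initiating external connections.
EDGE_APPLIANCES = {"10.20.0.5"}

def is_external(ip):
    # Simplified RFC 1918 check: anything outside 10/8, 172.16/12, 192.168/16 is treated as external.
    a, b, *_ = map(int, ip.split("."))
    return not (a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168))

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return flows

def find_beacons(flows, min_hits=4, max_jitter=60.0):
    """Return {(src, dst): mean_interval_seconds} for edge appliances that reach an
    external host at a steady cadence (inter-arrival spread at most max_jitter seconds)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if src in EDGE_APPLIANCES and is_external(dst):
            by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons[pair] = mean(gaps)
    return beacons

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval:.0f}s")
```

On the sample data only the 10.20.0.5 to 203.0.113.77 pair is reported, at roughly 3600 seconds; the one-off external connection and the internal traffic are ignored.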

Similar incidents include China-linked hackers exploiting Fortinet zero-days, unpatched SonicWall SMA appliances targeted by Chinese hackers, and Russian APT28 deploying custom malware on Cisco IOS routers and Barracuda ESG devices.

In summary, the Velvet Ant breach underscores the need for vigilant security practices and multi-layered defenses to thwart persistent threat groups and protect critical data.
