Overview
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive calling the threat an imminent risk to federal networks and set an October 22 deadline for agencies to inventory their F5 devices and apply the vendor's updates.
- F5 says the intruders maintained long-term access and exfiltrated portions of BIG-IP source code, internal research on undisclosed flaws, and configuration or implementation details for a small percentage of customers, who are being notified.
- The company reports no evidence to date of software supply-chain tampering or exploitation of the undisclosed vulnerabilities, citing reviews by NCC Group and IOActive, and says CRM, financial, support case management, iHealth, NGINX, Distributed Cloud, and Silverline systems were not accessed.
- F5 released updates for BIG-IP, F5OS, BIG-IQ, BIG-IP Next for Kubernetes, and the APM clients, and says it has contained the intrusion and hardened its environment through credential rotation, tighter access controls, and enhanced monitoring.
- F5 has not confirmed attribution, though some media outlets have linked the activity to a China-associated group using the 'Brickstorm' malware. F5 shares fell about 12% following the disclosure.