TechRadar
Sead Fadilpašić

Hackers target F5 products with dangerous malware

Representational image of a cloud firewall.

A hacking collective was stealing sensitive information from a company, using vulnerable F5 BIG-IP appliances to break in and achieve persistence.

A report from cybersecurity researchers Sygnia outlined how the group, which is suspected to be of Chinese origin, found multiple F5 BIG-IP endpoints running vulnerable OS versions.

They used the known vulnerabilities to deploy PlugX, a modular remote access Trojan (RAT) that is reportedly the go-to tool for many Chinese threat actors. PlugX, available on the black market for roughly a decade now, is usually used to harvest and exfiltrate information from compromised endpoints.

Velvet Ant

Besides PlugX, the group used a whole slew of other malware, including PMCD (used to maintain remote control), MCDP (used for persistent network monitoring), SAMRID (also known as EarthWorm, a SOCKS proxy tunneler), and ESRDE (used for remote command control and persistence). Sygnia reports that despite extensive eradication efforts following the breach's discovery, the hackers re-deployed PlugX with new configurations to avoid detection, using compromised internal devices such as the F5 appliances to retain access.

While Sygnia did not name the vulnerable organization (which is allegedly based in East Asia), it did say that removing malware from F5 BIG-IP instances was a challenge, and that the group redeployed PlugX as soon as the devices were cleaned.

The researchers now recommend that vulnerable organizations take multiple steps, including restricting outbound connections, implementing strict controls over management ports, deploying robust EDR systems, enhancing security for edge devices, and, ultimately, replacing legacy systems. After all, the targeted devices were running vulnerable versions of the operating system, and the attacks could have been avoided by simply keeping the devices updated.

The group is dubbed Velvet Ant.

Via BleepingComputer
