Internet security nonprofit Shadowserver Foundation has found more than 266,000 F5 BIG-IP instances exposed online after the security breach disclosed by cybersecurity company F5 this week.
The company revealed on Wednesday that nation-state hackers breached its network and stole source code and information on undisclosed BIG-IP security flaws, but found no evidence that the attackers had leaked or exploited the undisclosed vulnerabilities in attacks.
The same day, F5 also issued patches to address 44 vulnerabilities (including the ones stolen in the cyberattack) and urged customers to update their devices as soon as possible.
"Updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients are available now," the company said. "Though we have no knowledge of undisclosed critical or remote code execution vulnerabilities, we strongly advise updating your BIG-IP software as soon as possible,".
While it has yet to confirm it publicly, F5 has also linked the attack to China in private advisories shared with customers, according to a Thursday Bloomberg report,
F5 has also been sharing a threat-hunting guide with its customers that mentions the Brickstorm malware, a Go-based backdoor first spotted by Google in April 2024 during an investigation into attacks orchestrated by the UNC5291 China-nexus threat group. F5 also told customers that the threat actors were active in the company's network for at least a year.
UNC5291 was previously linked to exploiting Ivanti zero-days in attacks targeting government agencies, using custom malware such as Zipline and Spawnant.
The Shadowserver Internet watchdog group is now tracking 266,978 IP addresses with an F5 BIG-IP fingerprint, nearly half of them (over 142,000) in the United States and another 100,000 in Europe and Asia.
However, there is no information on how many of them have already been secured against attacks that could potentially exploit the BIG-IP vulnerabilities disclosed this week.
F5 devices exposed online (Shadowserver)
... continue reading