
"F5 Exposed to Nation-State Breach - F5 disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities in the product. The company said it learned of the incident on August 9, 2025, although it's believed that the attackers were in its network for at least 12 months."
"GreyNoise said it observed elevated scanning activity targeting BIG-IP in three waves on September 23, October 14, and October 15, 2025, but emphasized the anomalies may not necessarily relate to the hack. Censys said it identified over 680,000 F5 BIG-IP load balancers and application gateways visible on the public internet, with the majority of hosts located in the U.S., followed by Germany, France, Japan, and China."
Long-term, silent breaches are increasingly common, with attackers residing in networks for months before discovery. F5 experienced a breach in which threat actors stole BIG-IP source code and information about undisclosed vulnerabilities. Attackers reportedly used BRICKSTORM malware, linked to a China-nexus espionage group dubbed UNC5221. GreyNoise observed elevated scanning targeting BIG-IP on several dates, while Censys identified over 680,000 F5 BIG-IP devices visible on the public internet. Not all exposed devices are necessarily vulnerable, but each publicly accessible interface requires inventorying, access restrictions, and proactive patching. Defenders should prioritize continuous visibility, threat hunting, and alertness to unexpected activity.
Read at The Hacker News