Updated advisory: F5 discloses breach by highly sophisticated nation-state threat actor
Updated information building on our advisory from October 16th

Find our original advisory from October 16th here.
Both mnemonic Threat Intelligence and our product support departments have received a wide range of follow-up questions and requests for clarification since the initial breach notification provided by F5 on October 15th.
mnemonic has been in continuous contact with F5 since the news first broke, and we have been working closely with them both to collect information requirements and provide answers to our customers' questions. This update contains details and assessments from this process.
Reduced risk
Technical contacts at F5 have been transparent about the timeline, breach vector and scope of the incident, and about the technical capabilities they have relied on in their investigation. Based on our experience from similar situations, their conclusions so far are plausible and overall credible.
They have also communicated that at this point there are limits on what information they are able to share publicly. We do not expect significant new details regarding the breach. F5 will, however, notify affected customers directly as soon as those customers are identified from the leaked "configuration or implementation information for a small percentage of customers" mentioned in their initial statement.
Overall, we have a solid impression of F5's approach to the current breach investigation.
With the information shared from F5, we now consider there to be a reduced risk of:
- Dramatic changes in the scope and impact of the breach
- Undisclosed zero day vulnerabilities posing a threat to customers
- F5 as an organisation being leveraged as an attack vector towards customers
mnemonic has received verification from F5 that the patches released on October 15th are not connected to the attack on F5 itself.
Confusion regarding Threat Hunting guide and the Indicators of Compromise
There has been some confusion regarding the Threat Hunting guide and the Indicators of Compromise shared by F5 with regards to relevance and intended usage.
These documents should be seen as general advice and information that you should apply to your infrastructure. The information is not specific to any F5 technology or platform.
In other words, they should be seen as standard guidance and an indicator set, to be included in your regular detection engineering and threat hunting that is applied to your whole environment.
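To make the intended usage concrete, the following is an added example, not code from mnemonic or F5: a format-agnostic sweep that applies an indicator set to logs from several kinds of systems (a BIG-IP audit line, a proxy log, Windows process events), so that a hit is found wherever it occurs, not only on the F5 appliances. Every indicator, hostname and log line in it is a constructed placeholder; F5's actual indicators are in their published guide.

```python
"""Added example: sweep a generic IOC set across logs from the whole environment.

Indicators and log lines below are constructed placeholders (TEST-NET addresses,
example.* domains, a dummy hash). They are NOT the indicators published by F5.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator set, one bucket per observable type.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-cdn.example", "telemetry.example.net"},
    "sha256": {"0123456789abcdef" * 4},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def extract_observables(line):
    """Pull IPs, domains and SHA-256 hashes out of an arbitrary log line.

    Deliberately format-agnostic: the sweep should not care whether the line
    came from a BIG-IP, a proxy or a Windows host.
    """
    found = {"ip": set(), "domain": set(), "sha256": set()}
    for candidate in IP_RE.findall(line):
        try:
            ipaddress.ip_address(candidate)  # drops non-addresses like 999.1.1.1
            found["ip"].add(candidate)
        except ValueError:
            pass
    found["domain"].update(d.lower() for d in DOMAIN_RE.findall(line))
    found["sha256"].update(h.lower() for h in SHA256_RE.findall(line))
    return found


def sweep(logs, iocs=IOCS):
    """logs: iterable of (source_host, log_line).

    Returns {source_host: [(ioc_type, value), ...]} for hosts with at least
    one matching indicator; hosts without hits are omitted.
    """
    hits = defaultdict(list)
    for source, line in logs:
        observed = extract_observables(line)
        for kind, values in observed.items():
            for value in sorted(values & iocs[kind]):
                hits[source].append((kind, value))
    return dict(hits)


# Constructed sample log lines from different platforms.
SAMPLE_LOGS = [
    ("bigip-edge-01", "Oct 20 10:01:02 bigip-edge-01 audit: user admin ssh login from 203.0.113.45"),
    ("proxy-01", "10:05:11 CONNECT telemetry.example.net:443 from 10.0.0.5 status=200"),
    ("ws-finance-07", "EventID=4688 NewProcessName=C:\\Temp\\svc.exe Hash=" + "0123456789abcdef" * 4),
    ("ws-hr-02", "EventID=4624 LogonType=10 SourceIp=10.0.0.12"),
]

if __name__ == "__main__":
    for host, matches in sweep(SAMPLE_LOGS).items():
        for kind, value in matches:
            print(f"{host}: {kind} indicator {value}")
```

Run against the constructed sample, the sweep reports one hit each on the BIG-IP, the proxy and a finance workstation, and nothing on the HR workstation, which is the point: scoping the hunt to the F5 estate alone would have missed two of the three.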
Remaining concerns
Our remaining concerns in this situation are:
- Source code exposure leading to future discovery of exploitable vulnerabilities
- Customer organisations that for some reason have been unable to apply the recommended updates (remediating the already known vulnerabilities)
There have also been some questions regarding the nature of the CrowdStrike Falcon EDR service mentioned in K000154696. F5 has since released more information on the topic, and based on that documentation, the service involves installing and running the Falcon EDR sensor directly on the BIG-IP system itself.
Resources
If you are an F5 customer and would like more information, please reach out and we will assist in facilitating a one-to-one session.
Please see the following knowledge base articles for more information:
- K000157015: Getting Started with Falcon sensor for BIG-IP - https://my.f5.com/manage/s/article/K000157015
- K000156881: Install Falcon sensor for BIG-IP on the BIG-IP system - https://my.f5.com/manage/s/article/K000156881
- mnemonic's advisory (October 16th)