Cybersecurity threats have evolved beyond traditional attack vectors. One such sophisticated campaign involves the exploitation of F5 BIG-IP appliances by a group known as ‘Velvet Ant.’ In this blog post, we delve into the details of this stealthy data theft operation, shedding light on the techniques employed and the implications for organizations worldwide.

According to a Sygnia report, which discovered the breach after being called in to investigate the cyberattack, Velvet Ant established multiple footholds across the network, including a legacy F5 BIG-IP appliance that served as an internal command and control (C2) server.

The ‘Velvet Ant’ Group

The ‘Velvet Ant’ group, suspected to have ties to Chinese state-sponsored actors, has been active since at least 2017. Their primary focus is on cyber espionage, targeting government entities, defense contractors, and critical infrastructure organizations. Their modus operandi involves gaining persistent access to internal networks, exfiltrating sensitive data, and maintaining long-term presence without detection.

F5 BIG-IP Appliances: A Prime Target

F5 BIG-IP appliances are widely used for load balancing, application delivery, and security functions. Unfortunately, their ubiquity also makes them an attractive target for threat actors. The ‘Velvet Ant’ group leverages vulnerabilities in these devices to achieve their objectives.

The Malware Campaign

• Initial Compromise: The group gains initial access through known vulnerabilities in F5 BIG-IP devices. These vulnerabilities allow them to bypass authentication and execute arbitrary code.
• Custom Malware Deployment: Once inside the network, the attackers deploy custom malware tailored for F5 BIG-IP appliances. This malware establishes a covert channel for communication, allowing the group to maintain persistence.
• Data Exfiltration: The malware exfiltrates sensitive data, including intellectual property, classified documents, and personally identifiable information (PII). The stealthy nature of the operation ensures that data theft remains undetected for extended periods.
• Lateral Movement: The ‘Velvet Ant’ group moves laterally within the network, escalating privileges and accessing additional resources. They carefully avoid triggering alarms or arousing suspicion.
• Long-Term Presence: Unlike traditional smash-and-grab attacks, this group aims for longevity. By maintaining a foothold, they can continuously monitor and extract valuable information.

Mitigation Strategies

• Patch Management: Regularly update F5 BIG-IP devices to address known vulnerabilities. Timely patching reduces the attack surface.
• Network Segmentation: Isolate critical systems from less secure segments to limit lateral movement.
• Behavioral Analytics: Implement solutions that detect anomalous behavior within the network. Unusual data flows or unauthorized access attempts should trigger alerts.
• Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence. Early detection of emerging threats is crucial.