Chinese Hackers Exploiting F5 Load Balancers for Over Two Years – Your Network Could Be Next!

A sophisticated state-sponsored threat actor, assessed to be China-nexus, infiltrated a large organization’s network for three years. The attackers exploited a legacy internet-facing F5 BIG-IP appliance for internal command and control and maintained persistence by establishing footholds throughout the environment.

Their ability to quickly switch to other footholds after being discovered illustrates the importance of strong defenses against threats sponsored by foreign governments.

A holistic approach combining continuous monitoring, threat hunting, stringent traffic controls, and hardening of both legacy and public-facing devices is crucial to deter and counter such persistent actors.

Sygnia’s Velocity XDR system, showing the three files that were created by the malware on an infected system. 

The attackers used DLL search order hijacking to load a malicious DLL from a legitimate application, then leveraged this DLL to inject code into Svchost processes. By analyzing memory dumps of the injected processes, investigators identified stolen credentials and internal network scanning activity.
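Search order hijacking works because a DLL placed in the application’s own directory is found before the legitimate copy in System32. One way to hunt for it across a module inventory is to flag any DLL that carries a system DLL’s name but loads from an untrusted directory. The following is an added example, not Sygnia’s tooling or any artifact from the report; the trusted directories, DLL shortlist and module list are constructed sample data.

```python
"""Flag loaded DLLs whose name matches a known system DLL but whose path is
outside the system directories: the shadowing pattern behind DLL search
order hijacking.  Added example; the module inventory below is constructed."""
from pathlib import PureWindowsPath

# Directories from which system DLLs are expected to load (assumption: a
# default Windows install on drive C:).
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Names of System32 DLLs that are frequently shadowed.  Constructed shortlist
# for the example; a real baseline would be built from a clean reference host.
SYSTEM_DLL_NAMES = {
    "version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll", "wtsapi32.dll",
}


def find_dll_shadowing(loaded_modules):
    """loaded_modules: iterable of (pid, process_image, dll_path).

    Returns one finding per DLL that shares a system DLL's file name but was
    loaded from a directory outside TRUSTED_DIRS."""
    findings = []
    for pid, image, dll_path in loaded_modules:
        path = PureWindowsPath(dll_path)
        name = path.name.lower()
        parent = str(path.parent).lower()
        if name in SYSTEM_DLL_NAMES and parent not in TRUSTED_DIRS:
            findings.append({
                "pid": pid,
                "process": image,
                "dll": name,
                "loaded_from": str(path.parent),
            })
    return findings


# Constructed module inventory, in the shape an EDR module list or
# `tasklist /m` export would give.  Paths and names are sample values.
SAMPLE_MODULES = [
    (1204, r"C:\Program Files\VendorApp\app.exe", r"C:\Windows\System32\kernel32.dll"),
    (1204, r"C:\Program Files\VendorApp\app.exe", r"C:\Program Files\VendorApp\version.dll"),
    (3377, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll"),
    (4410, r"C:\Users\alice\AppData\Local\Tool\tool.exe", r"C:\Users\alice\AppData\Local\Tool\dwmapi.dll"),
]

if __name__ == "__main__":
    for f in find_dll_shadowing(SAMPLE_MODULES):
        print(f"pid {f['pid']}: {f['process']} loaded {f['dll']} from {f['loaded_from']}")
```

Expect some benign hits from vendor redistributables that ship their own copies of these DLLs; the check is a hunting lead, and each hit should be confirmed by hashing the file against the System32 copy and reviewing its signature.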

They also used Impacket to move laterally and to tamper with EDR products. The investigation further revealed a PlugX C&C server and a local firewall rule created by the malware.

Snippet from a memory dump of an injected ‘Svchost’ process, showing credential harvesting.

Hackers compromised F5 BIG-IP appliances that were directly exposed to the internet. By exploiting vulnerabilities in the appliances’ outdated operating system, they gained remote access, created a reverse SSH tunnel to a C&C server, and then used the appliances as a pivot point to infect a file server with PlugX malware.

PlugX on the file server acted as an internal C&C server, allowing hackers to move laterally through the network by enumerating active connections, listing directories, and transferring additional PlugX variants using WmiExec over SMB. 

Because this SMB traffic was not encrypted, the hackers’ tactics, techniques, and procedures (TTPs) could be reconstructed from the captured SMB communication.
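The WmiExec activity described above also leaves a host-side trace: Impacket’s wmiexec defaults launch `cmd.exe /Q /c` through the WMI provider host and redirect output to the loopback `ADMIN$` share under a `__<timestamp>` file name. The following is an added example, not from the report or from Sygnia; it scores constructed process-creation records (the fields of Security Event ID 4688) against that default pattern.

```python
"""Score Windows process-creation events (Event ID 4688 fields) for the
default Impacket wmiexec shape.  Added example; the events are constructed."""
import re

# Default wmiexec output redirection: ' 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1'
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1", re.IGNORECASE
)


def score_event(event):
    """Return (score, reasons) for one event dict with the keys
    'parent_image', 'new_process_name' and 'command_line'."""
    reasons = []
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["new_process_name"].rsplit("\\", 1)[-1].lower()
    cmdline = event["command_line"]
    if parent == "wmiprvse.exe" and child == "cmd.exe":
        reasons.append("cmd.exe spawned by the WMI provider host")
    if "/q /c" in cmdline.lower():
        reasons.append("quiet cmd.exe /Q /c invocation")
    if WMIEXEC_REDIRECT.search(cmdline):
        reasons.append("output redirected to loopback ADMIN$ share with __ prefix")
    return len(reasons), reasons


def find_wmiexec(events, threshold=2):
    """Return the events scoring at or above threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"event": ev, "score": score, "reasons": reasons})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


# Constructed 4688-style records; none of these values come from the report.
SAMPLE_EVENTS = [
    {  # matches the default wmiexec shape on every indicator
        "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "new_process_name": r"C:\Windows\System32\cmd.exe",
        "command_line": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.123 2>&1",
    },
    {  # ordinary interactive shell opened from the desktop
        "parent_image": r"C:\Windows\explorer.exe",
        "new_process_name": r"C:\Windows\System32\cmd.exe",
        "command_line": r"cmd.exe",
    },
    {  # legitimate WMI-launched script: only the parent/child pair matches
        "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "new_process_name": r"C:\Windows\System32\cmd.exe",
        "command_line": r"cmd.exe /c C:\Scripts\inventory.bat",
    },
]

if __name__ == "__main__":
    for hit in find_wmiexec(SAMPLE_EVENTS):
        print(hit["score"], hit["event"]["command_line"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Operators can change the share, the file prefix and the shell, so the redirect regex is the brittle indicator; the WmiPrvSE.exe to cmd.exe parent-child relationship is the durable one, which is why the scoring keeps it as a separate reason rather than requiring the full default command line.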

Diagram showing how the F5 appliance was leveraged by the threat actor as a persistent beachhead, used to move laterally and execute remote commands on different servers.

Forensic analysis of the F5 appliances by Sygnia revealed four malicious binaries. VELVETSTING, a tool that connected to the attacker’s C&C server every hour to receive commands encoded with a passphrase, was executed via csh. VELVETTAP captured network packets on the management interface; both were added to /etc/rc.local for persistence. SAMRID, an open-source SOCKS proxy used by Chinese threat actors, was identified but not running, while ESRDE, similar to VELVETSTING but using bash, was also found inactive.
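Entries in /etc/rc.local survive reboots and rarely change on an appliance, so comparing the file against an approved baseline is a cheap persistence check. The following is an added example, not from the report or from F5; the rc.local content, the baseline command and the paths in it are constructed, and the binary shortlist reflects the report’s description of one tool started through csh and one capturing management traffic.

```python
"""Audit an rc.local-style boot script against an approved baseline.
Added example; the script content and baseline below are constructed."""
import shlex

# Commands an operator approved for this appliance (assumption: the baseline
# is kept off the appliance, e.g. in configuration management).
APPROVED_BASELINE = {
    "/usr/local/bin/start-health-check",
}

# Interpreters and capture tools whose presence in a boot script deserves a
# look: the report describes a binary launched via csh and one capturing
# packets on the management interface.
SUSPICIOUS_BINARIES = {"csh", "tcsh", "bash", "sh", "tcpdump", "tshark", "nc", "socat"}


def parse_rc_local(text):
    """Return the executable commands in the script, skipping the shebang,
    comments, blank lines and a bare 'exit 0'; trailing '&' is dropped."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue
        commands.append(line.rstrip("&").strip())
    return commands


def audit_rc_local(text, baseline=APPROVED_BASELINE):
    """Classify each command as 'approved', 'suspicious' or 'unknown'."""
    report = []
    for cmd in parse_rc_local(text):
        if cmd in baseline:
            report.append((cmd, "approved"))
            continue
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            argv = cmd.split()
        binary = argv[0].rsplit("/", 1)[-1] if argv else ""
        verdict = "suspicious" if binary in SUSPICIOUS_BINARIES else "unknown"
        report.append((cmd, verdict))
    return report


# Constructed sample; interface name and paths are placeholders, not IoCs.
SAMPLE_RC_LOCAL = """#!/bin/sh
# rc.local - constructed sample, not a real appliance file
/usr/local/bin/start-health-check &
/bin/csh -c /var/tmp/.cache/beacon >/dev/null 2>&1 &
/usr/sbin/tcpdump -i mgmt -w /var/tmp/.cache/mgmt.pcap &
/opt/vendor/agent --daemon
exit 0
"""

if __name__ == "__main__":
    for cmd, verdict in audit_rc_local(SAMPLE_RC_LOCAL):
        print(f"{verdict:<10} {cmd}")
```

Anything that is not approved needs a human decision: unknown entries get added to the baseline once explained, and suspicious ones get the referenced binary hashed and pulled for analysis before the appliance is touched further, so that the evidence of what started at boot is preserved.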

Kaaviya
Kaaviya, https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
