Chinese Hackers Leveraged Legacy F5 BIG-IP Appliance for Persistence

Chinese Hackers Leveraged Legacy F5 BIG-IP Appliance for Persistence

June 18, 2024 at 12:36PM

A state-sponsored threat actor, Velvet Ant, maintained persistent access to a victim organization’s network for three years using a legacy F5 BIG-IP appliance, deploying various tools and techniques to compromise critical systems and access sensitive data. The cybersecurity firm Sygnia believes they are a China-based threat actor with sophisticated OPSEC and advanced hacking capabilities.

From the meeting notes, it is evident that the cybersecurity firm Sygnia discovered a state-sponsored threat actor, named Velvet Ant, who maintained persistent access to a victim organization’s network for three years. Velvet Ant achieved this through various mechanisms, including the use of legacy F5 BIG-IP appliances and deploying dormant persistence mechanisms in unmonitored systems. The threat actor utilized tools such as PlugX remote access trojan (RAT), DLL search order hijacking, DLL sideloading, Impacket for lateral transfer, and more to compromise critical systems and access sensitive data.

Furthermore, Velvet Ant demonstrated a high level of operational security (OPSEC) awareness by evading security software and employing techniques to avoid detection. After being eliminated from the victim’s network, Sygnia observed Velvet Ant infecting new machines and maintained access to the legacy file server through F5 BIG-IP appliances.

Sygnia believes that Velvet Ant is a state-sponsored threat actor operating out of China, based on the targeted organization, the use of ShadowPad and PlugX malware, and the use of DLL sideloading techniques. This highlights the sophisticated nature of the threat actor’s activities and the need for strong cybersecurity measures to combat such threats.

Full Article