June 17, 2024 at 01:41PM
The group Velvet Ant, believed to be Chinese cyberespionage actors, deployed custom malware on F5 BIG-IP appliances to establish persistent connections and steal data from a company undetected for nearly three years. Sygnia discovered the intrusion, outlining the attack methods and re-infection chain. They also provided defense recommendations to counter such attacks from sophisticated threat groups like Velvet Ant.
From the meeting notes, the key takeaways are:
– The suspected Chinese cyberespionage group ‘Velvet Ant’ has been deploying custom malware on F5 BIG-IP appliances to gain persistent connections to internal networks and steal sensitive data.
– The attackers used compromised F5 BIG-IP devices to stealthily steal sensitive customer and financial information for three years without being detected.
– The attackers installed various types of custom malware on the F5 BIG-IP appliances, including remote access Trojan (RAT), network monitoring tools, SOCKS proxy tunneler, and other malware for remote command control and persistence.
– Despite eradication efforts, the hackers redeployed the malware with new configurations to avoid detection, using compromised internal devices like the F5 appliances to retain access.
– Sygnia recommends a multi-layered and holistic security approach to counteract sophisticated and persistent threat groups like Velvet Ant, including measures such as restricting outbound connections, enhancing network segmentation, replacing legacy systems, deploying robust endpoint detection and response (EDR) systems, and enhancing security for edge devices through patch management, intrusion detection, and migration to cloud-based solutions.
Furthermore, the notes mention various incidents of cyberattacks involving the exploitation of vulnerabilities in network devices from different brands, such as Fortinet, SonicWall, Cisco, Barracuda, and Palo Alto Networks, by state-sponsored threat actors to install custom malware and steal data. These incidents serve as additional examples highlighting the importance of robust security measures and device patching to defend against such threats.
Let me know if you need any further details or if there is anything else I can assist you with.