Chinese Hackers Compromised Large Organization's F5 BIG-IP Systems for 3 Years
Researchers who were called in to investigate a cyberattack on a large organization in late 2023 have traced the activity to a sophisticated Chinese-linked threat actor group dubbed 'Velvet Ant', based on its tactics and infrastructure.
The investigation found that Velvet Ant had infiltrated the company's network at least three years before the incident using the remote access trojan PlugX, which granted the threat actors access to sensitive systems across the enterprise environment.
Velvet Ant Campaign Used Evasive Tactics
Researchers from Sygnia disclosed that the attack began with the compromise of the organization's internet-facing F5 BIG-IP appliances, which were running vulnerable OS versions. These appliances usually occupy a trusted position within the network architecture, giving an attacker who controls them significant influence over network traffic while evading most forms of detection. Within the organization they were used to manage its firewall, WAF (web application firewall), load balancing, and local traffic.

Image source: sygnia.co

The attackers used known remote code execution flaws to install custom malware on the compromised F5 appliances. To obscure the execution chain, they manipulated file-creation times and used three different files ('iviewers.exe', 'iviewers.dll' and 'iviewers.dll.ui') to deploy the PlugX malware on affected systems. Once installed, PlugX harvested credentials and executed reconnaissance commands to map the internal network. The hackers then used the open-source tool Impacket for lateral movement across the network.

Image source: sygnia.co

During the initial compromise, the threat actor compromised both modern workstations and legacy Windows Server 2003 systems. On modern endpoints, the hackers routinely tampered with the installed antivirus before deploying additional tools. This careful targeting of security controls demonstrates Velvet Ant's operational maturity. However, the focus on legacy platforms ultimately assisted the hackers in evading detection.

The researchers identified 4 additional malware programs placed on the compromised F5 appliances:
- VELVETSTING - This program was configured to connect to a remote server located in China on an hourly basis to check for encoded commands. Once commands were received, the program would execute them via a Unix shell.
- VELVETTAP - This malware appears to have monitored and captured data from the F5 appliance's internal network interface.
- SAMRID - This software has been identified as a publicly available tunneling program that had previously been used by Chinese state-sponsored groups. While dormant during the researchers' investigation, it may have provided the attackers with remote access.
- ESRDE - This backdoor works similarly to VELVETSTING, running commands delivered from an external server. It was also inactive at the time of analysis.
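The hourly check-in described for VELVETSTING (and the similar ESRDE) is the kind of behaviour a defender can hunt for in the appliance's outbound connection logs: a source/destination pair whose connections recur at a nearly constant interval. The script below is an added example, not code from the Sygnia report; the log lines, IP addresses, and the jitter threshold are all constructed for illustration.

```python
"""Flag beacon-like outbound connections (near-constant interval) in connection logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (timestamp, source, destination:port).
# 10.1.1.5 reaches 203.0.113.7 once an hour with a few seconds of jitter,
# while its connections to 198.51.100.20 are irregular and too few to matter.
SAMPLE_LOG = """\
2023-11-01T00:02:11 10.1.1.5 203.0.113.7:443
2023-11-01T00:15:40 10.1.1.5 198.51.100.20:443
2023-11-01T01:02:09 10.1.1.5 203.0.113.7:443
2023-11-01T01:47:03 10.1.1.5 198.51.100.20:443
2023-11-01T02:02:12 10.1.1.5 203.0.113.7:443
2023-11-01T03:02:10 10.1.1.5 203.0.113.7:443
2023-11-01T03:30:55 10.1.1.5 198.51.100.20:443
2023-11-01T04:02:11 10.1.1.5 203.0.113.7:443
2023-11-01T05:02:11 10.1.1.5 203.0.113.7:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, min_events=5, max_jitter_ratio=0.05):
    """Return (src, dst, mean_interval_seconds) for pairs whose gaps between
    connections are nearly constant. Thresholds are assumptions: at least
    min_events connections, and standard deviation within 5% of the mean gap."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            hits.append((src, dst, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {src} -> {dst} every ~{interval}s")
```

Real appliance logs will need a different `parse_log`, and legitimate periodic traffic (NTP, monitoring) must be allow-listed before the remaining hits are worth an analyst's time.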