More than 600,000 F5 network security devices running the company’s flagship BIG-IP software are sitting unpatched on the internet one day after the company revealed that nation-state hackers had accessed its networks and source code.
The figure, which Palo Alto Networks provided on Thursday, highlights how many organizations could be vulnerable to cyberattacks exploiting vulnerabilities that the unidentified hackers discovered while roaming through F5’s production environment and developer resources.
There are more than 130,000 F5 devices on the internet in the U.S., with Japan, China and Germany also accounting for more than 10,000 devices each, according to data from the Shadowserver Foundation. The U.S. accounts for nearly half of the internet-accessible F5 devices that Shadowserver identified.
F5, which said on Thursday that it believed it had kicked the hackers out of its networks, is working with government and private-sector cyber experts to further investigate the compromise. CISA ordered federal agencies to promptly patch their affected F5 products and disconnect the devices’ management interfaces from the internet.
“The potential impact of this compromise is unique due to the theft of confidential information regarding previously undisclosed vulnerabilities that F5 was actively in the process of patching,” Palo Alto Networks researchers wrote in their blog post. “This data potentially grants threat actors the capacity to exploit vulnerabilities for which no public patch currently exists, which could accelerate the creation of exploits.”
F5 said there was no evidence that the hackers had compromised its source code or software production processes, despite having access to those systems and data.
John Fokker, vice president of threat intelligence strategy at Trellix, said it was unsurprising to see government-backed hackers targeting an enterprise edge device maker.
“Over the years, we have seen nation-state interest in exploiting vulnerabilities in edge devices, recognizing their strategic position in global networks,” Fokker said in a statement. “Incidents like these remind us that strengthening collective resilience requires not only hardened technology but also open collaboration and intelligence sharing across the security community.”
Nearly all of the companies in the Fortune 50 use F5’s products, the company has said. The firm’s share price dropped 12% on Thursday after it announced the breach, although the company said in a regulatory filing that the incident “has not had a material impact on the Company’s operations.”
