Chinese Threat Actors Hacking F5 Load Balancers for Last Two Years

Hackers often focus on F5 Load Balancers for several reasons, as these are many enterprise networks’ vital parts that balance loads and manage traffic.

If these load balancers are put at risk, they can expose confidential information, disable functions, or be a medium for further hacking networks.

EHA

Cybersecurity researchers at Sygnia recently discovered that Chinese threat actors have been actively hacking the F5 load balancers for the last two years.

Threat Actors Hacking F5 Load Balancers

The Velvet Ant threat group entered the system of a certain organization for over two years, as Sygnia uncovered in late 2023.

They were so clever; they even knew everything about the complex structure.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

However, Sygnia tried to mitigate it. The slippery threat actor returned many times by exploiting latent persistence mechanisms on outdated servers and unpatched network appliances and engaging in a classic cat-and-mouse game.

At this point, Velvet Ant used execution flow hijacking methodologies, such as DLL search order hijacking, to regain access.

After the original remediation, the attackers switched their attention to legacy Windows Server 2003 systems without endpoint protection and continued their operations using previously deployed PlugX malware.

PlugX, a modular remote access trojan employed by Chinese groups, allows legitimate processes to be taken over through DLL side-loading.

Snippet from VMRay sandbox (Source – Sygnia)

Sygnia obtained memory dumps showing harvested credentials and stealthily executed commands on the unmonitored legacy servers, revealing elusive tactics of enduring adversaries subsequent to hardening efforts.

In this threat, targeting newer Windows systems, the attacker compromised the Endpoint Detection and Response (EDR) product before deploying PlugX malware with a very high level of operational security awareness.

Lateral movement was performed using Impacket, while remote command execution was done through WMI. After initial remediation, PlugX reappeared and reconfigured to use an internal file server as a covert Command-and-Control (C2) channel.

Exploitation of the F5 appliance (Source – Sygnia)

Sygnia traced this to a compromised legacy F5 load balancer with an outdated OS that tunneled traffic between the C2 server and the PlugX-infected file server that acted like an internal proxy for it.

Having obtained such an obscure foothold, persistent threat actors returned through it to perform reconnaissance and subsequently spread PlugX across older networks using SMB and WMI.

Threat actors deployed four binaries, and here below we have mentioned them:-

  • VELVETSTING
  • VELVETTAP
  • SAMRID
  • ESRDE

Despite repeated removal attempts, the threat actor remained rooted in the compromised network for about three years, showcasing the shared tools, infrastructure, and resources leveraged by Chinese intrusion sets. 

However, the limited visibility prevented definitive attribution and ruled out the possibility of a false-flag operation by another advanced persistent threat group.

Defense strategies

Here below we have mentioned all the defense strategies provided by the security analysts:-

  • Limit outbound internet traffic
  • Limit lateral movement throughout the network
  • Enhance security hardening of legacy servers
  • Mitigate credential harvesting
  • Protect public-facing devices

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.