A notorious hacking collective, known as Velvet Ant, has recently made headlines for its sophisticated data heist operations targeting a company with a penchant for outdated F5 BIG-IP appliances. These vulnerable devices proved to be the group’s golden ticket, allowing them to breach and maintain persistent access within the company’s network.

According to cybersecurity researchers at Sygnia, Velvet Ant, believed to originate from China, capitalized on the known vulnerabilities in the F5 BIG-IP endpoints. Exploiting these security gaps, they employed PlugX, a versatile remote access Trojan (RAT) favored by many Chinese threat actors for over a decade. PlugX, available in the underground market, specializes in surreptitiously siphoning sensitive information from compromised systems.

However, Velvet Ant’s arsenal didn’t stop there. Alongside PlugX, they unleashed a barrage of other malware tools such as PMCD for remote control, MCDP for persistent network monitoring, SAMRID (also known as EarthWorm) for SOCKS proxy tunneling, and ESRDE for remote command and control operations. This diverse toolkit ensured they maintained a tight grip on the compromised network despite detection and mitigation efforts by the targeted organization.

Sygnia’s report underscored the challenges faced in eradicating the malware from the F5 BIG-IP instances. Despite extensive cleanup attempts, Velvet Ant swiftly redeployed PlugX with new configurations, exploiting compromised internal devices like the vulnerable F5 appliances to persistently evade detection.

While the targeted organization in East Asia remains unnamed, Sygnia stressed the importance of proactive cybersecurity measures. They recommended stringent controls over outbound connections, robust Endpoint Detection and Response (EDR) systems, enhanced security protocols for edge devices, and crucially, retiring legacy systems. Updating the vulnerable F5 BIG-IP appliances with the latest patches could have mitigated the attacks altogether.
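As an added illustration of the outbound-connection control Sygnia recommends for edge devices (example code, not from the report or from Sygnia), the following Python checks constructed flow records against a per-appliance egress allowlist, so that any connection an appliance opens to a destination it has no business reaching is surfaced for review. The appliance inventory, IP addresses and allowlist entries are all hypothetical.

```python
"""Egress allowlist check for edge appliances (added example, not from the report).
Assumes constructed flow records "<ts> <src_ip> <dst_ip> <dst_port> <proto> <bytes_out>"
and a constructed inventory of appliance addresses; appliance-originated flows that
leave the allowlist are flagged, since a compromised appliance has to call out somewhere.
"""
from ipaddress import ip_address, ip_network

# Constructed inventory: which hosts are edge appliances (hypothetical addresses).
APPLIANCES = {"10.0.0.5": "f5-bigip-1", "10.0.0.6": "f5-bigip-2"}

# Constructed egress allowlist: the only (network, port, proto) destinations an
# appliance legitimately needs: internal syslog/NTP and a placeholder vendor range.
EGRESS_ALLOW = [
    (ip_network("10.0.10.0/24"), 514, "tcp"),    # internal syslog / SIEM
    (ip_network("10.0.10.0/24"), 123, "udp"),    # internal NTP
    (ip_network("203.0.113.0/24"), 443, "tcp"),  # placeholder vendor update range
]

def parse_flow(line):
    ts, src, dst, port, proto, out_bytes = line.split()
    return {"ts": ts, "src": src, "dst": ip_address(dst), "port": int(port),
            "proto": proto.lower(), "bytes_out": int(out_bytes)}

def is_allowed(flow):
    return any(flow["dst"] in net and flow["port"] == port and flow["proto"] == proto
               for net, port, proto in EGRESS_ALLOW)

def find_policy_violations(lines):
    """Return (appliance, dst, port, proto, bytes_out) for flows outside the allowlist."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow["src"] not in APPLIANCES:
            continue  # only appliance egress is policed here
        if not is_allowed(flow):
            hits.append((APPLIANCES[flow["src"]], str(flow["dst"]),
                         flow["port"], flow["proto"], flow["bytes_out"]))
    return hits

# Constructed sample flows: two legitimate, two that should be flagged, one ignored.
SAMPLE_FLOWS = [
    "2024-06-01T10:00:00Z 10.0.0.5 10.0.10.20 514 tcp 2048",
    "2024-06-01T10:00:05Z 10.0.0.5 198.51.100.7 443 tcp 90000",
    "2024-06-01T10:01:00Z 10.0.0.6 10.0.10.21 123 udp 76",
    "2024-06-01T10:02:00Z 10.0.0.6 198.51.100.8 8443 tcp 512",
    "2024-06-01T10:03:00Z 10.0.1.50 198.51.100.7 443 tcp 4000",  # workstation, not policed
]

if __name__ == "__main__":
    for hit in find_policy_violations(SAMPLE_FLOWS):
        print("egress violation:", hit)
```

In practice the flow source would be firewall or NetFlow exports and the allowlist would come from the appliance's documented management-plane needs; the same logic also gives a place to alert on the volume sent, which is what a data heist through an appliance shows up as.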

In conclusion, Velvet Ant’s operations serve as a stark reminder of the cybersecurity risks posed by outdated infrastructure and the critical need for organizations to stay ahead of evolving threats. As the saga unfolds, one thing is clear: in the world of cybersecurity, neglecting updates and security best practices can leave the door wide open for adversaries like Velvet Ant to wreak havoc unchecked.
