CISA warns agencies to update F5 appliances after breach disclosure

Sources say China hacked classified UK systems for over a decade. Some think a secret US cybercrime-fighting group is behind the doxxing of a Russian ransomware kingpin. Microsoft is moving Surface manufacturing out of China. Pro-Palestine activists hacked four N. American PA systems, much more


Publishing notice: Although we established Tuesdays and Thursdays as the days when the bulk of Metacurity would be accessible only to paid subscribers, we are changing things up today, given the importance of today's news items to the broader cybersecurity community. Stay tuned for more paid subscriber-only content on a more flexible schedule where we aren't putting critical news items behind a paywall.




F5, a company that specializes in application security and delivery technology, disclosed in an 8-K filing to the SEC that it had been the target of what it calls a “highly sophisticated” cyberattack, which it attributes to a nation-state actor. Sources say the actor is a Chinese state-backed hacking group that used a type of malware called Brickstorm.

The hackers behind Brickstorm are known for stealing source code from popular technology providers to hunt for software bugs, according to Mandiant, Google’s threat intelligence arm. They then use those bugs to break into the customers of the technology provider, according to a Mandiant report published earlier this year about the cyber campaign.

Mandiant tracks the hackers behind Brickstorm as “UNC5221,” a “China-nexus espionage actor” that it has observed targeting organizations since 2023.

The announcement follows authorization from the US Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.

Investigators discovered that the threat actor maintained prolonged access to parts of F5’s infrastructure. Systems affected included the BIG-IP product development environment and the company’s engineering knowledge management platform. The unauthorized access resulted in the exfiltration of files, some of which contained segments of BIG-IP source code and details regarding vulnerabilities that the company was actively addressing at the time. F5 also said some of the files taken contained “configuration or implementation information for a small percentage of customers.”

F5 reported that independent reviews by incident response firms found no evidence that the attacker had modified the software supply chain, including source code or build and release pipelines. The company stated that it is not aware of any undisclosed critical or remote code execution vulnerabilities, nor any current exploitation linked to the breach. The company also stated that containment actions were implemented promptly and have so far been effective, with no evidence of new unauthorized activity since those efforts began.

According to the SEC form, no evidence was found of access to the company’s customer relationship management, financial, support case management, or iHealth systems. However, the company said a portion of the exfiltrated files included configuration or implementation details affecting a small percentage of customers. F5 is continuing to review these materials and is contacting customers as needed.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning and a related emergency directive following the breach disclosure. F5, for its part, also released security patches for a whopping 45 bugs.

The emergency directive requires all US federal agencies to take inventory and update instances of F5's BIG-IP hardware and software appliances by October 22. Both CISA and the UK's National Cyber Security Centre on Wednesday urged all F5 customers – not just government organizations – to apply patches immediately.

During a press call to discuss the emergency directive, CISA spokespeople became surprisingly and overtly political, touting the White House line about putting "CISA back on mission."

Under the Biden administration, "CISA was focused on things that were not core mission," including "censorship and branding activities and such," Nick Andersen, executive assistant director for cybersecurity at CISA, said. "This is really part of getting CISA back on mission."

When asked if government agencies have sufficient staff to manage the F5 security holes during the shutdown, Andersen blamed Congressional Democrats.

"I cannot speak for other departments and agencies. I'm unaware of their staffing levels as we continue to see the Democrats' refusal on the Hill to act," he told reporters. "The shutdown is forcing a lot of these folks to work without pay as nation states continue to intensify efforts to exploit Americans and our critical systems, and certainly think that that's an unacceptable and unnecessary strain on our nation's defenses." (Greg Otto / Cyberscoop, Margi Murphy, Patrick Howell O'Neill, and Jordan Robertson / Bloomberg, Jessica Lyons / The Register)

Related: SEC, CISA, CISA, Bleeping Computer, TechCrunch, NextGov/FCW, National Cyber Security Centre, The Record, The Hacker News, Cyber Security News, Help Net Security, SiliconANGLE, CSO, Reuters, Mandiant, The Stack, CBS News, Axios, Dark Reading, IT News, The Cyber Express, PC Mag, Security Affairs, Politico Pro, CyberScoop

Sources say Chinese hackers accessed classified UK computer systems for more than a decade as the British government published documents acknowledging that it considered Beijing’s spying a threat to the economy and local democratic institutions.

China routinely accessed low- and medium-level classification information on UK government servers over at least 10 years, according to two former senior security officials and other government officials familiar with the matter. That included information marked “official-sensitive” and “secret,” as well as some material on the government’s secure IT networks, according to the people, who requested anonymity to discuss matters for national security.

The data accessed included confidential documents relating to the formulation of government policy, private communications, and some diplomatic cables, the people said. One described Chinese efforts to access British government systems as endless. Information and intelligence deemed top secret was not believed to have been compromised and is held securely, the people said, pushing back against a report in The Times newspaper.

One compromise related to a data center in London used to store some sensitive government information, which was sold to an entity aligned to China when the Conservatives were in power, flagging major security concerns, one of the people said, confirming a report in the Spectator. Ministers in the then government briefly proposed a plan to destroy the data center before it was made secure in a different way, they added.

However, in a BBC podcast, Ciaran Martin, the founder of the National Cyber Security Centre, says it is categorically untrue that the bespoke systems used to transmit the most sensitive government information were breached by China. (Alex Wickham / Bloomberg and BBC Audio)

Related: The Times, The Independent, Sky News, BBC News, Financial Times

A secret US cybercrime-fighting unit called "Group 78" sought to persuade Russia to stop tolerating the cybercrime within its borders, and sure enough, on February 11, a trove of files on the Russian extortion group Black Basta was leaked on Telegram, embarrassing the Kremlin by showing that the Russian government was covering up for the group's leader, Oleg Nefedov.

Investigating judges who attended a presentation at Europol by the FBI are convinced that the publication of the documents on Telegram was the work of US authorities. There is no evidence of this, only one clue: The leak does not contain any of the blackmail group's tools, nor any software that could be misused. (Kai Biermann / Die Zeit)

Related: Le Monde

Nikkei reports that Microsoft is aiming to move manufacturing of Surface devices and data center servers out of China “starting from 2026 at the earliest.”

The move will reportedly include components, parts, and product assembly for future Surface hardware and server products. The report claims Microsoft has already shifted some of its existing server production outside China, and is pushing to also produce more Xbox consoles outside of the country.

News of Microsoft’s potential manufacturing changes comes just days after President Trump threatened China with an additional 100 percent tariff and more export controls on software. The US and China have also started charging new port fees on each other’s ships in recent days, just a week after Beijing tightened export rules on rare earths. (Tom Warren / The Verge)

Related: The Information, Nikkei

Unauthorized pro-Palestinian political messages praising Hamas and attacking President Donald Trump and Israel’s prime minister were broadcast through public address systems in terminals at four airports in North America on Tuesday, disrupting operations and sparking investigations into the apparent hacks.

Videos posted by passengers on social media show the unauthorized recordings played at Harrisburg International Airport in Pennsylvania.

Incidents were also reported at Kelowna International Airport and Victoria International Airport in British Columbia, along with Windsor International Airport in Ontario, according to Transport Canada, which regulates airports in the country.

The pro-Hamas recordings and messages praise Hamas and, using expletives, are critical of the Trump administration and Israeli Prime Minister Benjamin Netanyahu.

“This is absolutely unacceptable and understandably scared travelers,” US Transportation Secretary Sean Duffy said on social media, adding the FAA is working with the Harrisburg airport “to help get to the bottom of this hack.” (Martin Goillandeau / CNN)

Related: Israel National News, News18, Castanet, CTV News, Economic Times, View from the Wing, Vancouver Sun, Global News, Juno News

The official Dota 2 YouTube channel was briefly compromised, with the account promoting a Solana-based token called dota2coin through what observers described as a fraudulent livestream.

There are no indications of user data being compromised beyond the fraudulent promotions. Decrypt independently confirmed the video’s existence through a notification history log.

The livestreamed video, titled “Dota 2 Launch Official Meme Coin | Hurry Up,” was accompanied by a link to a PumpFun token. The coin's description, in turn, included a link to the official YouTube channel.

It also comes amid reports of some users experiencing playback errors across YouTube's platform, with some unable to watch videos at all. (Vince Dioquino / Decrypt)

Related: Cryptopolitan, Bitget

According to a new investigation, criminals behind a hack on the decentralized commodity market language Bittensor laundered some money with anime NFTs.

This was only a small portion of the total stolen money, but it didn't prove easy to track. Although it has a few drawbacks, this technique could frustrate crypto’s best sleuths. A former Opentensor engineer may have been involved in the scheme, but crypto sleuth ZachXBT isn’t certain.

The Bittensor hack took place in mid-2024, causing a lot of trouble for the decentralized AI development firm. The company, for its part, has been rebuilding quite well in the intervening time, yet the hackers remained at large. Apparently, part of this is because of their new laundering techniques.

The sleuth had more than enough difficulty de-anonymizing classical laundering techniques like Railgun and other privacy tumblers. However, the perpetrators of this hack spent over $100,000 on anime NFTs, making the trail even colder. (Landon Manning / BeInCrypto)

Related: OneSafe, Bitget, Protos

Researchers at Kaspersky report that a cyberespionage group they call Mysterious Elephant, which initially relied on malware code from other hacking outfits, has evolved into a sophisticated threat operation wielding its own arsenal of custom tools, targeting government agencies and diplomatic entities across South Asia.

They observed a tactical shift in a campaign beginning early this year, with the attackers deploying proprietary malware and new techniques to steal sensitive data, including documents, images, and files from WhatsApp communications.

Mysterious Elephant's targets so far have included entities in Pakistan, Bangladesh, and Sri Lanka and, to a smaller extent, Afghanistan and Nepal.

While Kaspersky stopped short of linking the group to any specific government, its report highlighted several advances that Mysterious Elephant has made to its toolkit and tactics. (Jai Vijayan / Dark Reading)

Related: Securelist, Kaspersky

Countries most targeted by Mysterious Elephant. Source: Kaspersky.

German Green MEP Daniel Freund and the German NGO the Society for Civil Rights named “Viktor Orbán and unknown” in a criminal complaint against Hungarian Prime Minister Viktor Orbán following a failed attempt to hack Freund’s email account using spyware in the run-up to the European Parliament elections.

They requested that the state prosecutor in the western German city of Krefeld and cybercrime authorities launch an investigation. “There are indications that the Hungarian secret service is behind the attack,” Freund and the NGO said in a joint statement.

The complaint gives details about an email that someone claiming to be a Ukrainian student sent to Freund’s parliamentary email address at the end of May 2024. The message asked the MEP to write a short message in which he would share his “beliefs concerning the accession of Ukraine to the European Union,” as well as a link. Freund did not click on the link.

The complaint said that Parliament warned Freund that the link contained spyware likely made by the Israeli company Candiru, which was blacklisted by the US government in 2021 for human rights violations. (Nette Nöstlinger / Politico EU)

Related: Hungarian Conservative, The Times, Heise Online

Spanish-headquartered fashion retailer Mango has reported a data breach after one of its external marketing service providers experienced unauthorized access to customer information.

In an email to customers issued on October 15, the company said that the compromised data was limited to contact details used in marketing campaigns, including customers’ first names, country, postal code, email address, and phone number.

Mango stated that no financial information, passwords, or identification details were affected. (Darshana Gupta / Inside Retail)

Related: Teiss, Herald Sun, Security Affairs

Best Thing of the Day: Caught In An Infinite AI Do Loop

An attorney in a New York Supreme Court commercial case got caught using AI in his filings, and then got caught using AI again in the brief where he had to explain why he used AI.

Worst Thing of the Day: Public Wi-Fi Does Carry Risks

A man in Perth, Australia, blames his use of public Wi-Fi for hackers gaining access to his Google, Facebook, and Instagram accounts, along with his emails and private photos. Most experts generally consider public Wi-Fi safe when the traffic is encrypted, but it does still pose risks.
