Cybersecurity researchers at Sygnia have uncovered that Chinese threat actors have been exploiting F5 load balancers in targeted attacks over the past two years. These devices are essential in managing traffic across enterprise networks, and their compromise could lead to severe consequences such as the exposure of sensitive data and disruption of services. Sygnia’s investigation revealed the persistence and sophistication of the attackers, emphasizing the ongoing challenges in securing these critical infrastructures. Sygnia’s full report contains the detailed analysis of the incident.
Threat Actors and Techniques
Sygnia identified that the Velvet Ant threat group had infiltrated an organization’s system for over two years, demonstrating a deep understanding of its complex architecture. The attackers employed execution flow hijacking methods, such as DLL search order hijacking, to regain access to the compromised systems. Despite initial remediation efforts, the attackers persisted by exploiting outdated servers and unpatched network appliances.
Further, the attackers shifted their focus to legacy Windows Server 2003 systems, deploying PlugX malware. PlugX, a modular remote access trojan, is known for its capability to hijack legitimate processes through DLL side-loading. This sophisticated approach allowed the attackers to maintain a foothold in the network by leveraging legacy vulnerabilities.
Persistent Intrusion and Countermeasures
Sygnia’s efforts revealed that after compromising newer Windows systems, the attackers disabled the Endpoint Detection and Response (EDR) product before redeploying PlugX malware. They achieved lateral movement using Impacket and executed remote commands via WMI. PlugX was reconfigured to use an internal file server as a covert Command-and-Control (C2) channel.
The investigation traced the compromise back to an outdated F5 load balancer that tunneled traffic between the C2 server and the infected file server. This allowed the attackers to perform reconnaissance and propagate the PlugX malware across older networks using SMB and WMI protocols. Four specific binaries were deployed by the attackers: VELVETSTING, VELVETTAP, SAMRID, and ESRDE.
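As an added illustration of how the WMI-based remote execution described above shows up in process-creation telemetry (example code written for this summary, not from Sygnia’s report): the script parses constructed, flattened Sysmon Event ID 1 / Security 4688-style events and flags a shell spawned by WmiPrvSE.exe, with a higher severity when the command line carries the loopback ADMIN$ output redirect that Impacket’s wmiexec.py leaves behind. The field names and host names are assumptions.

```python
import re

# Constructed process-creation events, one per line (sample data written for this
# example, not telemetry from the Sygnia investigation).
SAMPLE_EVENTS = [
    "host=FS01 ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1718000000.12 2>&1",
    "host=FS01 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c dir",
    "host=DC01 ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /Q /c net user 1> \\\\127.0.0.1\\ADMIN$\\__1718000100.99 2>&1",
    "host=WS07 ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c ipconfig",
]

# key=value fields; the lazy value stops at the next " key=" or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Shells that the WMI provider host should rarely spawn on a server.
SHELLS = {"cmd.exe", "powershell.exe"}
# wmiexec.py redirects each command's output to a file on the loopback ADMIN$ share
# and reads it back over SMB; this artifact survives in the recorded command line.
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for a suspicious event, or None if it looks benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if WMIEXEC_REDIRECT.search(event.get("CommandLine", "")):
        return ("high", "output redirected to \\\\127.0.0.1\\ADMIN$ (wmiexec-style)")
    if parent == "wmiprvse.exe" and child in SHELLS:
        return ("medium", "shell spawned by WmiPrvSE.exe (remote WMI execution)")
    return None


def detect(lines):
    """Run both checks over every line; returns a list of (host, severity, reason)."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            findings.append((event.get("host", "?"), verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for host, severity, reason in detect(SAMPLE_EVENTS):
        print(f"{host}: [{severity}] {reason}")
```

The medium-severity rule will also fire on legitimate management tooling that runs commands through WMI, so it is best tuned against a baseline of known administrative hosts rather than alerted on directly.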
The research highlights the continued use of shared tools and infrastructure by Chinese intrusion sets. Despite extensive efforts to remove the threat, the attackers remained embedded in the compromised network for approximately three years. However, limited visibility prevented definitive attribution and made it impossible to rule out false-flag operations by other advanced persistent threat groups.
Comparing current findings with past incidents shows that Chinese threat actors consistently exploit legacy systems and unpatched devices to maintain long-term access. The persistence of these attackers underscores the necessity for continuous monitoring and updating of critical network components. Previously, similar methods and malware variants have been used to achieve prolonged access and control over targeted systems.
This sustained intrusion into enterprise networks highlights the cyber adversaries’ evolving tactics and the importance of proactive defense strategies. Organizations must prioritize the security hardening of legacy systems, restrict unnecessary network traffic, and implement robust endpoint protection to mitigate such sophisticated threats.
Effective countermeasures include limiting outbound internet traffic, enhancing security hardening of legacy servers, and protecting public-facing devices. These strategies are critical in preventing credential harvesting and limiting lateral movement within networks.
Sygnia’s findings underscore the importance of vigilant cybersecurity practices and the need for continuous adaptation to evolving threats. Organizations must remain proactive in updating and securing their network infrastructures to prevent similar exploits. Understanding and implementing these defense strategies can significantly enhance an organization’s resilience against advanced persistent threats.