Eclypsium
Nate Warfield
Now I have a BIG-IP. Ho-ho-ho.
Over the last two years, F5 Networks devices have been the target of wide-scale attack campaigns. Starting in 2020, F5 has issued advisories for multiple critical remote code execution vulnerabilities. In both 2020 and 2022, these disclosures were immediately followed by mass exploitation, owing to the simplicity of the exploits and the internet exposure of the devices. These attacks, while suboptimal, were primarily carried out by low-skilled attackers and coin-mining groups.
In May 2022, Mandiant released their report on UNC3524, a group whose TTPs match those of multiple Russian espionage threat actors. UNC3524's preferred access method? Load balancers, SAN devices and IoT cameras. Armed only with experience working for F5, their public knowledge base and an open source C2 framework, I decided to see how deep an attacker can burrow. What I found was startling. This talk will show how easily the devices can be repurposed for lateral movement and used as pivots to breach servers without direct internet access, and will demonstrate multiple by-design features that allow malware to persist past reboots and security patches and even infect device backups. Attendees will leave with a better understanding of the complexity of these devices and usable information to aid their next DFIR engagement.
Nate has been hacking networks since he got his first 2400 baud modem. After his first hack of a dial-up BBS at 12, he was hooked, and over the following 25 years he sharpened his skills through jobs in network engineering, vulnerability response and endpoint research, and through side projects hacking phones and researching network attack surface. After shipping the MS17-010, Spectre/Meltdown and BlueKeep patches during his 4.5-year tenure at the Microsoft Security Response Center, he is currently Director of Threat Research & Intelligence for Eclypsium. He was featured in WIRED magazine's "25 people doing good in 2020" for his role in starting CTI League, a volunteer group of InfoSec professionals who provided threat intelligence to hospitals during COVID-19.