A China-nexus state-sponsored actor called Velvet Ant was observed conducting espionage after establishing persistence in a large organization’s network for three years by exploiting two legacy F5 BigIP appliances with outdated, vulnerable operating systems.
In a June 17 blog post, Sygnia researchers explained that F5 Big-IP load balancer appliances occupy a trusted position within the network, often placed at the perimeter or between different network segments. By compromising such a device, the researchers said attackers can exert significant control over network traffic without arousing suspicion.
The researchers said Velvet Ant used the tools and techniques typically associated with Chinese state-sponsored threat actors. For example, the attacks had a clear definition of goals, targeting of network devices, exploitation of vulnerabilities, and a toolset that includes the ShadowPad and PlugX malware families, as well as the use of DLL side-loading techniques.
Velvet Ant was very crafty and slippery, which made it possible for gain access to sensitive data, the researchers said. “After one foothold was discovered and remediated, the threat actor swiftly pivoted to another, demonstrating agility and adaptability in evading detection. The threat actor also exploited various entry points across the victim’s network infrastructure, indicating a comprehensive understanding of the target’s environment.”
Outdated technology targeted by threat actors
Legacy equipment in an organization's network has clearly become a significant cybersecurity risk, said Jason Soroko, senior vice president of product at Sectigo. Soroko said these outdated systems lack modern authentication capabilities and have vulnerabilities that often teams cannot patch, making them prime targets for cyberattacks.
“Legacy systems also often rely on simple passwords [gained from harvested credentials], as seen in the Velvet Ant attack,” said Soroko. “Despite efforts to eradicate these threats, legacy equipment provided persistent re-entry points for attackers. Balancing the risk posed by legacy systems with the investment needed to upgrade them is crucial. These kinds of decisions need to be made using a top-down approach, with executives who own the risk within an organization understanding where the balance point is.”
Chinese APTs have a documented history of maintaining prolonged access to targeted networks, explained Callie Guenther, senior manager of threat research at Critical Start, and an SC Media columnist. Guenther said Velvet Ant's TTPs align closely with known behaviors of Chinese threat groups, often characterized by their persistence, adaptability, and long-term strategic objectives.
“The use of legacy systems, like the F5 BIG-IP appliance in this case, as an entry and persistence point is not unusual,” said Guenther. “These groups frequently exploit outdated and unpatched hardware and software, knowing that many organizations struggle with maintaining up-to-date systems due to various constraints.”
Guenther added that Velvet Ant’s use of multiple persistence mechanisms, such as DLL search order hijacking, DLL sideloading, and phantom DLL loading, alongside tampering with security software, demonstrates a sophisticated level of OpSec. The group's ability to quickly adapt and pivot between different methods to maintain their foothold is indicative of advanced threat groups that continuously refine their techniques to evade detection.
