F5 BIG-IP Source Code Theft Fuels Nation-State Exploitation Campaign with BRICKSTORM Backdoor
A nation-state threat actor assessed to be linked to China compromised F5's internal systems, stole BIG-IP source code and undisclosed vulnerability data, and is now using that stolen intelligence to exploit F5 devices across federal agencies and critical infrastructure. CISA responded with Emergency Directive 26-01, mandating federal agencies inventory and patch all F5 products [1]. The threat actor, tracked as UNC5221 by Mandiant and assessed to overlap with groups tracked as Warp Panda, is deploying a sophisticated Go-based backdoor called BRICKSTORM that turns compromised F5 appliances into stealth egress points and internal proxies [6].
This isn't a typical patch-and-move-on situation. The adversary possesses the source code to one of the most widely deployed network appliances in enterprise environments. Bloomberg reported the attackers had been inside F5's network for at least 12 months. That kind of sustained access to engineering systems and vulnerability databases gives them a durable advantage that won't disappear with a single patch cycle.
The F5 Breach: Timeline and Scope
F5 learned of the breach on August 9, 2025, according to SEC filings. Unit 42's analysis confirmed the threat actor maintained long-term access to F5's product development environment and engineering knowledge management platforms, exfiltrating BIG-IP source code and undisclosed vulnerability information [3]. Bloomberg reporting revealed the attackers had been inside F5's network for at least 12 months prior to discovery. F5 delayed public disclosure at the request of the U.S. Department of Justice.
When the breach was finally disclosed on October 15, 2025, F5 published over 30 new CVEs in their October 2025 Quarterly Security Notification. Unit 42 found no evidence that the threat actor modified F5's software supply chain [3], which is one small mercy. But the exfiltrated data provides the attacker with a significant technical advantage: knowledge of internal code paths, architectural decisions, and vulnerability details that defenders don't have.
CISA's Emergency Directive 26-01 was blunt about the implications, stating that "a nation-state affiliated cyber threat actor has compromised F5's systems and exfiltrated files, which included a portion of its BIG-IP source code and vulnerability information" [1]. Federal agencies were given specific deadlines to inventory all F5 products and apply updates.
CVE-2025-53521: From DoS to Critical RCE
One vulnerability stands out in the post-breach fallout. CVE-2025-53521 was originally disclosed on October 15, 2025 as a denial-of-service issue [2]. In March 2026, F5 reclassified it as a critical remote code execution vulnerability with a 9.8 CVSS v3.1 score (9.3 CVSS v4.0) after obtaining new information [2]. CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog on March 27, 2026, mandating federal agencies patch by March 30, 2026 [5].
The vulnerability enables unauthenticated remote code execution when an access policy is configured on the BIG-IP system [5]. That's a common deployment configuration, making the attack surface substantial. Defused Cyber observed acute scanning activity following the KEV addition, with attackers specifically probing the /mgmt/shared/identified-devices/config/device-info REST API endpoint [5].
The reclassification itself is telling. The original DoS assessment likely relied on limited information. With stolen source code in hand, the threat actor (or researchers analyzing the aftermath) determined the flaw could achieve full code execution. F5 published indicators of compromise for exploitation activity tied to this CVE [2].
Unit 42 noted that CVE-2025-53868, an OS command injection vulnerability in SCP/SFTP on Appliance mode with a CVSS score of 8.7, was among the vulnerabilities released in the wake of the breach.
UNC5221: The Threat Actor
The threat actor behind the campaign is tracked as UNC5221 by Mandiant, with overlaps to groups tracked under other designations by various vendors. This is assessed to be a Chinese state-sponsored group with a well-documented pattern of targeting network appliances and edge devices.
Mandiant reports an average dwell time of 393 days before detection across UNC5221 intrusions [9]. The group consistently targets VMware vCenter and ESXi hosts, exploits zero-day vulnerabilities in network appliances, and employs methods that generate minimal security telemetry [9]. The group has been observed exploiting vulnerabilities in Ivanti Connect Secure VPN appliances (CVE-2024-21887, CVE-2023-46805) as well as VMware vCenter vulnerabilities.
The group maintains long-term access across legal, SaaS, BPO, technology, and manufacturing sectors. They target Microsoft Azure environments to access OneDrive, SharePoint, and Exchange data. Their operational pattern is consistent: compromise an edge device, establish persistent access with custom malware, move laterally using valid credentials, and exfiltrate data over extended periods.
BRICKSTORM: Technical Breakdown
BRICKSTORM is the primary persistence mechanism deployed by UNC5221 on compromised infrastructure. Resecurity describes it as "a statically linked Go ELF executable specifically engineered to be dependency-free" [8], meaning it runs on F5's Linux-based appliance environment without requiring additional libraries.
The backdoor establishes covert command-and-control tunnels using TLS that negotiates HTTP/2 and upgrades to WebSocket, leveraging the Yamux library for multiplexing multiple logical data streams over a single connection [8]. This makes the traffic closely mimic legitimate web communication patterns. CISA/NSA analysis of BRICKSTORM samples confirmed multiple layers of encryption, including HTTPS, WebSockets, and nested TLS [11].
BRICKSTORM includes a self-monitoring function that automatically reinstalls itself if disrupted [11]. The malware uses DNS-over-HTTPS and nested TLS channels for C2 obfuscation [10]. The C2 infrastructure leverages legitimate cloud services, including Cloudflare Workers and Heroku applications, making network-based detection harder [9][12].
Resecurity's assessment is direct: "If an attacker gets code execution, BRICKSTORM can turn a BIG-IP into a stealth egress point and internal proxy" [6]. The cross-platform backdoor operates on Linux, VMware, and Windows environments.
The broader toolkit includes three further components: Junction, a VMware ESXi implant that listens on port 8090; GuestConduit, a guest VM implant that communicates over VSOCK on port 5555; and BRICKSTEAL, a credential-harvesting component deployed on vCenter servers [10].
Indicators of Compromise
| Type | Value | Context | Source |
|---|---|---|---|
| Malware | BRICKSTORM | Go-based ELF backdoor for F5/appliance persistence | [6][8] |
| Malware | BRICKSTEAL | Credential harvesting on vCenter servers | [10] |
| Malware | Junction | ESXi implant, listens on port 8090 | [10] |
| Malware | GuestConduit | Guest VM implant using VSOCK port 5555 | [10] |
| Filename | Pg_update | BRICKSTORM disguised as system update helper | [11] |
| Filename | Listener | BRICKSTORM C2/socket handler component | [11] |
| Filename | Vmprotect | BRICKSTORM variant filename | [11] |
| Filename | updatemgr | BRICKSTORM masquerading as vCenter process | [10] |
| Filename | vami-http | BRICKSTORM masquerading as vCenter process | [10] |
| Filename | /run/bigtlog.pipe | Suspicious file indicating F5 compromise | [2] |
| Filename | /run/bigstart.ltm | Suspicious file indicating F5 compromise | [2] |
| Filename | /usr/bin/umount | Tampered binary on compromised F5 | [2] |
| Filename | /usr/sbin/httpd | Tampered binary on compromised F5 | [2] |
| Username | f5hubblelcdadmin | Local user created by attackers | [5] |
| URL | /mgmt/shared/identified-devices/config/device-info | REST API endpoint probed by attackers | [5] |
| Domain | sslip.io | Dynamic DNS service used for C2 | [9] |
| Domain | nip.io | Dynamic DNS service used for C2 | [9] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Exploitation of CVE-2025-53521 on BIG-IP [2][5] |
| T1210 | Exploitation of Remote Services | Lateral movement from compromised appliances [7] |
| T1071.001 | Application Layer Protocol: Web Protocols | WebSocket and HTTP/2 for C2 [8] |
| T1573 | Encrypted Channel | Nested TLS, HTTPS, WebSocket encryption [11] |
| T1102 | Web Service | Cloudflare Workers, Heroku for C2 infrastructure [9][12] |
| T1547 | Boot or Logon Autostart Execution | BRICKSTORM self-reinstallation persistence [11] |
| T1078 | Valid Accounts | Credential harvesting and reuse via BRICKSTEAL [10][13] |
| T1572 | Protocol Tunneling | WebSocket tunneling through compromised devices [6][8] |
| T1021.004 | Remote Services: SSH | Lateral movement using SSH [12] |
| T1059 | Command and Scripting Interpreter | Shell command execution via RCE [7] |
| T1041 | Exfiltration Over C2 Channel | Data staging and exfiltration [9] |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Attacker-created user to disable security [5] |
| T1027 | Obfuscated Files or Information | Multi-layer encrypted communications [11] |
| T1090 | Proxy | BIG-IP turned into internal proxy [6] |
Detection and Hunting
Traditional EDR doesn't run on F5 appliances. That's the core problem. Defenders need to approach these devices with network-centric and configuration-based detection strategies.
Management Plane Monitoring: Baselining management plane traffic is crucial for detecting lateral movement from compromised F5 devices. Any unexpected SSH sessions, API calls to /mgmt/shared/identified-devices/config/device-info, or new administrative connections from F5 management interfaces should trigger investigation.
File Integrity Checks: F5 published specific compromise indicators. Check for the existence of /run/bigtlog.pipe and /run/bigstart.ltm on BIG-IP systems [2]. Verify file hashes and sizes for /usr/bin/umount and /usr/sbin/httpd against known-good baselines [2]. The presence of user account f5hubblelcdadmin indicates active compromise [5].
Network Signatures: BRICKSTORM establishes covert C2 using TLS/HTTP/2/WebSocket with Yamux multiplexing [8]. Look for connections to dynamic DNS services like sslip.io and nip.io from F5 management interfaces [9]. Monitor for DNS-over-HTTPS traffic originating from appliances that shouldn't be making those requests [10].
Cloud Service Anomalies: The threat actor uses Cloudflare Workers and Heroku applications for C2 infrastructure [12]. Outbound connections from F5 devices to these platforms warrant scrutiny.
Lateral Movement Indicators: Watch for the use of the vpxuser privileged vCenter account from unexpected sources [13]. Monitor for ESXi processes listening on port 8090 (Junction) or VSOCK connections on port 5555 (GuestConduit) [10].
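As an added example (not code from the report or from any of the cited vendors), the following Python script applies the network heuristics above to constructed, Zeek-style connection records originating from F5 management addresses: TLS SNI under a dynamic-DNS provider, long-lived connections that carried a WebSocket upgrade, and DNS-over-HTTPS to a resolver the appliance has no business using. The management subnet, the DoH resolver list and the JSON field names are assumptions; the one-hour threshold mirrors the hunt guide's Splunk query.

```python
"""Added example: flag BRICKSTORM-style C2 behaviour in connection records
coming from F5 management interfaces. Not part of the original report.

Heuristics taken from the Detection and Hunting section:
  * TLS SNI under a dynamic-DNS provider (sslip.io, nip.io)
  * long-lived (>= 3600 s) connections that carried a WebSocket upgrade
  * DNS-over-HTTPS to a public resolver the appliance should not be using
Log format, management subnet and resolver list are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import json

DYNAMIC_DNS_SUFFIXES = ("sslip.io", "nip.io")   # dynamic DNS providers seen in C2 [9]
LONG_LIVED_SECONDS = 3600                        # same threshold as the hunt guide SPL
# ASSUMED list of public DoH resolvers; replace with your own allow/deny list.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "one.one.one.one"}
# ASSUMED: BIG-IP management interfaces live in this range.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")


def _is_mgmt(ip: str) -> bool:
    """True when the source address belongs to the appliance management subnet."""
    try:
        return ipaddress.ip_address(ip) in MGMT_NET
    except ValueError:
        return False


def _under_dyn_dns(sni: str) -> bool:
    """True when the SNI is a dynamic-DNS provider domain or one of its subdomains."""
    sni = sni.lower().rstrip(".")
    return any(sni == s or sni.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def classify(rec: dict) -> list:
    """Return the reasons a single record is suspicious; empty list means benign."""
    reasons = []
    if not _is_mgmt(rec.get("src_ip", "")):
        return reasons  # only appliance-originated traffic is in scope
    sni = rec.get("sni", "")
    if _under_dyn_dns(sni):
        reasons.append("dynamic-dns-sni")
    if rec.get("websocket_upgrade") and rec.get("duration", 0) >= LONG_LIVED_SECONDS:
        reasons.append("long-lived-websocket")
    if sni.lower() in DOH_RESOLVERS and rec.get("dst_port") == 443:
        reasons.append("doh-from-appliance")
    return reasons


def hunt(lines: list) -> list:
    """Parse JSON lines and return alerts as dicts: src_ip, sni, reasons."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than crash the sweep
        reasons = classify(rec)
        if reasons:
            alerts.append({"src_ip": rec["src_ip"], "sni": rec.get("sni", ""), "reasons": reasons})
    return alerts


# Constructed sample records (not real telemetry); addresses are documentation ranges.
SAMPLE_LOG = [
    '{"src_ip":"10.10.0.5","dst_ip":"203.0.113.7","dst_port":443,"sni":"10-20-30-40.sslip.io","duration":5400,"websocket_upgrade":true}',
    '{"src_ip":"10.10.0.5","dst_ip":"198.51.100.9","dst_port":443,"sni":"update.example.com","duration":12,"websocket_upgrade":false}',
    '{"src_ip":"10.10.0.6","dst_ip":"198.51.100.20","dst_port":443,"sni":"api.example.net","duration":7200,"websocket_upgrade":true}',
    '{"src_ip":"10.10.0.6","dst_ip":"198.51.100.21","dst_port":443,"sni":"dns.google","duration":3,"websocket_upgrade":false}',
    '{"src_ip":"192.168.50.10","dst_ip":"203.0.113.8","dst_port":443,"sni":"1-2-3-4.nip.io","duration":9000,"websocket_upgrade":true}',
    "not json at all",
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

The last sample record is deliberately outside the management subnet and is ignored, which is the point: these heuristics are only meaningful after the appliance addresses and their normal egress have been baselined.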
Analysis
The F5 breach represents a qualitative shift in the threat to network infrastructure vendors. A nation-state actor with reported 12 months of access to a product development environment has deep knowledge of how BIG-IP works at a source code level. This advantage persists well beyond the initial incident response. The attacker can identify vulnerability patterns, understand defensive mechanisms built into the product, and craft exploits that are harder to detect.
The reclassification of CVE-2025-53521 from DoS to critical RCE is a concrete example of why this matters [2]. The original assessment was wrong, and the correction came months later. Organizations that triaged this as a low-priority DoS patch in October 2025 left themselves exposed to remote code execution for five months.
UNC5221's 393-day average dwell time [9] means many compromised organizations likely don't know they're compromised yet. The group's tradecraft is specifically designed to minimize security telemetry [9], and BRICKSTORM's multi-layer encryption and use of legitimate cloud services for C2 make network detection genuinely difficult [11][12].
Red Sheep Assessment
Confidence: High (based on convergence of CISA, Mandiant, Unit 42, and Resecurity reporting)
The numerous CVEs that F5 released following the breach disclosure almost certainly represent vulnerabilities the threat actor already knew about. The timing is too coincidental. F5 likely conducted an accelerated internal audit after discovering the scope of exfiltration and rushed these fixes out. Some of these CVEs probably have active exploitation that hasn't been publicly attributed yet.
The reclassification of CVE-2025-53521 five months after initial disclosure [2] suggests that F5's initial vulnerability assessment was conducted without full awareness of what the threat actor had taken. As F5 and the intelligence community reconstruct the scope of the theft, expect more severity reclassifications.
The stolen source code gives the threat actor the ability to find new vulnerabilities independently, without relying on public research or fuzzing. This means the window between vulnerability discovery and exploitation could collapse to zero for F5 products. Traditional patch management timelines are insufficient against an adversary with this kind of asymmetric advantage.
There's also an underappreciated supply chain dimension. While Unit 42 found no evidence of source code tampering [3], proving a negative in a year-long intrusion is extraordinarily difficult. Organizations running BIG-IP software released during the compromise window should consider additional validation beyond standard integrity checks.
One contrarian consideration: the public disclosure and CISA emergency directive may actually force UNC5221 to burn current access and retool. The attention makes sustained operations riskier. But given the group's track record of maintaining access for over a year on average [9], assuming they've been fully evicted from all victim environments would be optimistic.
Defender's Checklist
- [ ] Inventory all F5 BIG-IP devices and check patch status against CVE-2025-53521 (CVSS 9.8 v3.1, 9.3 v4.0, in CISA KEV). Prioritize any device with an access policy configured, as this is the vulnerable condition [5]. Use command: `tmsh list ltm virtual all-properties | grep -E "virtual|access-policy"`
- [ ] Check for BRICKSTORM compromise indicators on F5 appliances: search for `/run/bigtlog.pipe`, `/run/bigstart.ltm`, modified `/usr/bin/umount` or `/usr/sbin/httpd`, and the user account `f5hubblelcdadmin` [2][5]. Use: `find /run -name "*.pipe" -o -name "bigstart.*" 2>/dev/null; getent passwd | grep f5hubblelcdadmin`
- [ ] Block or alert on outbound connections from F5 management interfaces to `sslip.io`, `nip.io`, and unexpected Cloudflare Workers or Heroku endpoints using firewall rules or DNS RPZ [9][12]. Configure DNS logging: `tmsh modify sys db log.dns.level value debug`
- [ ] Restrict F5 TMUI and management interface access to dedicated management VLANs only. Query network logs for any access to `/mgmt/shared/identified-devices/config/device-info` from non-management sources [5][7]. Audit with: `grep "identified-devices" /var/log/ltm`
- [ ] Baseline and continuously monitor management plane traffic from all F5 devices using network detection tools. Alert on SSH sessions, API calls, or lateral movement patterns originating from BIG-IP systems to internal infrastructure, particularly vCenter or Active Directory [7][9]. Enable audit logging: `tmsh modify sys db config.auditing value enable`
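The file and account checks in this list can be scripted on the appliance itself. The following Python script is an added example, not F5 tooling or code from the report: it keeps the decision logic in a pure function that compares observed state against a baseline, so the known-good hashes (placeholders here, to be taken from a clean device of the same version) are the only site-specific input, and the same function can be exercised offline with constructed data.

```python
"""Added example: host-side sweep of the F5-published compromise indicators
[2][5] on a BIG-IP. Not F5's tooling and not code from the original report.

collect_state() gathers live facts; evaluate() is pure and testable.
The BASELINE hashes are PLACEHOLDERS: fill them from a known-good device.
"""
import hashlib
import os
import pwd

INDICATOR_FILES = ["/run/bigtlog.pipe", "/run/bigstart.ltm"]   # [2]
TAMPER_CANDIDATES = ["/usr/bin/umount", "/usr/sbin/httpd"]     # [2]
ROGUE_USERS = {"f5hubblelcdadmin"}                              # [5]

# PLACEHOLDER baseline, path -> (sha256, size). Populate from a clean BIG-IP.
BASELINE = {
    "/usr/bin/umount": ("<sha256 from clean device>", 0),
    "/usr/sbin/httpd": ("<sha256 from clean device>", 0),
}


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_state():
    """Gather the three facts the sweep needs from the live system."""
    present = [p for p in INDICATOR_FILES if os.path.lexists(p)]
    observed = {}
    for path in TAMPER_CANDIDATES:
        if os.path.isfile(path):
            observed[path] = (sha256_of(path), os.path.getsize(path))
    users = {entry.pw_name for entry in pwd.getpwall()}
    return present, observed, users


def evaluate(present, observed, users, baseline):
    """Return findings as (severity, message) tuples; an empty list means clean.

    present:  indicator paths that exist on disk
    observed: path -> (sha256, size) for the binaries F5 says get tampered
    users:    local account names
    baseline: path -> (sha256, size) from a known-good device
    """
    findings = []
    for path in present:
        findings.append(("critical", f"indicator file present: {path}"))
    for path, (digest, size) in observed.items():
        if path not in baseline:
            findings.append(("info", f"no baseline for {path}; cannot verify"))
            continue
        base_digest, base_size = baseline[path]
        if digest != base_digest or size != base_size:
            findings.append(("critical", f"hash/size mismatch on {path}"))
    for user in sorted(ROGUE_USERS & users):
        findings.append(("critical", f"attacker-associated local user exists: {user}"))
    return findings


if __name__ == "__main__":
    results = evaluate(*collect_state(), BASELINE) or [("ok", "no indicators found")]
    for severity, message in results:
        print(f"[{severity}] {message}")
```

Run it from a trusted shell on the appliance after collecting the baseline; a tampered `/usr/sbin/httpd` can lie to anything that queries the device over TMUI or the REST API.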
References
1. CISA. "ED 26-01: Mitigate Vulnerabilities in F5 Devices." https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
2. Dark Reading. "F5 BIG-IP Vuln Reclassified as RCE, Under Exploitation." https://www.darkreading.com/application-security/f5-big-ip-vulnerability-reclassified-rce-exploitation
3. Unit 42. "Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities." https://unit42.paloaltonetworks.com/nation-state-threat-actor-steals-f5-source-code/
4. The Hacker News. "F5 Breach Exposes BIG-IP Source Code: Nation-State Hackers Behind Massive Intrusion." https://thehackernews.com/2025/10/f5-breach-exposes-big-ip-source-code.html
5. CyberPress. "CISA Alerts on Actively Exploited F5 BIG-IP Flaw Targeting Organizations." https://cyberpress.org/cisa-alerts-on-actively-exploited-f5-big-ip-flaw-targeting-organizations/
6. Resecurity. "F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using BRICKSTORM Backdoor." https://www.resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor
7. Corelight. "No PoCs? No Problem: Hunting F5 Exploits When Details Are Sparse." https://corelight.com/blog/hunt-f5-exploitation-without-pocs
8. RH-ISAC. "F5 BIG-IP Source Code Leak Tied to UNC5221 Utilizing BRICKSTORM Backdoor." https://rhisac.org/threat-intelligence/f5-big-ip-source-code-leak-tied-to-unc5221-utilizing-brickstorm-backdoor/
9. Mandiant / Google Cloud. "Another BRICKSTORM - Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors." https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
10. CrowdStrike. "Unveiling WARP PANDA - A New Sophisticated China-Nexus Adversary." https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/
11. CISA/NSA/Cyber Centre. "Malware Analysis Report - BRICKSTORM Backdoor." https://media.defense.gov/2025/Dec/04/2003834878/-1/-1/0/MALWARE-ANALYSIS-REPORT-BRICKSTORM-BACKDOOR.PDF
12. SC World. "China-linked threat actor WARP PANDA targets US entities with BRICKSTORM." https://www.scworld.com/news/china-linked-threat-actor-warp-panda-targets-us-entities-with-brickstorm
13. SecurityWeek. "US Organizations Warned of Chinese Malware Used for Long-Term Persistence." https://www.securityweek.com/us-organizations-warned-of-chinese-malware-used-for-long-term-persistence/
---
Hunt Guide: Hunt Report: F5 BIG-IP Source Code Theft and BRICKSTORM Backdoor Campaign
Hypothesis: If UNC5221/WARP PANDA is active in our environment, we expect to observe BRICKSTORM backdoor indicators, suspicious processes masquerading as system utilities, long-lived WebSocket connections to dynamic DNS providers, and exploitation attempts against F5 BIG-IP management interfaces in network logs, process telemetry, and F5 appliance file systems.
Intelligence Summary: A nation-state actor breached F5's development environment, stealing BIG-IP source code and vulnerability data with 12 months of dwell time. The Chinese APT cluster UNC5221 is now deploying the BRICKSTORM backdoor against compromised F5 infrastructure, with CVE-2025-53521 reclassified from DoS to critical RCE (CVSS 9.8) and added to CISA's KEV catalog.
Confidence: High | Priority: Critical
Scope
- Networks: All F5 BIG-IP appliances, VMware vCenter/ESXi infrastructure, Ivanti Connect Secure devices, and associated management networks
- Timeframe: retrospective sweep of the past 12 months (April 2025 - April 2026), then ongoing real-time monitoring
- Priority Systems: Internet-facing F5 BIG-IP with access policies configured, vCenter servers managing critical infrastructure, any system with source code repositories
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
Exploitation of CVE-2025-53521 in F5 BIG-IP devices for unauthenticated RCE when access policies are configured
Splunk SPL:
(index=web OR index=proxy OR index=f5) (uri="/mgmt/shared/identified-devices/config/device-info" OR uri_path="/mgmt/shared/*") | stats count by src_ip, dest_ip, uri, status | where status=200
Elastic KQL:
(http.request.method:GET OR http.request.method:POST) AND url.path:"/mgmt/shared/identified-devices/config/device-info"
Sigma Rule:
```yaml
title: F5 BIG-IP CVE-2025-53521 Exploitation Attempt
id: 8a7b5d3e-2c4f-4a89-b123-456789abcdef
status: experimental
description: Detects exploitation attempts against F5 BIG-IP CVE-2025-53521 via REST API fingerprinting
author: RedSheep Security/Stone
date: 2026/04/07
references:
  - https://cyberpress.org/cisa-alerts-on-actively-exploited-f5-big-ip-flaw-targeting-organizations/
logsource:
  category: webserver
  product: f5
detection:
  selection:
    cs-uri-stem|contains: '/mgmt/shared/identified-devices/config/device-info'
    cs-method: 'GET'
  condition: selection
falsepositives:
  - Legitimate F5 management operations
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2025.53521
```
Monitor for external IPs accessing F5 management endpoints. Baseline legitimate management traffic first.
T1505.003 — Server Software Component: Web Shell (Persistence) [P1]
BRICKSTEAL servlet filter deployment for credential harvesting on compromised F5/VMware infrastructure
Splunk SPL:
index=* (source="*f5*" OR source="*bigip*") (file_path="*/run/bigtlog.pipe" OR file_path="*/run/bigstart.ltm" OR file_name="bigtlog.pipe" OR file_name="bigstart.ltm") | table _time, host, file_path, file_name, action
Elastic KQL:
(file.path:"/run/bigtlog.pipe" OR file.path:"/run/bigstart.ltm") OR (file.name:"bigtlog.pipe" OR file.name:"bigstart.ltm")
These files indicate active F5 compromise. Immediate incident response required if detected.
T1036.005 — Masquerading: Match Legitimate Name or Location (Defense Evasion) [P1]
BRICKSTORM masquerades as legitimate system processes like updatemgr, vami-http, Pg_update to evade detection
Splunk SPL:
index=* sourcetype=sysmon EventCode=1 (Image="*Pg_update*" OR Image="*Listener" OR Image="*Vmprotect*" OR Image="*updatemgr*" OR Image="*vami-http*" OR Image="*vvold*") | stats count by ComputerName, Image, CommandLine, ParentImage | where count < 5
Elastic KQL:
event.code:1 AND (process.name:"Pg_update" OR process.name:"Listener" OR process.name:"Vmprotect" OR process.name:"updatemgr" OR process.name:"vami-http" OR process.name:"vvold")
Sigma Rule:
```yaml
title: BRICKSTORM Backdoor Process Execution
id: 7d8c4a2b-9f3e-4b7a-8c5d-1234567890ab
status: stable
description: Detects execution of processes associated with BRICKSTORM backdoor
author: Florian Roth
date: 2026/03/28
modified: 2026/04/07
references:
  - https://rhisac.org/threat-intelligence/f5-big-ip-source-code-leak-tied-to-unc5221-utilizing-brickstorm-backdoor/
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith:
      - '/Pg_update'
      - '/Listener'
      - '/Vmprotect'
      - '/updatemgr'
      - '/vami-http'
      - '/vvold'
  filter:
    ParentImage|contains: '/opt/vmware/'
    Image|contains: '/opt/vmware/'
  condition: selection and not filter
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1036.005
```
These process names are known BRICKSTORM indicators. Filter out legitimate VMware processes from /opt/vmware/ paths.
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P2]
BRICKSTORM uses WebSocket, HTTP/2, and TLS for C2 communication, often to dynamic DNS providers
Splunk SPL:
(index=network OR index=proxy) (dest_host="*.sslip.io" OR dest_host="*.nip.io") (uri_path="*websocket*" OR http_method="CONNECT" OR ssl_version="TLSv1.2" OR ssl_version="TLSv1.3") | stats sum(bytes_out) as total_bytes, max(duration) as duration by src_ip, dest_host | where duration > 3600
Elastic KQL:
(destination.domain:"*.sslip.io" OR destination.domain:"*.nip.io") AND (network.protocol:"websocket" OR network.protocol:"http2")
Long-lived WebSocket connections (>1 hour) to dynamic DNS providers are highly suspicious from infrastructure devices.
T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Persistence) [P2]
BRICKSTORM includes self-monitoring and auto-reinstall persistence mechanisms
Splunk SPL:
index=* sourcetype=linux_secure ("crontab" OR "systemctl" OR "rc.local") ("Pg_update" OR "Listener" OR "Vmprotect" OR "updatemgr" OR "vami-http") | table _time, host, user, command
Elastic KQL:
(process.name:"crontab" OR process.name:"systemctl") AND process.args:("Pg_update" OR "Listener" OR "Vmprotect" OR "updatemgr" OR "vami-http")
Check for BRICKSTORM processes added to startup scripts, cron jobs, or systemd services.
T1078 — Valid Accounts (Defense Evasion) [P2]
Abuse of vpxuser and other legitimate VMware/F5 service accounts for lateral movement
Splunk SPL:
index=* (sourcetype=vmware* OR sourcetype=ssh*) (user="vpxuser" OR user="root") (EventCode=4624 OR "Accepted password" OR "session opened") | stats count by src_ip, dest_ip, user | where count > 10
Elastic KQL:
(user.name:"vpxuser" OR user.name:"root") AND (event.action:"ssh_login" OR event.action:"logged-in")
Baseline normal vpxuser activity. Sudden spikes or unusual source IPs indicate compromise.
T1560.001 — Archive Collected Data: Archive via Utility (Collection) [P3]
Data staging using 7-Zip on compromised ESXi hosts before exfiltration
Splunk SPL:
index=* (sourcetype=sysmon OR sourcetype=linux*) (process_name="7z" OR process_name="7za" OR process_name="7zr" OR CommandLine="*7z*" OR CommandLine="*7-zip*") (host="*esxi*" OR host="*vcenter*" OR host="*f5*") | table _time, host, user, CommandLine
Elastic KQL:
(process.name:"7z" OR process.name:"7za" OR process.command_line:"*7z*") AND (host.name:"*esxi*" OR host.name:"*vcenter*")
7-Zip on infrastructure appliances is unusual and may indicate data staging for exfiltration.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | sslip.io | Dynamic DNS service used by UNC5221 for BRICKSTORM C2 infrastructure |
| domain | nip.io | Dynamic DNS service used by UNC5221 for BRICKSTORM C2 infrastructure |
| filename | Pg_update | BRICKSTORM backdoor masquerading as PostgreSQL update process |
| filename | Listener | BRICKSTORM C2/socket handling component |
| filename | Vmprotect | BRICKSTORM backdoor variant targeting VMware infrastructure |
| filename | updatemgr | BRICKSTORM masquerading as VMware vCenter update manager |
| filename | vami-http | BRICKSTORM masquerading as VMware Appliance Management Interface |
| filename | vvold | Junction backdoor masquerading as VMware service |
| filename | /run/bigtlog.pipe | Suspicious file indicating active F5 BIG-IP compromise |
| filename | /run/bigstart.ltm | Suspicious file indicating active F5 BIG-IP compromise |
| filename | /usr/bin/umount | File hash/size mismatch on this binary indicates F5 tampering |
| filename | /usr/sbin/httpd | File hash/size mismatch on this binary indicates F5 tampering |
| url | /mgmt/shared/identified-devices/config/device-info | F5 REST API endpoint actively probed by attackers for device fingerprinting |
IOC Sweep Queries (Splunk):
index=* (dest="*.sslip.io" OR query="*.sslip.io" OR cs_host="*.sslip.io") | stats count by src_ip, dest, query
index=* (dest="*.nip.io" OR query="*.nip.io" OR cs_host="*.nip.io") | stats count by src_ip, dest, query
index=* (process_name="Pg_update" OR file_name="Pg_update" OR Image="*Pg_update*") | stats count by host, file_path
index=* (process_name="Listener" OR file_name="Listener" OR Image="*Listener") | stats count by host, file_path
index=* (process_name="Vmprotect" OR file_name="Vmprotect" OR Image="*Vmprotect*") | stats count by host, file_path
index=* (process_name="updatemgr" OR file_name="updatemgr" OR Image="*updatemgr*") NOT file_path="*/opt/vmware/*" | stats count by host, file_path
index=* (process_name="vami-http" OR file_name="vami-http" OR Image="*vami-http*") NOT file_path="*/opt/vmware/*" | stats count by host, file_path
index=* (process_name="vvold" OR file_name="vvold" OR Image="*vvold*") | stats count by host, file_path
index=* (file_path="/run/bigtlog.pipe" OR file_name="bigtlog.pipe") | stats count by host, file_create_time
index=* (file_path="/run/bigstart.ltm" OR file_name="bigstart.ltm") | stats count by host, file_create_time
index=* file_path="/usr/bin/umount" | stats values(file_hash), values(file_size) by host
index=* file_path="/usr/sbin/httpd" | stats values(file_hash), values(file_size) by host
index=* (uri="/mgmt/shared/identified-devices/config/device-info" OR cs_uri_stem="/mgmt/shared/identified-devices/config/device-info") | stats count by src_ip, dest_ip
YARA Rules
BRICKSTORM_Backdoor_Golang — Detects BRICKSTORM backdoor Go ELF binaries based on unique strings and Yamux library usage
```yara
rule BRICKSTORM_Backdoor_Golang {
    meta:
        description = "Detects BRICKSTORM backdoor - Go ELF variant"
        author = "RedSheep Security/Stone"
        date = "2026-04-07"
        reference = "https://rhisac.org/threat-intelligence/f5-big-ip-source-code-leak-tied-to-unc5221-utilizing-brickstorm-backdoor/"
        hash1 = "Unknown - samples not public"
        score = 85
    strings:
        $go_build = "Go build ID:"
        $yamux1 = "yamux" ascii
        $yamux2 = "github.com/hashicorp/yamux" ascii
        $websocket1 = "gorilla/websocket" ascii
        $websocket2 = "Sec-WebSocket-" ascii
        $tls1 = "crypto/tls" ascii
        $http2 = "golang.org/x/net/http2" ascii
        $name1 = "Pg_update" ascii
        $name2 = "Listener" ascii
        $name3 = "Vmprotect" ascii
        $name4 = "updatemgr" ascii
        $name5 = "vami-http" ascii
    condition:
        uint32(0) == 0x464c457f and
        $go_build and
        any of ($yamux*) and
        (any of ($websocket*) or $http2 or $tls1) and
        any of ($name*)
}
```
Junction_Backdoor_VMware — Detects Junction Golang backdoor targeting VMware ESXi on port 8090
```yara
rule Junction_Backdoor_VMware {
    meta:
        description = "Detects Junction backdoor for VMware ESXi"
        author = "CrowdStrike Intel Team"
        date = "2026-03-15"
        reference = "https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/"
    strings:
        $go_sig = "Go build ID:"
        $port = "8090" ascii wide
        $vmware1 = "esxi" ascii nocase
        $vmware2 = "vcenter" ascii nocase
        $listen = "net.Listen" ascii
        $conn = "net.Conn" ascii
    condition:
        uint32(0) == 0x464c457f and
        $go_sig and
        $port and
        ($listen or $conn) and
        any of ($vmware*)
}
```
Suricata Rules
SID 2051001 — ET EXPLOIT F5 BIG-IP CVE-2025-53521 Device Fingerprinting Attempt
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT F5 BIG-IP CVE-2025-53521 Device Fingerprinting Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mgmt/shared/identified-devices/config/device-info"; fast_pattern; reference:cve,2025-53521; classtype:attempted-admin; sid:2051001; rev:1;)
SID 2051002 — ET MALWARE BRICKSTORM C2 to Dynamic DNS Provider (sslip.io)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BRICKSTORM C2 to Dynamic DNS Provider (sslip.io)"; flow:to_server,established; tls.sni; content:"sslip.io"; fast_pattern; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2051002; rev:1;)
SID 2051003 — ET MALWARE BRICKSTORM C2 to Dynamic DNS Provider (nip.io)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BRICKSTORM C2 to Dynamic DNS Provider (nip.io)"; flow:to_server,established; tls.sni; content:"nip.io"; fast_pattern; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2051003; rev:1;)
SID 2051004 — ET MALWARE Possible BRICKSTORM WebSocket Upgrade
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible BRICKSTORM WebSocket Upgrade"; flow:to_server,established; http.header; content:"Upgrade|3a 20|websocket"; nocase; http.header; content:"Connection|3a 20|Upgrade"; nocase; threshold: type limit, track by_src, seconds 600, count 3; classtype:trojan-activity; sid:2051004; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| F5 BIG-IP logs | T1190, T1505.003 | Enable REST API logging and file integrity monitoring on all F5 devices |
| Sysmon | T1036.005, T1547.001, T1560.001 | Deploy Sysmon to infrastructure management servers with process creation logging |
| Network flow logs | T1071.001 | Enable NetFlow/IPFIX collection with 5-minute aggregation for long connection detection |
| DNS logs | T1071.001 | Log all DNS queries, especially for dynamic DNS providers |
| VMware vCenter logs | T1078 | Enable verbose logging for vpxuser and service account authentication |
| EDR telemetry | T1036.005, T1547.001, T1560.001 | Deploy EDR agents to infrastructure management servers where possible |
| SSL/TLS inspection | T1071.001 | Inspect TLS traffic from infrastructure devices for WebSocket upgrades |
Sources
- CISA Emergency Directive 26-01: Mitigate Vulnerabilities in F5 Devices
- Unit 42: Nation-State Threat Actor Steals F5 Source Code
- The Hacker News: F5 Breach Exposes BIG-IP Source Code
- CyberPress: CISA Alerts on Actively Exploited F5 BIG-IP Flaw
- Resecurity: F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using BRICKSTORM Backdoor
- Corelight: Hunt F5 Exploitation Without POCs
- RH-ISAC: F5 BIG-IP Source Code Leak Tied to UNC5221 Utilizing BRICKSTORM Backdoor
- CrowdStrike: WARP PANDA Cloud Threats
- SC World: China-Linked Threat Actor WARP PANDA Targets US Entities with BRICKSTORM
- SecurityWeek: US Organizations Warned of Chinese Malware Used for Long-Term Persistence