Brief #126: Nation-State Steals F5 Code, Prompt Injection Costs $100K+, CISO Skills

Nikoloz Kokhreidze


Only 6% of executives are confident against attacks despite surging investment. UNC5342 exploits Ethereum smart contracts for JADESNOW malware delivery through fake job interviews targeting crypto developers.


Happy Sunday!

In this week's brief:

  • F5 confirms a nation-state breach that exposed BIG-IP source code and undisclosed vulnerabilities, reminding us that even security vendors aren't immune to persistent attacks
  • AI security incidents more than doubled in 2025 with prompt injection attacks now accounting for 35% of all documented incidents and causing six-figure financial losses
  • 90% of security leaders say managing cyber risk is harder now than five years ago, yet only 19% rate their programs as mature - highlighting the growing complexity we're all facing

A quick note before we dive in.

Industry News

F5 Breach Exposes BIG-IP Source Code – Nation-State Hackers Behind Massive Intrusion

  • F5 disclosed that a nation-state threat actor gained persistent access to their network and stole BIG-IP source code along with information about undisclosed vulnerabilities, with the breach discovered on August 9, 2025.

  • The attackers accessed F5's product development environment and knowledge management platform, exfiltrating configuration and implementation information affecting a small percentage of customers who will be directly notified.

  • F5 has engaged Google Mandiant and CrowdStrike for incident response, implemented enhanced security controls, and advises users to apply the latest updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients immediately.

North Korean UNC5342 Threat Actor Adopts EtherHiding Technique for Cryptocurrency Theft

  • Google Threat Intelligence observed UNC5342 using EtherHiding to deliver JADESNOW malware through fake job interviews – marking the first time a nation-state actor has adopted this blockchain-based technique that stores malicious payloads in smart contracts on BNB Smart Chain and Ethereum, making takedowns nearly impossible.

  • The social engineering campaign targets cryptocurrency developers with fraudulent job interviews, deploying a multi-stage infection chain where JADESNOW downloads INVISIBLEFERRET backdoor from blockchain transactions, ultimately leading to cryptocurrency wallet theft and credential harvesting from browsers and password managers.

  • While the blockchain storage provides resilience against traditional blocking methods, the attack still relies on centralized API services to interface with blockchains – creating potential mitigation opportunities through Chrome Enterprise policies that block dangerous downloads and enforce managed browser updates.

Attackers Exploit Cisco SNMP Vulnerability CVE-2025-20352 to Deploy Rootkits in Operation Zero Disco

  • Threat actors leveraged CVE-2025-20352, a Cisco SNMP vulnerability in both 32-bit and 64-bit switch builds, to achieve remote code execution and deploy Linux rootkits on unprotected devices, primarily targeting Cisco 9400, 9300, and legacy 3750G series switches.

  • The rootkit establishes persistent access through a universal password containing "disco" and installs hooks into IOSd memory space, enabling attackers to disable logging, bypass authentication, hide configuration changes, and control network traffic through UDP listeners on any port.

  • Attackers used sophisticated lateral movement techniques including ARP spoofing to impersonate waystation IP addresses, bypass internal firewalls, and move between network zones while evading detection through log manipulation and configuration hiding capabilities.
