F5 discloses breach tied to nation-state threat actor

F5, a company that specializes in application security and delivery technology, disclosed Wednesday that it had been the target of what it’s calling a “highly sophisticated” cyberattack, which it attributes to a nation-state actor. The announcement follows authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.

According to the Form 8-K filed with the Securities and Exchange Commission, the company first became aware of the unauthorized access Aug. 9 and initiated standard incident response measures, including enlisting external cybersecurity consultants. In September, the Department of Justice permitted F5 to delay public disclosure of the breach, which the rule allows when the attorney general determines that immediate disclosure would pose “a substantial risk to national security or public safety.”

Investigators discovered that the threat actor maintained prolonged access to parts of F5’s infrastructure. Systems affected included the BIG-IP product development environment and the company’s engineering knowledge management platform. The unauthorized access resulted in the exfiltration of files, some of which contained segments of BIG-IP source code and details regarding vulnerabilities that the company was actively addressing at the time. F5 also said some of the files taken contained “configuration or implementation information for a small percentage of customers.”

F5 reported that independent reviews by incident response firms found no evidence the attacker had modified the software supply chain, including source code or build and release pipelines. The company stated that it is not aware of any undisclosed critical or remote code execution vulnerabilities, nor any current exploitation linked to the breach. The company also stated that containment actions were implemented promptly and have so far been effective, with no evidence of new unauthorized activity since those efforts began.

According to the SEC form, no evidence was found of access to the company’s customer relationship management, financial, support case management, or iHealth systems. However, the company said a portion of the exfiltrated files included configuration or implementation details affecting a small percentage of customers. F5 is continuing to review these materials and is contacting customers as needed.

Investigative findings further indicated that the NGINX product development environment, as well as F5 Distributed Cloud Services and Silverline systems, remained unaffected.

The United Kingdom’s National Cyber Security Centre said in a notice there is currently no indication customer networks have been impacted as a result of F5’s compromised network.

F5 has continued to work alongside federal law enforcement throughout its response and is implementing additional measures to strengthen its network defenses. Company officials reported that the breach has not had a material effect on its daily operations as of the disclosure date. Ongoing assessments are being conducted to determine if there may be any impact on the company’s financial position or results.

F5, based in Seattle, is a major player in the application security and delivery market, serving thousands of enterprise customers worldwide, including much of the Fortune 500. The company’s primary offerings include its BIG-IP line of hardware and software products, which provide network traffic management, application security, and access control, as well as its NGINX and F5 Distributed Cloud Services platforms. F5’s technologies are used extensively by businesses, government agencies, and service providers around the world. 

Fixes rolled out

F5 released a series of updates across its product line and advised customers to update BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ and APM clients as soon as possible. 

The company also shared steps customers can take to harden their F5 systems and added checks to its iHealth diagnostic tool, which can help identify gaps in security and prioritize a course of action. 

F5 encouraged customers to monitor for unauthorized login attempts and unexpected configuration changes by feeding their F5 devices’ logs into their security information and event management (SIEM) tools. 
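As an added example, not F5’s code or guidance, the Python below shows what that monitoring can look like before or alongside a SIEM: it parses constructed log lines shaped like a BIG-IP’s sshd and tmsh audit entries (the line formats, field names, thresholds, approved-user list and change window are all assumptions to adapt to real exported logs) and raises alerts for a burst of failed logins followed by a success from the same source, and for audited configuration changes that touch authentication or management settings, land outside a change window, or come from an account not on the approved list.

```python
"""Flag suspicious logins and configuration changes in BIG-IP-style logs.

Added example, not F5's code. SAMPLE_LOGS is constructed to resemble
/var/log/secure (sshd) and /var/log/audit (tmsh AUDIT) lines; the exact
layout on a real unit may differ, so treat the regexes as assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system).
SAMPLE_LOGS = [
    "Oct 15 02:10:01 bigip1 warning sshd[2011]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "Oct 15 02:10:03 bigip1 warning sshd[2011]: Failed password for admin from 203.0.113.7 port 51023 ssh2",
    "Oct 15 02:10:04 bigip1 warning sshd[2011]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Oct 15 02:10:06 bigip1 warning sshd[2011]: Failed password for admin from 203.0.113.7 port 51025 ssh2",
    "Oct 15 02:10:09 bigip1 warning sshd[2011]: Failed password for admin from 203.0.113.7 port 51026 ssh2",
    "Oct 15 02:10:20 bigip1 notice sshd[2011]: Accepted password for admin from 203.0.113.7 port 51030 ssh2",
    "Oct 15 02:11:00 bigip1 notice tmsh[2099]: 01420002:5: AUDIT - pid=2099 user=admin folder=/Common "
    "module=(tmos)# status=[Command OK] cmd_data=create auth user svc_backup password-encrypted REDACTED shell bash role admin",
    "Oct 15 09:30:00 bigip1 notice tmsh[2150]: 01420002:5: AUDIT - pid=2150 user=netops folder=/Common "
    "module=(tmos)# status=[Command OK] cmd_data=modify ltm pool web_pool members add { 10.0.0.9:80 }",
    "Oct 15 09:31:00 bigip1 notice sshd[2160]: Accepted publickey for netops from 10.0.0.5 port 40000 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>\w+)\[\d+\]: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
AUDIT_RE = re.compile(
    r"AUDIT - pid=\d+ user=(?P<user>\S+) .*?status=\[(?P<status>[^\]]+)\] cmd_data=(?P<cmd>.*)$"
)
# Objects that decide who can log in and manage the box (assumption: tune to your estate).
SENSITIVE_CMD_RE = re.compile(
    r"^(create|modify|delete) (auth (user|remote-role|remote-user|radius|ldap|tacacs|source)|"
    r"sys (sshd|httpd|management-ip|snmp)|cli admin-partitions)"
)


@dataclass
class Event:
    ts: datetime
    host: str
    proc: str
    msg: str


def parse(lines, year=2025):
    """Turn syslog-shaped lines into Events; BSD syslog has no year, so one is supplied."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparsed lines as a health metric
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append(Event(ts, m["host"], m["proc"], m["msg"]))
    return events


def brute_force_alerts(events, threshold=4, window=timedelta(minutes=5)):
    """One alert per source IP with >= threshold failed logins inside `window`,
    plus a second alert if that IP then logs in successfully within the window."""
    by_ip = defaultdict(list)
    for e in events:
        if e.proc != "sshd":
            continue
        m = SSH_RE.match(e.msg)
        if m:
            by_ip[m["ip"]].append((e.ts, m["result"], m["user"]))
    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        fails = [t for t, r, _ in attempts if r == "Failed"]
        for i, t0 in enumerate(fails):
            in_win = [t for t in fails[i:] if t - t0 <= window]
            if len(in_win) >= threshold:
                alerts.append({"rule": "ssh_bruteforce", "ip": ip, "count": len(in_win)})
                succ = [u for t, r, u in attempts
                        if r == "Accepted" and in_win[-1] <= t <= t0 + window]
                if succ:
                    alerts.append({"rule": "ssh_bruteforce_success", "ip": ip, "user": succ[0]})
                break
    return alerts


def config_change_alerts(events, change_window=(8, 18), allowed_users=("netops",)):
    """Flag successful audited tmsh commands that alter auth/management objects,
    run outside the approved hours, or come from an account not on the allow list.
    The hours and allow list are assumptions for the example."""
    alerts = []
    for e in events:
        if e.proc != "tmsh":
            continue
        m = AUDIT_RE.search(e.msg)
        if not m or m["status"] != "Command OK":
            continue
        reasons = []
        if SENSITIVE_CMD_RE.match(m["cmd"]):
            reasons.append("sensitive_object")
        if not (change_window[0] <= e.ts.hour < change_window[1]):
            reasons.append("outside_change_window")
        if m["user"] not in allowed_users:
            reasons.append("unapproved_user")
        if reasons:
            alerts.append({"rule": "config_change", "user": m["user"],
                           "cmd": m["cmd"], "reasons": reasons})
    return alerts


def run(lines):
    events = parse(lines)
    return brute_force_alerts(events) + config_change_alerts(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

On the constructed input this yields three alerts: a five-failure burst from 203.0.113.7, a successful login from the same address eleven seconds later, and an overnight `create auth user` by an account outside the approved list; the routine pool change by netops during business hours is not flagged. The point worth carrying into a real deployment is the failed-then-succeeded correlation, which is what turns noisy brute-force telemetry into an actionable signal.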

The vendor said it bolstered its internal security in the wake of the breach by rotating credentials and improving its network security architecture and access controls across its systems. F5 also added tools to better monitor, detect and respond to threats, and said it strengthened security controls in its product development environment. 

The company brought in multiple firms to assist in its response and recovery efforts, including NCC Group, IOActive and CrowdStrike. F5 said it’s working with CrowdStrike to make endpoint detection and response sensors and threat hunting available to its customers. 

NCC Group and IOActive both attested that they have not identified any critical-severity vulnerabilities in F5’s source code nor did they find evidence of exploited defects in the company’s critical software, products or development environment. NCC Group added that it has not found any suspicious threat activity such as malicious code injection, malware or backdoors in F5 source code during its review thus far.

“Your trust matters. We know it is earned every day, especially when things go wrong,” the company said in a blog post. “We truly regret that this incident occurred and the risk it may create for you. We are committed to learning from this incident and sharing those lessons with the broader security community.”

Matt Kapko contributed to this story.

The post F5 discloses breach tied to nation-state threat actor appeared first on CyberScoop.

FBI alerts tie together threats of cybercrime, physical violence from The Com

The FBI released a trove of research on The Com last week, warning that the sprawling cybercriminal network of minors and young adults is growing rapidly and splintering into three primary subsets described by officials as Hacker Com, In Real Life Com and Extortion Com.

The warnings lay out how The Com’s thousands of members, typically between 11 and 25 years old, pose a rising threat, especially to youth online, the FBI said. Criminal acts committed by these multiple, interconnected networks include swatting, extortion and sextortion of minors, production and distribution of child sexual abuse material, violent crime and various other cybercrimes, the bureau said.

“The motivations behind the criminal activity vary, but often fall within one of the following: financial gain, retaliation, ideology, sexual gratification and notoriety,” the FBI said in a public service announcement.

Crimes attributed to members of The Com have grown increasingly complex, with perpetrators going to great lengths to mask identities, hide financial transactions and launder money. The Com generally targets young and impressionable people for recruitment on gaming sites and social media platforms to indoctrinate them into their ideology, officials said.

Various subsections of this group have been linked to high-profile crimes over the past few years. In April, two men accused of leading a Com offshoot known as “764” were charged with operating an international child exploitation enterprise. Scattered Spider, another offshoot, tends to focus on cybercrime like ransomware and data extortion. 

Allison Nixon, chief research officer at Unit 221B, commended the level of detail the FBI shared across the series of PSAs, noting that the agency left nothing of importance out of its warnings. Nixon has studied domestic and English-speaking cybercrime and tracked its rise for more than a decade.

“The assessments in this PSA are consistent with what we have seen. There has been a population explosion in The Com and it is good to see law enforcement respond to this — not just with a PSA but with real crackdowns,” she said.

“Hopefully this PSA helps the public understand that many cybercrime arrests nowadays implicate gang violence and sexual crime against children, by children.”

Hacker Com

Hacker Com members are involved in a vast array of cybercrime activities, including distributed denial-of-service attacks, personally identifiable information theft, the sale of government email accounts, ransomware attacks, phishing, malware development and deployment, cryptocurrency theft, intrusions and SIM swapping, according to the FBI.

Scattered Spider, which is responsible for attacks on more than 100 businesses since 2022, is included in this subset.

This subset of The Com uses remote access trojans, phishing kits, voice over internet protocol providers, voice modulators, virtual private networks, cryptocurrency cash-out services, live-streaming services and encrypted email domains, officials said.

“Open-source information indicates Hacker Com groups are responsible for high-profile attacks and intrusions and have affiliations with ransomware organizations,” the FBI said in a PSA dedicated solely to Hacker Com.

The group also has been observed using the same attack methods against each other. The FBI warning details how internal conflicts are common among members of The Com. Personal disputes or rivalries — often over cryptocurrency — frequently lead Hacker Com members to attack and steal from one another, the FBI said.

In Real Life (IRL) Com

Some Com subgroups, which the FBI refers to as “IRL Com,” have gone beyond digital means, offering swat-for-hire services and targeting other members for swatting, doxxing, kidnapping and physical extortion. 

“The intensification of these online conflicts has resulted in the emergence of a new layer of The Com known as In Real Life (IRL) Com, which includes subgroups that aim to facilitate real world acts of violence, oftentimes resulting from online conflicts,” the FBI said.

Acts of physical violence have intensified and expanded to other layers of The Com, as multiple subgroups adopt similar methods of retaliation, the FBI said in a PSA dedicated solely to IRL Com. Some subgroups advertise contracts on messaging apps or other social media networks to commit violence or swatting for payment. 

“IRL Com groups also see swatting as a way of gaining credibility among members; the more attention a swatting incident gets, the more attention the member receives from the group,” the FBI said. “Leaders from IRL Com groups may use swatting to ensure members of the group remain obedient. When members of the IRL Com group disobey orders or refuse to comply with demands, the member or the member’s family may become the target of swatting.”

Extortion Com

The FBI also released a PSA about a subgroup it calls “Extortion Com,” which “systematically targets underage females” and vulnerable populations, including children and those who struggle with mental health issues.

“Victims are typically between the ages of 10 and 17 years old, but the FBI has seen some victims as young as 9 years old,” the FBI said in its PSA. “Threat actors often groom their victims by first establishing a trusting or romantic relationship before eventually manipulating and coercing them into engaging in escalating harmful behavior designed to shame and isolate them.”

Officials said these acts are driven by a range of personal motives, including the pursuit of social status, sexual gratification or a sense of belonging. 

The FBI warns that members of this subgroup manipulate or coerce their victims into producing sexually explicit material or videos depicting animal cruelty and self-harm, and often go on to threaten to share that material with the victims’ families, friends or the wider internet.

Two alleged leaders of the child sextortion group 764 were arrested and charged for directing and distributing CSAM in April. The two men, Leonidas Varagiannis and Prasan Nepal, are accused of exploiting at least eight minor victims, some as young as 13 years old, and face charges that carry a maximum penalty of life in prison.

Officials advised people to look for warning signs that a victim may be targeted by The Com and shared resources for help, including the National Center for Missing and Exploited Children’s CyberTipline and Take It Down service. Victims are encouraged to retain all information about an incident and immediately report to the FBI’s Internet Crime Complaint Center and an FBI Field Office.

The post FBI alerts tie together threats of cybercrime, physical violence from The Com appeared first on CyberScoop.

Microsoft SharePoint attacks ensnare 400 victims, including federal agencies

The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread nearly a week after zero-day exploits were discovered, setting off alarms across the globe. More than 400 organizations have been actively compromised across four waves of attacks, according to Eye Security.

Multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services, have been hit. The California Independent System Operator, which operates some of the state’s wholesale electric grid, was also impacted.

As more victims confirm varying levels of compromise from the attack spree, researchers are learning and sharing more details about post-exploit activities. One of the China-based attackers behind the initial wave of attacks, Storm-2603, deployed Warlock ransomware starting July 18, Microsoft Threat Intelligence said Wednesday in an updated blog post.

The Chinese government-affiliated threat groups Linen Typhoon and Violet Typhoon — which have been active for at least a decade — are also actively exploiting the zero-day vulnerabilities, Microsoft said. Linen Typhoon has focused on stealing intellectual property and Violet Typhoon is an espionage threat group. “Storm” is the prefix Microsoft uses for emerging clusters of activity it has not yet fully attributed.

Microsoft said it observed Storm-2603 modifying Group Policy settings to distribute Warlock ransomware in compromised environments. The attacker is also attempting to steal cryptographic keys from compromised SharePoint servers, which could let attackers maintain persistent access to victim environments even after the patch has been applied. Patching alone does not invalidate keys that have already been taken; Microsoft’s guidance is to rotate the servers’ ASP.NET machine keys and restart IIS after installing the update. Microsoft did not say how many organizations have been hit with ransomware.

The zero-days under active exploit —  CVE-2025-53770 and CVE-2025-53771 — are variants of a pair of previously disclosed vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — Microsoft addressed in its security update earlier this month. After discovering the new flaws, Microsoft scrambled to develop patches, releasing the updates for all affected versions of SharePoint by late Monday.

The exploit chain dubbed “ToolShell,” which requires no credentials and therefore sidesteps multi-factor authentication and single sign-on, combines the newly discovered defects: CVE-2025-53770, a critical remote-code execution vulnerability, and CVE-2025-53771, a security-bypass vulnerability. 

The “ToolShell” exploit chain allows attackers to fully access SharePoint content and execute code over the network, the Cybersecurity and Infrastructure Security Agency said. ESET researchers said threat groups often chain all four vulnerabilities to break into organizations.

CISA added CVE-2025-53770 to its known exploited vulnerabilities catalog Sunday, and added CVE-2025-49704 and CVE-2025-49706 to the catalog Tuesday. CISA said CVE-2025-53770 is a patch bypass for CVE-2025-49704 and CVE-2025-53771 is a patch bypass for CVE-2025-49706.

Officials declined to describe the level of compromise sustained across the federal government.

“Once the Microsoft SharePoint vulnerability was identified on Friday, CISA quickly launched a national coordinated response through an initial alert and two cybersecurity updates,” a Department of Homeland Security spokesperson said in a statement. “CISA has been working around the clock with Microsoft, impacted agencies, and critical infrastructure partners to share actionable information, apply mitigation efforts, implement protective measures, and assess preventative measures to shield from future attacks.”

The spokesperson said an investigation to identify potential exposure remains ongoing, adding “there is no evidence of data exfiltration at DHS or any of its components at this time.”

The Energy Department, which was impacted along with the National Nuclear Security Administration, is also unaware of any compromise of sensitive or classified information. 

Exploitation of the Microsoft SharePoint zero-day vulnerability began affecting the Energy Department and the NNSA on Friday. “The department was minimally impacted due to its widespread use of the Microsoft 365 cloud and very capable cybersecurity systems,” an agency spokesperson said in a statement.

“A very small number of systems were impacted. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate,” the spokesperson added.

The Department of Health and Human Services said it is monitoring, identifying and mitigating all risks to its IT systems posed by the Microsoft SharePoint vulnerability. “This vulnerability is not unique to HHS and has been observed in other federal agencies and the private sector,” a spokesperson for the agency said in a statement. “At present, we have no indication that any information was breached as a result of this vulnerability.”

Jayme Ackemann, director of communications at the California Independent System Operator, said the nonprofit, which manages long-distance power lines across 80% of California’s grid, became aware of potential exploitation Sunday. “There has been no impact to market operations or grid reliability due to this incident,” Ackemann said. “All systems remain stable and fully operational.”

Microsoft SharePoint is prevalent across enterprise and government and deeply integrated with Microsoft’s platform. Researchers warn that attackers could use intrusions to burrow deeper into victim networks.

Attacks have spread globally but U.S.-based organizations are the most heavily targeted to date, accounting for more than 13% of attacks, according to ESET’s telemetry data. Scans from the Shadowserver Foundation showed nearly 11,000 SharePoint instances were still exposed to the internet as of Wednesday.

The post Microsoft SharePoint attacks ensnare 400 victims, including federal agencies appeared first on CyberScoop.