Critical Intelligence Alert: ED 26-01 – Action Required
On October 15, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 26-01, ordering federal agencies to mitigate a significant security breach involving F5 BIG-IP products.
F5 disclosed that nation-state threat actors maintained long-term unauthorized access to internal systems, exfiltrating:
- Portions of BIG-IP source code
- Unpublished vulnerability information
- Customer implementation/configuration data
This breach represents a major risk to organizations running F5 devices, especially those with exposed management interfaces or unpatched systems. This alert outlines what ED 26-01 means for you, and how to take action.
What ED 26-01 means for you
While ED 26-01 targets U.S. Federal Civilian Executive Branch (FCEB) agencies, all organizations using F5 devices should take note. CISA cites:
- The technical advantage attackers gained from stolen source code and zero-day data
- The imminent threat to government networks and likely spillover into commercial targets
- The urgency to mitigate against further compromise
What you should do now
- Patch Immediately
Apply the latest updates to:
  - BIG-IP (all versions)
  - F5OS
  - BIG-IP Next (including Kubernetes & CNF)
  - BIG-IQ
  - APM clients
- Disconnect End-of-Support Devices
Remove public-facing F5 hardware no longer supported unless mission-critical. CISA requires plans for decommissioning.
- Restrict Interface Exposure
Lock down management interfaces. Do not allow internet exposure. Use jump boxes and internal-only access.
- Inventory and Monitor
Inventory all F5 assets and monitor for anomalies. CISA mandates inventory reporting by October 29, 2025.
- Watch for Exploitation
The stolen vulnerability data could allow attackers to develop targeted exploits before patches are applied.
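The four actions above (patch, disconnect end-of-support devices, restrict management exposure, inventory) are easiest to apply consistently when the asset inventory is triaged by a script rather than by hand. The following is an added example written for this alert; it is not Bitsight or F5 code. It assumes one record per device (product family, running version, whether the management interface is reachable from the internet, whether the device serves public traffic, F5 support status, a mission-critical flag) and a per-product map of minimum fixed versions that the operator fills in from F5's advisory. The version map and inventory at the bottom are constructed for illustration and are not the versions F5 published.

```python
"""Triage an F5 asset inventory against the ED 26-01 action items.

Added example (not Bitsight or F5 code). Minimum fixed versions are an
operator-supplied input; the SAMPLE_* values below are constructed.
"""
from dataclasses import dataclass
import re

# Guidance text for each action code, following the alert's action list.
ACTION_TEXT = {
    "PATCH": "Apply the latest F5 updates; running version is below the minimum fixed version",
    "DISCONNECT": "Public-facing end-of-support device: remove it from service",
    "PLAN_DECOMMISSION": "End-of-support device (mission-critical or internal): document a decommissioning plan",
    "RESTRICT": "Management interface is internet-exposed: move it behind a jump box, internal-only access",
    "UNKNOWN_PRODUCT": "Product family not in the ED 26-01 list: confirm scope manually",
    "OK": "No immediate action: keep in the inventory report and monitor for anomalies",
}


@dataclass
class F5Asset:
    hostname: str
    product: str                    # "BIG-IP", "F5OS", "BIG-IP Next", "BIG-IQ", "APM client"
    version: str
    mgmt_internet_exposed: bool     # management interface reachable from the internet
    supported: bool                 # False = end-of-support per F5
    public_facing: bool = True      # device serves internet-facing traffic
    mission_critical: bool = False


def parse_version(v: str) -> tuple:
    """'17.1.0.3' -> (17, 1, 0, 3); a non-numeric component counts as 0."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def triage(asset: F5Asset, min_fixed: dict) -> list:
    """Return the ED 26-01 action codes that apply to one asset."""
    if asset.product not in min_fixed:
        return ["UNKNOWN_PRODUCT"]
    actions = []
    if not asset.supported:
        # An end-of-support device will not receive the fix, so patching is not an option.
        if asset.public_facing and not asset.mission_critical:
            actions.append("DISCONNECT")
        else:
            actions.append("PLAN_DECOMMISSION")
    elif parse_version(asset.version) < parse_version(min_fixed[asset.product]):
        actions.append("PATCH")
    if asset.mgmt_internet_exposed:
        actions.append("RESTRICT")
    return actions or ["OK"]


def triage_inventory(assets, min_fixed) -> dict:
    """Map hostname -> action codes; the basis for the inventory report CISA requires."""
    return {a.hostname: triage(a, min_fixed) for a in assets}


# Constructed minimum fixed versions: illustrative only, NOT the versions F5 published.
SAMPLE_MIN_FIXED = {
    "BIG-IP": "17.1.2",
    "F5OS": "1.8.0",
    "BIG-IP Next": "20.3.0",
    "BIG-IQ": "8.3.0",
    "APM client": "7.2.5",
}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    F5Asset("lb-edge-01", "BIG-IP", "17.1.0", mgmt_internet_exposed=True, supported=True),
    F5Asset("lb-int-02", "BIG-IP", "17.1.2", mgmt_internet_exposed=False, supported=True),
    F5Asset("lb-legacy-03", "BIG-IP", "13.1.5", mgmt_internet_exposed=True, supported=False),
    F5Asset("lb-legacy-04", "BIG-IP", "13.1.5", mgmt_internet_exposed=False, supported=False,
            mission_critical=True),
    F5Asset("chassis-05", "F5OS", "1.7.0", mgmt_internet_exposed=False, supported=True),
    F5Asset("mystery-06", "Other-Appliance", "1.0", mgmt_internet_exposed=False, supported=True),
]

if __name__ == "__main__":
    for host, codes in triage_inventory(SAMPLE_INVENTORY, SAMPLE_MIN_FIXED).items():
        print(host)
        for code in codes:
            print(f"  [{code}] {ACTION_TEXT[code]}")
```

The output is a per-host action list that can be fed directly into the inventory report due October 29, 2025; keeping the minimum fixed versions as a separate input means the script does not go stale when F5 publishes further updates.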
Malware insight: BRICKSTORM
According to Bloomberg and Mandiant, the breach involved the use of BRICKSTORM malware. BRICKSTORM enabled:
- Long-term persistence inside F5’s internal development environment
- Credential and configuration data collection
- Covert access and potential lateral movement
Although BRICKSTORM has not been observed in customer environments, defenders should monitor for related indicators.
Strategic risk indicators
- The combination of stolen code and zero-day intelligence gives attackers a head start in exploit development.
- No access was reported to CRM, financials, support case management, or iHealth systems. (Source: F5 SEC 8-K Filing)
How Bitsight supports your response
- Attack Surface Monitoring: See if your org or vendors expose vulnerable F5 infrastructure
- Threat Intelligence: Track BRICKSTORM activity, exploit chatter, and IOC development
- Vulnerability Detection: Monitor BIG-IP patch adoption across your third-party ecosystem
- Executive Reporting: Convert ED 26-01 response into actionable, board-level communication
Bottom Line: ED 26-01 is not just a government alert; it is a call to action for every organization using F5 technology. The breach has changed the threat landscape. Apply patches. Reduce exposure. Stay ahead of exploitation.
For more help understanding your exposure to this incident, contact Bitsight CTI.