Weekend Cybersecurity Roundup: Hackers and Source Code Threats
By Krista Lyons
Over the past few days, two major cybersecurity stories have gripped the industry.
Both stories highlight how even well-established vendors and service providers remain vulnerable, and why supply-chain, software-maintenance and third-party risk must be front and centre in your security strategy.
Headline 1: F5 Networks source code stolen, supply chain under threat
As we previously shared, in one of the most consequential stories, F5 Networks, a key infrastructure vendor whose load-balancers, firewalls and application delivery controllers underpin a huge portion of enterprise and federal networks, was breached and subjected to sustained access.
A prolonged intrusion (more than a year) resulted in the theft of development files, including source code and internal research on undisclosed vulnerabilities. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive telling federal civilian agencies to immediately patch/replace at-risk F5 devices.
Analysts warn that the stolen code could enable rapid weaponization of known/unknown vulnerabilities, leaving a large attack surface exposed.
Headline 2: Envoy Air hit in Oracle E-Business Suite campaign — third-party software under siege
Another significant incident: Envoy Air (regional carrier for American Airlines) confirmed a cyber-intrusion tied to vulnerabilities in the Oracle E‑Business Suite (EBS) applications — part of a broader campaign by the threat actor group CL0P.
While no sensitive customer data has been publicly confirmed as compromised, business data and contact info may have been accessed. The campaign exploits third-party software weaknesses — organizations using EBS or similar suites should consider their exposure and vendor patching cycles.
Key take-aways
- Assume vendor compromise is possible
  - Even trusted infrastructure vendors (like F5) can be breached. Don’t solely rely on “vendor trusted” status; maintain your internal controls, logging, and mitigation plans.
  - Monitor vendor advisories, emergency directives (e.g., from CISA) and apply patches/mitigations promptly.
- Patch proactively and comprehensively
  - Both incidents underscore that adversaries exploit unpatched or legacy systems. If your organization uses appliances, remote access software, legacy ERP suites, you need an aggressive patch strategy.
  - Include asset-discovery; ensure no “shadow systems” are unmonitored.
- Segment and manage risk at access points
  - Remote access endpoints (VPNs, remote desktop gateways, etc.) are high value. Ensure strong authentication (MFA), least-privilege access, zero-trust network segmentation.
  - Log and monitor connections, especially to critical backend systems.
- Treat third-party/vendor software as part of your attack surface
  - Vendor code, supply-chain components, and software suites (ERP, CRM, PaaS) can introduce risk into your network even if your systems appear “locked down.”
  - Perform regular vendor-risk assessments, insist on security-by-design from your suppliers, and verify controls on update/patch cycles. Additionally, using SaaS app protection can help.
- Elevate your incident response readiness
  - Given how quickly vulnerabilities can be weaponized (vendor-code leaks, exploit chains), your IR playbook needs to be current.
  - Run tabletop exercises simulating large-scale vendor/device compromise; ensure you can rapidly isolate affected components, rotate credentials, monitor for lateral movement.
Final Thoughts
This weekend’s stories are reminders that:
- Even mature, high-value vendors are vulnerable.
- Attackers increasingly exploit supply-chain and third-party software vectors.
- Orgs cannot rely purely on perimeter defenses; they must assume internal systems and vendor components may be breached.
Stay vigilant.