A recently documented intrusion shows attackers using an F5 BIG-IP edge appliance as the entry point for a multi-stage compromise that ultimately targeted Active Directory inside an enterprise network.
Microsoft’s Defender Security Research has highlighted a concerning trend: devices that traditionally serve as the security perimeter, such as firewalls, VPN concentrators and load balancers, are being turned by attackers into points of unauthorized entry.
These edge devices are often exposed to the internet, lightly monitored, and trusted within corporate environments, making them attractive targets for attackers seeking a persistent foothold and access to sensitive credentials and identity integrations.
Entry Via Outdated F5 BIG-IP Systems
The attackers’ first observed step was an SSH login to a Linux host by way of an F5 BIG-IP load balancer. The device was identified as an Azure-hosted BIG-IP Virtual Edition appliance running a software version that reached end-of-life on December 31, 2024, meaning it no longer received security fixes.
Once in, the intruders operated through existing privileged accounts rather than installing a persistence mechanism, so there was no implant to find; the episode underscores the risk posed by over-privileged accounts with sudo rights.
From that foothold they ran shell scripts to scan the internal network, probing for open services and exploitable weaknesses.
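The over-privileged sudo accounts described above are something a defender can audit directly. The following is an added example, not code from the original report or from Microsoft: a small parser for the sudoers user-specification grammar that lists every user or group allowed to run ALL commands and flags the ones that can do so without a password. The sudoers content it runs against is constructed for the example; the regex, the tag handling and the severity labels are this example's own assumptions, not anything the report specifies.

```python
import re

# Constructed /etc/sudoers content for illustration; not taken from the original report.
SAMPLE_SUDOERS = """\
# constructed example, not a real host's file
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
deploy      ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
monitor     ALL=(ALL) NOPASSWD: /usr/bin/systemctl status *
@includedir /etc/sudoers.d
"""

# User-spec grammar:  who  hosts = (runas) [Tag:] cmd, [Tag:] cmd, ...
USER_SPEC = re.compile(
    r"^(?P<who>[%+]?\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SUDO_TAGS = {"NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:",
             "LOG_INPUT:", "NOLOG_INPUT:", "LOG_OUTPUT:", "NOLOG_OUTPUT:", "MAIL:", "NOMAIL:"}
# Lines that are not user specifications and are ignored by this audit.
SKIP_PREFIXES = ("#", "@", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_command_list(cmds):
    """Split a sudoers command list into (command, nopasswd) pairs.

    A tag such as NOPASSWD: applies to the command it precedes and to every
    later command in the same list until another tag overrides it.
    """
    out, nopasswd = [], False
    for segment in cmds.split(","):
        tokens = segment.split()
        while tokens and tokens[0].upper() in SUDO_TAGS:
            tag = tokens.pop(0).upper()
            if tag == "NOPASSWD:":
                nopasswd = True
            elif tag == "PASSWD:":
                nopasswd = False
        if tokens:
            out.append((" ".join(tokens), nopasswd))
    return out


def audit_sudoers(text):
    """Return each user/group entry that may run ALL commands, noting whether a password is required."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        for cmd, nopasswd in parse_command_list(m["cmds"]):
            if cmd.upper() == "ALL":
                findings.append({
                    "who": m["who"],
                    "runas": m["runas"] or "root",   # sudo's default target user
                    "nopasswd": nopasswd,
                    "level": "critical" if nopasswd else "high",
                })
                break
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['level']:8} {f['who']:10} runas={f['runas']} nopasswd={f['nopasswd']}")
```

On the sample file this reports root and %wheel as high (unrestricted but password-gated) and deploy as critical, because a NOPASSWD ALL entry lets anyone who obtains that account's SSH key or session become root silently. Entries under /etc/sudoers.d are not followed here; run the audit over each included file as well.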
Advanced Attack Techniques
After the initial scans, the attackers used the gowitness tool to capture screenshots of exposed HTTP/HTTPS services, routing the requests through a SOCKS5 proxy to disguise their origin.
When they identified Windows servers, they tried to move laterally to them using NTLM-based authentication attacks and various open-source tools; these initial attempts failed.
They then downloaded a custom scanning tool from their command-and-control server and ran it against the organization’s web applications and mobile services, which turned up vulnerabilities in an internal Atlassian Confluence server.
Security Recommendations and Observations
Microsoft’s findings show how a single remote code execution in a perimeter component can cascade into identity compromise across platforms, and they underline the need for disciplined patching and monitoring in hybrid environments.
The company advises treating internet-facing edge devices as high-priority assets, enforcing strict lifecycle management so that end-of-life versions are retired or upgraded rather than left running, and hardening internal web applications such as the Confluence server abused here.
To blunt the NTLM-based lateral movement seen in this intrusion, Microsoft recommends disabling NTLM wherever possible, requiring signed and channel-bound protocols (SMB signing, LDAP signing and LDAP channel binding), and enabling Extended Protection for Authentication so that relayed NTLM credentials are rejected.
Microsoft has also published advanced hunting queries; security teams are encouraged to hunt for signals such as SSH logins originating from F5 BIG-IP devices and credential-access activity spawned by Confluence processes.
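The two hunting signals above can be expressed as detection logic over raw telemetry. The following is an added example written for this page, not one of Microsoft’s published advanced hunting queries: it runs over constructed sshd syslog lines and constructed process-creation records (column names modeled on Defender’s DeviceProcessEvents schema) and flags successful SSH logins whose source is a BIG-IP self-IP, and child processes of Confluence’s Java process whose command line matches common credential-access techniques. The BIG-IP addresses, the log lines, the events and the credential-access patterns are all assumptions of the example; the report does not list the specific commands the attackers ran.

```python
import re
from dataclasses import dataclass

# Assumed self-IPs of the organisation's BIG-IP appliances (constructed values).
BIGIP_SELF_IPS = {"10.20.0.5", "10.20.0.6"}

# Constructed sshd lines in syslog format from two internal Linux hosts.
SAMPLE_AUTH_LOG = [
    "Oct 14 03:12:44 app-srv-01 sshd[2211]: Accepted publickey for deploy from 10.20.0.5 port 51422 ssh2: ED25519 SHA256:h3llo",
    "Oct 14 03:13:01 app-srv-01 sshd[2230]: Failed password for root from 10.20.0.5 port 51430 ssh2",
    "Oct 14 03:15:09 db-srv-02 sshd[1187]: Accepted password for admin from 10.20.0.5 port 51502 ssh2",
    "Oct 14 09:00:12 app-srv-01 sshd[3411]: Accepted publickey for ops from 10.50.1.12 port 40022 ssh2: RSA SHA256:w0rk",
]

# Constructed process-creation records using DeviceProcessEvents column names.
CONFLUENCE_JAVA = ('"C:\\Program Files\\Atlassian\\Confluence\\jre\\bin\\java.exe" '
                   '-Dcatalina.base="C:\\Program Files\\Atlassian\\Confluence" org.apache.catalina.startup.Bootstrap')
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "confl-01", "InitiatingProcessFileName": "java.exe", "InitiatingProcessCommandLine": CONFLUENCE_JAVA,
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 612 C:\\Windows\\Temp\\l.dmp full"},
    {"DeviceName": "confl-01", "InitiatingProcessFileName": "java.exe", "InitiatingProcessCommandLine": CONFLUENCE_JAVA,
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami /all"},
    {"DeviceName": "ci-01", "InitiatingProcessFileName": "java.exe", "InitiatingProcessCommandLine": "java.exe -jar C:\\jenkins\\jenkins.war",
     "FileName": "reg.exe", "ProcessCommandLine": "reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},
    {"DeviceName": "confl-01", "InitiatingProcessFileName": "java.exe", "InitiatingProcessCommandLine": CONFLUENCE_JAVA,
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -c \"reg save HKLM\\SECURITY C:\\Windows\\Temp\\sec.hiv\""},
]

SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Generic credential-access command-line indicators (assumed, not from the report).
CRED_ACCESS_PATTERNS = [
    ("LSASS dump via comsvcs.dll", re.compile(r"comsvcs\.dll.*minidump", re.I)),
    ("LSASS dump via procdump", re.compile(r"procdump.*lsass", re.I)),
    ("registry hive save", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)),
    ("NTDS extraction via ntdsutil", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("mimikatz", re.compile(r"mimikatz|sekurlsa", re.I)),
]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Finding:
    kind: str
    host: str
    detail: str


def ssh_logins_from_bigip(log_lines, bigip_ips=BIGIP_SELF_IPS):
    """One Finding per successful SSH login whose source address is a BIG-IP self-IP."""
    findings = []
    for line in log_lines:
        m = SSHD_ACCEPTED.match(line)
        if m and m["src"] in bigip_ips:
            findings.append(Finding("ssh_from_bigip", m["host"],
                                    f"{m['user']} via {m['method']} from {m['src']} at {m['ts']}"))
    return findings


def is_confluence_process(event):
    """Identify Confluence's Java process by its command line rather than by image name alone."""
    return "confluence" in event.get("InitiatingProcessCommandLine", "").lower()


def confluence_credential_access(events):
    """Flag credential-access commands, and any interactive shell, spawned by Confluence."""
    findings = []
    for ev in events:
        if not is_confluence_process(ev):
            continue
        cmd = ev.get("ProcessCommandLine", "")
        for label, pattern in CRED_ACCESS_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding("credential_access", ev["DeviceName"], f"{label}: {cmd}"))
                break
        else:  # no credential-access pattern matched; a shell child is still worth a look
            if ev.get("FileName", "").lower() in SHELLS:
                findings.append(Finding("shell_from_confluence", ev["DeviceName"], cmd))
    return findings


if __name__ == "__main__":
    for f in ssh_logins_from_bigip(SAMPLE_AUTH_LOG) + confluence_credential_access(SAMPLE_PROCESS_EVENTS):
        print(f"{f.kind:24} {f.host:12} {f.detail}")
```

The SSH rule deliberately ignores failed attempts and keys on the source address rather than the account, since the report's point is that the BIG-IP should never be initiating interactive logins into the rest of the estate; add the appliance's other self-IPs and management address to the set. The Confluence rule is scoped to Confluence's process tree, so the Jenkins event in the sample is not reported even though the same command from any service account deserves attention.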
By remaining vigilant and adopting comprehensive security practices, organizations can better protect their networks from similar sophisticated intrusion attempts.
