Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
F5 BIG-IP Exploit Enables Network Intrusion via SSH

F5 BIG-IP Exploit Enables Network Intrusion via SSH

Posted on May 23, 2026 By CWS

A recent cyber attack has been identified where attackers leveraged an F5 BIG-IP edge appliance to initiate a complex intrusion, ultimately targeting Active Directory systems within enterprise networks.

Microsoft’s Defender Security Research has highlighted a concerning trend where devices traditionally serving as security perimeters, such as firewalls and VPNs, are being repurposed by cybercriminals as points of unauthorized entry.

These edge devices are often exposed to the internet, lightly monitored, and trusted within corporate environments, making them attractive targets for attackers seeking a persistent foothold and access to sensitive credentials and identity integrations.

Entry Via Outdated F5 BIG-IP Systems

The attackers began by gaining SSH access to a Linux host through an F5 BIG-IP load balancer. This particular device was identified as an Azure-hosted BIG-IP Virtual Edition appliance running a version that reached its end-of-life on December 31, 2024.

Once access was achieved, intruders used privileged accounts to maintain a presence without deploying obvious persistence tactics, underscoring the risk posed by over-privileged accounts with sudo capabilities.

The attackers conducted thorough reconnaissance using shell scripts for network scanning, further probing the internal network for vulnerabilities and open services.

Advanced Attack Techniques

After initial scans, the cybercriminals used the gowitness tool to capture screenshots of exposed HTTP/HTTPS services, utilizing a SOCKS5 proxy to mask their activities.

When they identified Windows servers, the attackers attempted to move laterally within the network using NTLM-based methods and various open-source tools, though initial attempts were unsuccessful.

Further infiltration involved downloading a custom scanning tool from a command and control server to test the organization’s web applications and mobile services, uncovering vulnerabilities in an internal Atlassian Confluence server.

Security Recommendations and Observations

Microsoft’s findings reveal that a single remote code execution in a perimeter component can lead to extensive identity compromises across different platforms. It emphasizes the need for robust patching and monitoring in hybrid environments.

The company advises treating internet-facing edge devices as high-priority assets, applying strict lifecycle management, and enhancing security measures for internal web applications.

To mitigate such threats, Microsoft recommends disabling NTLM where possible, enforcing secure communication protocols, and using advanced protection methods to deter relay attacks.

Security teams are encouraged to use Microsoft’s advanced hunting queries to detect suspicious activities, such as SSH logins from F5 BIG-IP devices and unauthorized credential access originating from Confluence processes.

By remaining vigilant and adopting comprehensive security practices, organizations can better protect their networks from similar sophisticated intrusion attempts.

Cyber Security News Tags:Active Directory, cyber attack, Cybersecurity, F5 BIG-IP, Hackers, Linux networks, Microsoft Defender, network security, SSH access

Post navigation

Previous Post: Drupal Core SQL Vulnerability Exploitation Reported
Next Post: Compromised Laravel-Lang Packages Spread Credential Stealer

Related Posts

Critical Microsoft Teams Flaw Allows Device Spoofing Critical Microsoft Teams Flaw Allows Device Spoofing Cyber Security News
CyberCheck360: Advancing Email Security Beyond Gateways CyberCheck360: Advancing Email Security Beyond Gateways Cyber Security News
Arcane Werewolf Hacker Group Added Loki 2.1 Malware Toolkit to their Arsenal Arcane Werewolf Hacker Group Added Loki 2.1 Malware Toolkit to their Arsenal Cyber Security News
SentinelOne Global Service Outage Root Cause Revealed SentinelOne Global Service Outage Root Cause Revealed Cyber Security News
Threat Actors Attacking Windows Systems With New Multi-Stage Malware Framework PS1Bot Threat Actors Attacking Windows Systems With New Multi-Stage Malware Framework PS1Bot Cyber Security News
FBI Warns of Hackers Altering Photos Found on Social Media to Use as Fake Proof FBI Warns of Hackers Altering Photos Found on Social Media to Use as Fake Proof Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark