Hackers Exploit F5 BIG‑IP

Overview

A sophisticated multi‑stage intrusion campaign has exposed how attackers are exploiting F5 BIG‑IP edge appliances to infiltrate enterprise environments. According to Microsoft Defender Security Research, the threat actor used an internet‑facing BIG‑IP load balancer as the initial access point, ultimately pivoting into Active Directory and internal Linux systems.

This attack highlights a growing trend: security boundary devices — firewalls, VPN gateways, and load balancers — are being repurposed as entry points. Because these appliances are externally exposed yet highly trusted inside networks, a single compromise can yield persistent access, stored credentials, and identity integrations.

Key Highlights

  • Attackers exploited an F5 BIG‑IP Virtual Edition (v15.1.201000) hosted on Azure that had reached end‑of‑life on December 31, 2024.
  • The actor gained SSH access using a privileged account and conducted hands‑on keyboard operations without persistence mechanisms.
  • Reconnaissance included horizontal Nmap scans, gowitness fingerprinting, and SOCKS5 proxy enumeration of internal web services.
  • Windows lateral movement attempts used open‑source tools like enum4linux, netexec, smbclient, ldapsearch, and kerbrute.
  • A custom scanner (HackTool:Linux/MalPack.B) was downloaded from C2 server 206.189.27[.]39, probing web and mobile services.
  • The attacker exploited an unpatched Atlassian Confluence server for remote code execution, harvesting credentials from configuration files.
  • Escalation included Kerberos relay attacks and exploitation of CVE‑2025‑33073 via PetitPotam coercion and DNS manipulation.

Impact

This intrusion demonstrates how one vulnerable edge appliance can cascade into cross‑platform identity compromise. Once inside, attackers leveraged Linux and Windows tools interchangeably, bridging hybrid cloud and on‑prem environments.

Even though real‑time protection blocked payloads on one Confluence host, the attacker's continued tool staging through anonymous FTP transfers and Python ftplib underscores the need for continuous monitoring and patch governance.

Defensive Guidance

Microsoft recommends treating internet‑facing edge appliances as Tier‑0 assets and enforcing strict lifecycle management:

  • Patch or decommission end‑of‑life devices immediately.
  • Harden internal web applications with the same urgency as public‑facing services.
  • Disable NTLM and enable Extended Protection for Authentication.
  • Monitor SSH logons and credential access from Confluence processes.
  • Apply identity hardening across hybrid estates.
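One way to turn the "monitor SSH logons and credential access from Confluence processes" guidance into host-side detection logic, as an added example that is not from Microsoft's report or from F5: it parses constructed sshd syslog lines from an appliance and constructed process-start records from a Confluence host, and flags privileged logons from unexpected sources and shells or interpreters launched under the Confluence service account (the latter used as a proxy for post-exploitation credential harvesting, since the application reading its own configuration is normal). The privileged account names, the management subnet, the service account name and the interpreter list are assumptions.

```python
import re

# Constructed sshd log lines from an imagined BIG-IP appliance, not real telemetry.
SAMPLE_SSHD_LOG = """\
Mar  3 02:14:07 bigip1 sshd[2211]: Accepted password for admin from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:09 bigip1 sshd[2213]: Failed password for root from 198.51.100.7 port 40100 ssh2
Mar  3 09:00:01 bigip1 sshd[2299]: Accepted publickey for svc_backup from 10.20.0.5 port 41122 ssh2
Mar  3 09:05:44 bigip1 sshd[2301]: Accepted password for root from 10.20.0.5 port 41130 ssh2
Mar  3 09:06:10 bigip1 sshd[2305]: Accepted publickey for admin from 10.20.0.9 port 41140 ssh2
"""

# Constructed process-start records (parent_comm, child_comm, user) from a
# Confluence host; the "confluence" service account name is an assumption.
SAMPLE_PROC_EVENTS = [
    ("systemd", "java", "confluence"),
    ("java", "java", "confluence"),
    ("java", "sh", "confluence"),
    ("sh", "python3", "confluence"),
    ("sshd", "bash", "opsadmin"),
]

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
PRIVILEGED_USERS = {"root", "admin"}   # assumed privileged appliance accounts
MGMT_PREFIX = "10.20.0."              # assumed management subnet for admin SSH


def flag_ssh_logons(log_text):
    """Return (user, src, reason) for each accepted privileged logon that
    either comes from outside the management subnet or used a password."""
    findings = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m or m["result"] != "Accepted" or m["user"] not in PRIVILEGED_USERS:
            continue
        user, src, method = m["user"], m["src"], m["method"]
        if not src.startswith(MGMT_PREFIX):
            findings.append((user, src, "privileged logon from outside mgmt subnet"))
        elif method == "password":
            findings.append((user, src, "privileged password logon, keys expected"))
    return findings


# Assumed set of shells/interpreters a web application should never spawn.
INTERPRETERS = {"sh", "bash", "dash", "python3", "perl", "curl", "wget"}


def flag_confluence_children(events, service_user="confluence"):
    """Return (parent, child) pairs where a process running as the Confluence
    service account launched a shell or interpreter."""
    return [(p, c) for p, c, u in events if u == service_user and c in INTERPRETERS]
```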

Final Thought

The F5 BIG‑IP exploitation campaign is a stark reminder that edge infrastructure is not immune to compromise. Attackers increasingly target trusted network devices to bypass perimeter defenses and move laterally into identity systems.

For defenders, the takeaway is clear: patch aggressively, monitor continuously, and treat every edge appliance as a potential attack vector.
