Microsoft has detailed a multi-stage intrusion in which a threat actor compromised an internet-exposed F5 BIG-IP edge appliance and used it as the entry point for an identity-focused attack that ultimately reached Active Directory.
As described by Microsoft’s Defender Security Research team, the incident fits a broader trend: firewalls, VPN gateways, and load balancers, devices historically regarded as security controls, are increasingly being used by attackers for initial access.
Because edge appliances sit at the network boundary, are often lightly monitored, and are highly trusted inside the enterprise, a single compromise can give an attacker a durable, low-visibility foothold with access to stored credentials, certificates, and identity integrations.
Initial Access Through an End-of-Life F5 BIG-IP
The threat actor managed to establish SSH access to an initial Linux host via an F5 BIG-IP load balancer.
Device inventory traced the breach to an Azure-hosted BIG-IP Virtual Edition appliance, operating on the obsolete version 15.1.201000, which officially reached end-of-life on December 31, 2024.
The attacker authenticated to the Linux server over SSH with a privileged account and kept using that direct access for the whole operation, without deploying any explicit persistence mechanism.
The point for defenders is that an over-privileged identity with sudo rights needs no implant: as long as the credential stays valid, the attacker simply logs back in.
Once on the host, the attacker began extensive reconnaissance. A shell script drove horizontal Nmap scans across internal subnets to find live hosts, followed by vertical scans of the discovered hosts to enumerate open services.
gowitness was then used, through a SOCKS5 proxy, to screenshot and fingerprint the exposed HTTP/HTTPS services.
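The two-phase pattern above (hosts first, then services) is exactly what a scan detection should key on. The following Python is an added example, not code from Microsoft’s report or from the attacker’s script: it groups connection records per source into tumbling time windows (the equivalent of KQL’s bin()) and flags a source that touches many hosts on one port or many ports on one host. The flow records, addresses and thresholds are constructed for illustration.

```python
"""Scan-pattern detection over connection records.

Flags the two phases seen in the intrusion: a horizontal sweep (one source,
many hosts, one port) followed by a vertical scan (one source, one host, many
ports). Tumbling windows stand in for KQL's bin(); thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def _bin(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to a tumbling window (the equivalent of KQL bin())."""
    epoch = datetime(1970, 1, 1)
    secs = int((ts - epoch).total_seconds())
    width = int(window.total_seconds())
    return epoch + timedelta(seconds=secs - secs % width)


def detect_scans(flows, window=timedelta(minutes=5),
                 horiz_min_hosts=8, vert_min_ports=10):
    """Return scan findings as (kind, src, key, bucket, count) tuples.

    horizontal: src reached >= horiz_min_hosts distinct hosts on one port (key = port)
    vertical:   src reached >= vert_min_ports distinct ports on one host (key = host)
    Thresholds are assumptions; tune them to the environment's normal fan-out.
    """
    hosts_per_port = defaultdict(set)   # (src, bucket, dport) -> {dst}
    ports_per_host = defaultdict(set)   # (src, bucket, dst)   -> {dport}
    for f in flows:
        bucket = _bin(f.ts, window)
        hosts_per_port[(f.src, bucket, f.dport)].add(f.dst)
        ports_per_host[(f.src, bucket, f.dst)].add(f.dport)

    findings = []
    for (src, bucket, dport), hosts in hosts_per_port.items():
        if len(hosts) >= horiz_min_hosts:
            findings.append(("horizontal", src, dport, bucket, len(hosts)))
    for (src, bucket, dst), ports in ports_per_host.items():
        if len(ports) >= vert_min_ports:
            findings.append(("vertical", src, dst, bucket, len(ports)))
    return sorted(findings, key=lambda x: (x[3], x[0], str(x[2])))


# Constructed sample flows (not real telemetry). 10.10.0.5 stands in for the
# Linux host reached through the BIG-IP; 10.10.0.9 is a benign admin workstation.
T0 = datetime(2025, 6, 1, 10, 0, 0)
SCANNER = "10.10.0.5"
SAMPLE_FLOWS = []
# Phase 1: horizontal sweep of a /24 on tcp/445 within one minute.
for i in range(1, 13):
    SAMPLE_FLOWS.append(Flow(T0 + timedelta(seconds=i), SCANNER, f"10.10.1.{i}", 445))
# Phase 2: vertical scan of one host that answered.
for j, port in enumerate([21, 22, 80, 135, 139, 443, 445, 3389, 5985, 8080, 8443, 9090]):
    SAMPLE_FLOWS.append(Flow(T0 + timedelta(minutes=2, seconds=j), SCANNER, "10.10.1.7", port))
# Benign: a workstation talking HTTPS to three servers stays under both thresholds.
for i, dst in enumerate(["10.10.1.3", "10.10.1.4", "10.10.1.5"]):
    SAMPLE_FLOWS.append(Flow(T0 + timedelta(minutes=1, seconds=i), "10.10.0.9", dst, 443))

if __name__ == "__main__":
    for kind, src, key, bucket, count in detect_scans(SAMPLE_FLOWS):
        print(f"{bucket:%H:%M} {kind:10} src={src} key={key} count={count}")
```

The sweep and the follow-up port scan both surface from the same record set; the benign workstation never crosses either threshold. Because the SOCKS5 proxy put gowitness traffic behind the same source address, the HTTP fingerprinting phase would also land in these counts rather than being hidden by the proxy.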
When Windows servers were found, the attacker attempted NTLM-based lateral movement with a familiar set of open-source tools (enum4linux, netexec, smbclient, rpcclient, timeroast, ldapsearch, kerbrute, and responder), but these initial attempts failed.
The attacker then downloaded a custom scanning tool from the command-and-control server 206.189.27[.]39, which Microsoft detects as HackTool:Linux/MalPack.B; it probed the organization’s web applications and mobile backends, including Firebase and GCM endpoints, to test their access controls.
Reconnaissance also turned up an internally hosted Atlassian Confluence server with unpatched vulnerabilities, which the attacker exploited for remote code execution.
Notably, Confluence was not internet-facing; it became reachable only once the attacker had an internal foothold.
Because real-time protection kept blocking repeated payload deployments on the Confluence host, the attacker changed delivery method: apparently expecting network-level defenses as well, they stood up an anonymous FTP server on the Linux staging host with Python (the article names ftplib, which is only a client library, so a server-side module would have been required) and pulled the tool over with curl into /dev/shm, a memory-backed tmpfs that leaves nothing on disk after a reboot.
After compromising Confluence, the attacker harvested credentials from configuration files such as server.xml and confluence.cfg.xml and reused them against the Windows infrastructure.
Those credentials enabled Kerberos relay attacks and exploitation of CVE-2025-33073, using netexec together with PetitPotam authentication coercion and DNS manipulation tools against a domain controller.
Microsoft emphasizes that this intrusion shows how a single remote code execution in a perimeter-adjacent web component can lead to identity compromise across unrelated applications, crossing platform and trust boundaries.
The case shows that attackers need not be sophisticated, only persistent, in environments with patching and monitoring gaps.
Microsoft Defender for Endpoint detected the activity and blocked the ELF payload on the single Confluence host where real-time protection was enabled.
Microsoft advises treating internet-facing edge appliances as Tier 0 assets with strict lifecycle and patch governance.
It also recommends hardening internal web applications with the same urgency as external ones, strengthening identity protections, disabling NTLM wherever feasible, enforcing SMB and LDAP signing, and enabling Extended Protection for Authentication to mitigate relay attacks.
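The registry side of those recommendations can be checked mechanically. The Python below is an added example, not Microsoft’s guidance or tooling: it parses a `reg export` of the relevant keys and flags each value that is below the hardened setting (NTLMv2-only, NTLM restriction, required SMB and LDAP signing, and LDAP channel binding, which is how Extended Protection for Authentication applies to LDAPS). The two exports are constructed, one weak and one hardened. The NTDS values only exist on domain controllers, and EPA for IIS-hosted services such as AD CS web enrollment is configured in IIS rather than the registry, so it is outside this check.

```python
"""Audit a `reg export` of the NTLM, SMB-signing and LDAP-signing settings that
the report's recommendations map to. Added example; the value names and
thresholds are Microsoft's documented policy values, the exports are made up.
Run it against an export from a domain controller: the NTDS values only exist
there, and IIS-level Extended Protection (e.g. for AD CS web enrollment) is
not a registry flag and is not covered.
"""
import re

REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
MSV = LSA + r"\MSV1_0"
SRV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WKS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
NTDS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"

# (key, value name, minimum acceptable dword, what that value means)
RELAY_HARDENING = [
    (LSA, "LmCompatibilityLevel", 5, "send NTLMv2 only; refuse LM and NTLM"),
    (MSV, "RestrictSendingNTLMTraffic", 2, "deny all outgoing NTLM"),
    (MSV, "RestrictReceivingNTLMTraffic", 2, "deny all incoming NTLM"),
    (SRV, "RequireSecuritySignature", 1, "SMB server: signing required"),
    (WKS, "RequireSecuritySignature", 1, "SMB client: signing required"),
    (NTDS, "LDAPServerIntegrity", 2, "LDAP signing required"),
    (NTDS, "LdapEnforceChannelBinding", 2, "LDAP channel binding always (EPA for LDAPS)"),
]


def parse_reg_export(text):
    """Return {(key, value_name): int} for every dword in a reg export."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := REG_KEY.match(line):
            key = m.group("key")
        elif key and (m := REG_DWORD.match(line)):
            values[(key, m.group("name"))] = int(m.group("hex"), 16)
    return values


def audit(values, policy=RELAY_HARDENING):
    """Return (name, observed, required, meaning) for each setting below policy.

    An absent value is reported as observed=None and treated as failing rather
    than guessing the OS default, which differs between members and DCs.
    """
    failures = []
    for key, name, minimum, meaning in policy:
        observed = values.get((key, name))
        if observed is None or observed < minimum:
            failures.append((name, observed, minimum, meaning))
    return failures


# Constructed exports: a typical un-hardened host, and the same keys after
# applying the recommendations.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictSendingNTLMTraffic"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"LDAPServerIntegrity"=dword:00000001
"LdapEnforceChannelBinding"=dword:00000000
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictSendingNTLMTraffic"=dword:00000002
"RestrictReceivingNTLMTraffic"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"LDAPServerIntegrity"=dword:00000002
"LdapEnforceChannelBinding"=dword:00000002
"""

if __name__ == "__main__":
    for name, observed, required, meaning in audit(parse_reg_export(WEAK_EXPORT)):
        print(f"FAIL {name}: observed={observed} required>={required} ({meaning})")
    print("hardened export failures:", audit(parse_reg_export(HARDENED_EXPORT)))
```

Note that EnableSecuritySignature=1 in the weak export is the setting that looks like signing but is not: it only negotiates signing, and relay tooling simply declines. Only RequireSecuritySignature closes the SMB relay path, and only LDAPServerIntegrity=2 with channel binding closes the LDAP one.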
Published indicators include the command-and-control address 206.189.27[.]39 and SHA-256 hashes for the custom scanner, the Nmap scanning script, Kerbrute, gowitness, and an NTLM relay script.

Microsoft has also published advanced hunting queries designed to reveal SSH logons originating from F5 BIG-IP devices and credential access from Confluence processes.
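Those queries are not reproduced in the article. As an added example (not Microsoft’s KQL), the Python below implements the same two pivots over constructed data: accepted sshd logons whose source address belongs to a BIG-IP, and opens of the Confluence credential files named earlier (confluence.cfg.xml and server.xml) by any process other than the Confluence JVM. The BIG-IP address, log lines, hostnames and file paths are assumptions.

```python
"""Hunting logic for two of the report's pivots, over constructed sample data:
(1) interactive SSH logons whose source is a BIG-IP address, and
(2) reads of Confluence credential-bearing config files by anything other
than the Confluence JVM. Sample lines, addresses and paths are made up.
"""
import os
import re

# Assumed BIG-IP self-IP(s); in practice, pull these from the asset inventory.
BIGIP_ADDRESSES = {"10.10.0.5"}

SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed syslog excerpt in OpenSSH's default format.
SAMPLE_AUTH_LOG = """\
Jun  1 09:58:12 app01 sshd[4021]: Accepted publickey for deploy from 10.10.2.20 port 50122 ssh2: ED25519 SHA256:Zm9v
Jun  1 10:00:03 app01 sshd[4100]: Accepted password for svc_admin from 10.10.0.5 port 51234 ssh2
Jun  1 10:00:09 app01 sshd[4100]: pam_unix(sshd:session): session opened for user svc_admin(uid=1001) by (uid=0)
Jun  1 10:03:44 app01 sudo: svc_admin : TTY=pts/0 ; PWD=/home/svc_admin ; USER=root ; COMMAND=/usr/bin/nmap -sn 10.10.1.0/24
"""


def ssh_logons_from_bigip(log_text, bigip_addrs=BIGIP_ADDRESSES):
    """Return (ts, host, user, method, src) for accepted logons sourced from a BIG-IP."""
    hits = []
    for line in log_text.splitlines():
        m = SSHD_ACCEPTED.match(line)
        if m and m.group("src") in bigip_addrs:
            hits.append((m.group("ts"), m.group("host"), m.group("user"),
                         m.group("method"), m.group("src")))
    return hits


# Files the report names as the credential source after the Confluence RCE.
CRED_FILES = {"confluence.cfg.xml", "server.xml"}
# Only the Confluence JVM should open them. Keyed on (process, user), not user
# alone: a web shell spawned by the RCE runs as the confluence user too.
EXPECTED_READERS = {("java", "confluence")}

# Constructed file-open events: (ts, host, process, user, path). Paths assume
# a default Confluence home and install directory.
SAMPLE_FILE_EVENTS = [
    ("2025-06-01T10:20:01", "wiki01", "java", "confluence",
     "/var/atlassian/application-data/confluence/confluence.cfg.xml"),
    ("2025-06-01T10:41:15", "wiki01", "cat", "confluence",
     "/var/atlassian/application-data/confluence/confluence.cfg.xml"),
    ("2025-06-01T10:41:30", "wiki01", "grep", "confluence",
     "/opt/atlassian/confluence/conf/server.xml"),
    ("2025-06-01T10:42:00", "wiki01", "bash", "root", "/etc/hosts"),
]


def credential_file_access(events, expected_readers=EXPECTED_READERS):
    """Return events where a credential file was opened by an unexpected process."""
    return [
        ev for ev in events
        if os.path.basename(ev[4]) in CRED_FILES and (ev[2], ev[3]) not in expected_readers
    ]


if __name__ == "__main__":
    for hit in ssh_logons_from_bigip(SAMPLE_AUTH_LOG):
        print("SSH from BIG-IP:", hit)
    for ev in credential_file_access(SAMPLE_FILE_EVENTS):
        print("credential file read:", ev)
```

Keying the credential-file rule on process and user rather than user alone matters: a web shell spawned through the Confluence RCE runs as the confluence user, so a user-only filter would let the attacker’s cat and grep through. On the SSH side, the interesting follow-up is the sudo line a few minutes after the BIG-IP-sourced logon, which a second rule can join on user and host.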
Indicators of Compromise (IOC)
| Indicator | Type | Description |
|---|---|---|
| 4a927d031919fd6bd88d3c8a917214b54bca00f8ddc80ecfe4d230663dda7465 | SHA-256 file hash | Custom scanning tool |
| b4592cea69699b2c0737d4e19cff7dca17b5baf5a238cd6da950a37e9986f216 | SHA-256 file hash | Shell script for automated network scanning using Nmap |
| 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | SHA-256 file hash | Kerbrute tool |
| 57b3188e24782c27fdf72493ce599537efd3187d03b80f8afe733c72d68c5517 | SHA-256 file hash | gowitness scanner |
| bdd5da81ac34d9faa2a5118d4ed8f492239734be02146cd24a0e34270a48a455 | SHA-256 file hash | NTLM relay Python script |
| 206.189.27[.]39 | IPv4 address | C2 server |
Source link: Cybersecuritynews.com.