Listen to this Post

Introduction:
A multi‑stage intrusion campaign highlights how a single, unpatched F5 BIG‑IP edge appliance can act as the beachhead for a full‑scale Active Directory compromise. In a recently documented incident, threat actors used an end‑of‑life, Azure‑hosted BIG‑IP Virtual Edition to pivot into internal Linux networks and eventually take over the identity infrastructure. The attack underscores that perimeter devices, often lightly monitored and highly trusted inside enterprise environments, are becoming prime initial access vectors. Below we dissect the complete attack chain, from SSH foothold to domain controller compromise, and provide actionable commands and hardening steps for defenders.
Learning Objectives:
- Objective 1: Understand how an unpatched F5 BIG‑IP appliance (version 15.1.201000) can be exploited to gain privileged SSH access into internal networks.
- Objective 2: Learn the post‑exploitation reconnaissance and lateral movement techniques used, including Nmap scanning, gowitness, and NTLM‑based tooling.
- Objective 3: Acquire detection and mitigation commands for Linux/Windows, including log analysis, iControl REST API monitoring, and system hardening.
You Should Know:
1. Initial Compromise Through an End‑of‑Life BIG‑IP Appliance
The attack began with an internet‑facing F5 BIG‑IP Virtual Edition appliance running version 15.1.201000—a build commonly deployed via Azure ARM templates and Terraform modules that reached end‑of‑life on December 31, 2024. The specific vulnerability exploited is CVE-2025-53521, a flaw in the BIG‑IP Access Policy Manager (APM). Originally disclosed as a denial‑of‑service issue, it was reclassified in March 2026 as an unauthenticated remote code execution (RCE) with a CVSS score of 9.8. F5 has confirmed active exploitation, and CISA added this CVE to its Known Exploited Vulnerabilities catalog. Attackers send crafted traffic to a virtual server with an APM access policy, triggering RCE and allowing them to deploy web shells or establish SSH access.
Step‑by‑step guide for detection (Linux/F5 BIG‑IP):
- Check BIG‑IP version and end‑of‑life status:
tmsh show sys version
If you see `15.1.x` (especially
15.1.201000), patch immediately or upgrade to a fixed release: 15.1.10.8,16.1.6.1,17.1.3, or17.5.1.3.- Search for common indicators of compromise (IOCs):
Look for unexpected files or modified binaries ls -la /run/bigtlog.pipe /run/bigstart.ltm md5sum /usr/bin/umount /usr/sbin/httpd Compare hashes with known good versions
- Audit iControl REST API logs for anomalous access:
grep "iControl REST API" /var/log/restjavad-audit..log grep "disable SELinux" /var/log/auditd/audit.log.
F5 notes that an entry showing a local user accessing the API from localhost to disable SELinux is a strong IOC.
- Inspect UCS configuration archives for malicious modifications:
tar -ztf config.ucs | grep -E "passwd|shadow|krb5.conf|openldap"
Attackers often modify
/etc/passwd,/etc/shadow, and Kerberos configuration files.
2. SSH Access and Over‑Privileged Account Abuse
Once the BIG‑IP appliance was compromised, the threat actor used it to establish SSH access into a Linux host—the first internal pivot point. Critically, the attacker authenticated with a privileged account that had unrestricted `sudo` rights. No explicit persistence mechanisms were deployed; the attacker maintained hands‑on‑keyboard control throughout the operation. This scenario highlights the danger of over‑privileged identities: if an attacker lands on a host with broad sudo access, they can operate undetected for extended periods.
Step‑by‑step guide to audit and restrict SSH/sudo on Linux:
– List all users with sudo rights:
grep -Po '^sudo.+:\K.$' /etc/group
– Review recent SSH logins (especially from unknown sources):
sudo journalctl _COMM=sshd --since "2026-05-01" | grep Accepted
– Enforce principle of least privilege:
Example: remove sudo rights from a user sudo deluser username sudo Or restrict specific commands in /etc/sudoers username ALL=(ALL) /usr/bin/systemctl status , !/usr/bin/systemctl stop
– Detect interactive SSH sessions without persistence:
Look for long‑running SSH processes ps aux | grep sshd | grep -v grep
3. Aggressive Internal Reconnaissance with Open‑Source Tooling
After gaining the SSH foothold, the attacker performed layered reconnaissance. Using a shell script, they ran horizontal Nmap scans across internal subnets to discover live hosts, followed by deeper vertical scans on discovered IPs to enumerate open services. The attacker also used gowitness to capture screenshots of HTTP/HTTPS services and testssl to probe SSL/TLS weaknesses. A custom ELF binary, detected as HackTool:Linux/MalPack.B, was downloaded from the C2 server `206.189.27[.]39` using `wget` to further enumerate web application access controls.
Step‑by‑step guide for defenders (Linux network monitoring):
- Detect Nmap scans from internal hosts:
Look for multiple SYN packets to different ports in a short time sudo tcpdump -i eth0 'tcp[bash] & (tcp-syn) != 0' -c 100 Check process list for Nmap ps aux | grep -E 'nmap|masscan|zmap'
- Monitor for gowitness or testssl execution:
Search bash history for reconnaissance tools grep -E "gowitness|testssl|nmap" ~/.bash_history
- Block outbound connections to suspicious IPs:
sudo iptables -A OUTPUT -d 206.189.27.39 -j DROP
- Linux command to list all listening services (to understand your own exposure):
sudo ss -tulpn
- Lateral Movement to Internal Confluence Server and Credential Harvesting
Reconnaissance revealed an internal Atlassian Confluence server that was not internet‑facing but became reachable after the attacker gained an internal foothold. The Confluence server carried unpatched RCE vulnerabilities (such as CVE‑2025‑33073). When real‑time protection blocked direct payload drops, the attacker adapted by setting up an anonymous FTP server on the initial Linux host using Python’s `ftplib` and transferred the exploit payload via `curl` into /dev/shm.
Step‑by‑step guide to harden internal web apps and detect FTP staging:
– Windows command to detect FTP servers on unexpected ports:
netstat -an | findstr ":21"
– Linux command to monitor /dev/shm for unusual executables:
find /dev/shm -type f -exec ls -la {} \;
– Check Confluence logs for exploitation attempts:
grep -i "rce|exploit|cmd=" /path/to/confluence/logs/atlassian-confluence.log
– Apply Confluence patches – Ensure all internal web applications are patched with the same urgency as external ones.
- Credential Harvesting and Kerberos Relay to Active Directory
Once Confluence was compromised, the attacker harvested credentials from configuration files such as `server.xml` and confluence.cfg.xml. These credentials were then used against Windows infrastructure, leading to Kerberos relay attacks and exploitation of CVE‑2025‑33073. The attacker used `netexec` with `PetitPotam` coercion and DNS manipulation tooling to target a domain controller. The open‑source toolkit included enum4linux, kerbrute, responder, smbclient, and rpcclient.
Step‑by‑step guide to detect NTLM/Kerberos abuse (Windows/Linux):
- Windows command to check for unusual Kerberos ticket requests:
Get-WinEvent -LogName "Security" | Where-Object { $<em>.Id -eq 4768 -or $</em>.Id -eq 4769 } | Select-Object TimeCreated, Message - Detect responder or ntlmrelayx activity:
Linux – look for LLMNR/NBT‑NS spoofing sudo tcpdump -i eth0 'udp port 5355 or udp port 137'
- Enforce SMB signing and LDAP signing:
Windows – Check SMB signing configuration Get-SmbServerConfiguration | Select EnableSMB1Protocol, RequireSecuritySignature Set-SmbServerConfiguration -RequireSecuritySignature $true
- Linux command to monitor for unexpected SMB connections:
sudo netstat -tunap | grep :445
6. Detection Using F5‑Specific Indicators and Logs
F5 has released a set of indicators of compromise (IOCs) that defenders can use to assess whether their BIG‑IP systems have been compromised. These include:
– File‑related IOCs: Presence of `/run/bigtlog.pipe` or /run/bigstart.ltm; mismatched hashes, sizes, or timestamps for `/usr/bin/umount` or /usr/sbin/httpd.
– Log‑related IOCs: Entries in `/var/log/restjavad-audit.
– Network IOCs: Outbound HTTP/S traffic containing CSS `content‑type` and HTTP `201` response codes, which may disguise webshell activity.
– TTPs: Modifications to binaries that break the system integrity checker (sys‑eicheck) and webshells that operate in‑memory only, leaving no modified files on disk.
Step‑by‑step guide to automate IOC checking:
- Script to check F5 BIG‑IP IOCs:
!/bin/bash echo "=== Checking F5 BIG-IP IOCs ===" [ -f /run/bigtlog.pipe ] && echo "[!] /run/bigtlog.pipe found" [ -f /run/bigstart.ltm ] && echo "[!] /run/bigstart.ltm found" echo "Checking /usr/bin/umount hash..." md5sum /usr/bin/umount echo "Checking /usr/sbin/httpd hash..." md5sum /usr/sbin/httpd echo "Checking iControl REST API logs..." grep "iControl REST API" /var/log/restjavad-audit..log
- Mitigation and Hardening: Treat Edge Appliances as Tier‑0 Assets
The attack demonstrates that internet‑facing edge appliances must be treated as Tier‑0 security assets with strict lifecycle governance. Microsoft recommends that organizations:
– Apply patches for CVE‑2025‑53521 immediately (upgrade to 15.1.10.8, 16.1.6.1, 17.1.3, or 17.5.1.3).
– Replace EOL appliances – any BIG‑IP version that has reached end‑of‑life (like 15.1.201000) should be decommissioned or upgraded immediately.
– Harden internal web applications with the same urgency as external services.
– Apply identity hardening – enforce multi‑factor authentication, restrict sudo privileges, and monitor for anomalous Kerberos activity.
– Implement network segmentation so that compromise of an edge appliance does not grant unfettered access to internal networks.
Step‑by‑step guide for rapid mitigation:
- Upgrade F5 BIG‑IP to a fixed version:
Download the patch from F5 Downloads, then: tmsh load sys config tmsh install sys software image BIGIP-15.1.10.8.iso
- If patching is not immediately possible, restrict access:
Block external access to the iControl REST API tmsh modify sys httpd allow-management-from add { 127.0.0.1 } - Linux command to segment an edge appliance:
sudo iptables -A INPUT -i eth0 -p tcp --dport 443 -j DROP Block external HTTPS management
What Undercode Say:
- Key Takeaway 1: The reclassification of CVE‑2025‑53521 from a DoS to an RCE shows how vulnerability severity can evolve; organizations must continuously monitor for updated advisories, not just initial patch levels.
- Key Takeaway 2: Over‑privileged identities with unrestricted sudo are as dangerous as unpatched software; the attacker maintained hands‑on access without any persistence mechanism solely because the initial host had a privileged account.
Analysis (Undercode):
This attack chain is a textbook example of how a single perimeter misconfiguration—an end‑of‑life edge appliance—can lead to complete domain compromise. The attacker didn’t need zero‑day sophistication; they used publicly disclosed vulnerabilities (CVE‑2025‑53521) and open‑source tooling. The most alarming aspect is the lack of explicit persistence: the attacker simply stayed logged in via an over‑privileged SSH session. This means that traditional endpoint detection (which looks for malware or persistence) would have missed the entire operation. Organizations need to shift from “patch and forget” to continuous identity and access governance. Edge appliances must be treated as critical infrastructure, with strict change management, regular integrity checks, and real‑time monitoring of management interfaces. Moreover, internal web applications like Confluence must be hardened even if they are not internet‑facing—once an attacker has a foothold, all internal systems become potential targets. Finally, the incident reaffirms that detection must occur at multiple layers: network (scanning activity), host (SSH logs, sudo abuse), and identity (anomalous Kerberos tickets).
Prediction:
Expect a surge in supply‑chain attacks targeting F5 BIG‑IP source code and vulnerability research exfiltrated during the August 2025 breach of F5’s internal systems. Adversaries now have insider knowledge of undisclosed vulnerabilities, which they will weaponize into zero‑days within the next 6‑12 months. This will be compounded by the high number of still‑unpatched 15.1.x appliances in cloud environments (Azure ARM, Terraform deployments). Organizations that fail to treat edge appliances as Tier‑0 assets will face repeated compromises, with attackers pivoting from edge to identity in under 48 hours. To stay ahead, defenders must adopt continuous vulnerability reassessment, real‑time identity analytics, and assume that perimeter appliances will eventually be breached.
▶️ Related Video (74% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


