Initial Access via Obsolete F5 BIG-IP Appliance
Microsoft’s Defender Security Research team has detailed a sophisticated multi-stage intrusion campaign where attackers used an internet-facing F5 BIG-IP load balancer as the initial entry point. The compromised device, a Virtual Edition running version 15.1.201000 hosted on Azure, had reached end-of-life status in December 2024, leaving it without security updates. The threat actor established SSH access to an internal Linux server from this edge appliance, exploiting the device’s high trust level within the enterprise network.
Attack Progression and Lateral Movement
Once authenticated via a privileged SSH account, the attacker maintained persistent hands-on-keyboard access without deploying traditional backdoors, relying instead on the account’s excessive sudo privileges. They conducted thorough reconnaissance using Nmap scans across internal subnets, identified open ports and services, and used gowitness to capture screenshots of exposed HTTP/HTTPS services through a SOCKS5 proxy. The attacker also deployed a custom scanning tool, retrieved from a command-and-control server, to probe web applications and mobile services for access control vulnerabilities.
Broader Implications for Edge Device Security
This incident highlights a growing trend in which network boundary appliances such as firewalls, VPN gateways, and load balancers are repurposed as initial attack vectors. Because these devices are externally exposed, lightly monitored, and deeply integrated into identity and authentication workflows, a single compromise can give attackers a stable, low-visibility foothold. Organizations are urged to audit outdated edge appliances, enforce strict SSH access controls, and remove over-privileged accounts to reduce the risk of such pivoting attacks.
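As an added illustration, not taken from the Microsoft report or this article, the script below applies the recommendations above to constructed syslog lines and a constructed sudoers file: it flags SSH logins on an internal Linux host that originate from an inventoried edge appliance, sudo use of the reconnaissance tooling named above by those same accounts, and non-root sudoers rules that grant unrestricted root. The appliance address, account names and log lines are all constructed for the example.

```python
import re

# Constructed inventory of internet-facing edge appliances (not from the report).
EDGE_APPLIANCES = {"10.0.0.5": "f5-bigip-ve (end-of-life)"}
# Tooling named in the campaign; running it under sudo from an edge-originated session is a signal.
RECON_TOOLS = ("nmap", "gowitness")

SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+) port")
SUDO_CMD = re.compile(r"sudo: (?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
# Sudoers rule granting unrestricted root: "<user> ALL=(ALL[:ALL]) [NOPASSWD:] ALL"
SUDO_ALL = re.compile(r"^(?P<user>\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*(?P<nopasswd>NOPASSWD:\s*)?ALL$")

# Constructed auth.log-style lines, not real telemetry.
SAMPLE_AUTH_LOG = """\
Nov  1 09:12:44 app01 sshd[2211]: Accepted publickey for svc_admin from 10.0.0.5 port 51234 ssh2
Nov  1 09:13:01 app01 sshd[2290]: Accepted password for alice from 10.0.2.17 port 40022 ssh2
Nov  1 09:15:10 app01 sudo: svc_admin : TTY=pts/0 ; PWD=/home/svc_admin ; USER=root ; COMMAND=/usr/bin/nmap 10.0.1.0/24
Nov  1 09:20:33 app01 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""
# Constructed sudoers file: svc_admin holds the kind of over-privileged rule the article warns about.
SAMPLE_SUDOERS = """\
Defaults env_reset
root      ALL=(ALL:ALL) ALL
svc_admin ALL=(ALL) NOPASSWD: ALL
alice     ALL=(root) /usr/bin/systemctl restart nginx
"""

def edge_ssh_logins(log):
    """Accounts that opened SSH sessions from a known edge appliance: [(user, src, label)]."""
    return [(m["user"], m["src"], EDGE_APPLIANCES[m["src"]])
            for m in map(SSH_ACCEPT.search, log.splitlines()) if m and m["src"] in EDGE_APPLIANCES]

def sudo_recon_by(users, log):
    """sudo invocations of recon tooling by the given accounts: [(user, command)]."""
    hits = []
    for m in map(SUDO_CMD.search, log.splitlines()):
        if m and m["user"] in users and any(tool in m["cmd"] for tool in RECON_TOOLS):
            hits.append((m["user"], m["cmd"]))
    return hits

def overprivileged_sudoers(text):
    """Non-root accounts with unrestricted sudo: [(user, nopasswd_granted)]."""
    found = []
    for raw in text.splitlines():
        m = SUDO_ALL.match(raw.split("#", 1)[0].strip())  # ignore comments and padding
        if m and m["user"] != "root":
            found.append((m["user"], m["nopasswd"] is not None))
    return found
```

Chaining the three checks (edge-originated login, then recon under sudo by that account, then the sudoers rule that made it possible) reproduces the sequence the report describes and gives a reviewer three concrete findings to act on.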
Source: Cyber Security News

