Security researchers at Microsoft Defender have documented a sophisticated multi-stage intrusion campaign in which threat actors exploited an end-of-life F5 BIG-IP edge appliance as the initial entry point, ultimately pivoting deep into enterprise Linux and Windows networks — and reaching Active Directory. The case illustrates a growing trend where perimeter security devices, traditionally trusted as network defenders, are being weaponized as attack launchpads.
Initial Access: End-of-Life F5 BIG-IP
The threat actor established SSH access to the victim’s internal Linux host from a network device identified as an F5 BIG-IP load balancer — specifically, an Azure-hosted BIG-IP Virtual Edition running version 15.1.201000, a build that reached end-of-life on December 31, 2024. Azure ARM templates and Terraform modules commonly deploy this version, making it a widespread target in cloud environments.
Once inside, the attacker authenticated using a privileged account and maintained hands-on keyboard access throughout the operation, deliberately avoiding the deployment of explicit persistence mechanisms. This hands-on approach exploited over-privileged identities with sudo rights — a common misconfiguration in enterprise Linux environments.
Reconnaissance and Lateral Movement
After gaining initial access, the attacker conducted aggressive internal reconnaissance. Using a shell script, they executed horizontal Nmap scans across internal subnets to enumerate live hosts, followed by vertical scans to identify exposed services. The tool gowitness was then used to screenshot and fingerprint HTTP/HTTPS services via a SOCKS5 proxy.
Where Windows servers were discovered, the actor attempted NTLM-based lateral movement using familiar open-source tools including enum4linux, netexec, smbclient, rpcclient, timeroast, ldapsearch, kerbrute, and responder. Initial attempts failed, prompting a pivot in tactics.
The actor then retrieved a custom scanning tool from a remote C2 server at 206.189.27[.]39 using wget — flagged by Microsoft as HackTool:Linux/MalPack.B — to probe web applications and mobile services including Firebase and GCM. This reconnaissance uncovered an unpatched internal Atlassian Confluence server that, while not internet-facing, was reachable from the attacker’s internal foothold.
Confluence Exploitation and Credential Harvesting
The attacker exploited the unpatched Confluence server for remote code execution. When real-time protection repeatedly blocked payload drops, they pivoted to hosting an anonymous FTP server on the Linux staging host using Python’s ftplib and transferring tools via curl into /dev/shm — an in-memory filesystem that leaves no disk artifacts.
After compromising Confluence, the attacker harvested credentials from configuration files including server.xml and confluence.cfg.xml. These credentials were then used against Windows infrastructure, escalating into Kerberos relay attacks and exploitation of CVE-2025-33073 using netexec with PetitPotam coercion and DNS manipulation targeting a domain controller.
Key Indicators of Compromise
- C2 server: 206.189.27[.]39
- Custom scanner hash: 4a927d031919fd6bd88d3c8a917214b54bca00f8ddc80ecfe4d230663dda7465
- Nmap automation script: b4592cea69699b2c0737d4e19cff7dca17b5baf5a238cd6da950a37e9986f216
- Kerbrute tool: 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a
- gowitness scanner: 57b3188e24782c27fdf72493ce599537efd3187d03b80f8afe733c72d68c5517
Microsoft’s Recommendations
Microsoft notes this intrusion demonstrates how a single RCE in a perimeter-adjacent application can cascade into identity compromise across entirely separate platforms, crossing trust boundaries with persistence. Their recommendations include:
- Treat internet-facing edge appliances as Tier-0 assets with strict lifecycle and patch governance — retire end-of-life devices immediately.
- Apply the same patching urgency to internal web apps (like Confluence) as to external-facing services.
- Enforce identity hardening: disable NTLM where possible, enforce SMB and LDAP signing, and enable Extended Protection for Authentication.
- Deploy advanced hunting queries to detect SSH logons originating from F5 BIG-IP devices and credential access from Confluence processes.
- Audit sudo rights on Linux hosts and eliminate over-privileged service accounts.
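One way to implement the SSH-logon detection in the recommendation above on a Linux host, as an added example that is not Microsoft's hunting query or the report's own code: it parses standard sshd and sudo entries from auth.log, flags accepted logons whose source address belongs to an edge appliance, and attaches any sudo commands the same user then ran on that host. The appliance inventory (EDGE_APPLIANCE_IPS), the host names and the log lines are all constructed for the example.

```python
import re

# Constructed sample auth.log lines (not from the incident); 10.0.1.5 stands in
# for a BIG-IP self-IP taken from a hypothetical appliance inventory.
SAMPLE_AUTH_LOG = """\
Jan 14 02:11:07 app01 sshd[2231]: Accepted publickey for svc_deploy from 10.0.1.5 port 51822 ssh2: RSA SHA256:abc
Jan 14 02:11:09 app01 sudo: svc_deploy : TTY=pts/1 ; PWD=/home/svc_deploy ; USER=root ; COMMAND=/usr/bin/nmap -sn 10.0.0.0/16
Jan 14 02:15:40 app01 sshd[2290]: Accepted password for alice from 10.0.50.12 port 40210 ssh2
Jan 14 02:16:01 app01 sshd[2301]: Failed password for root from 10.0.1.5 port 51900 ssh2
"""

# Management/self-IPs of edge appliances; in practice this comes from the CMDB.
EDGE_APPLIANCE_IPS = {"10.0.1.5": "f5-bigip-ve-01"}

SSH_ACCEPT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
SUDO_CMD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def find_edge_ssh_logons(lines, edge_ips=EDGE_APPLIANCE_IPS):
    """Return accepted SSH logons sourced from an edge appliance, each with the sudo
    commands the same user ran on that host afterwards. A load balancer should never
    initiate SSH into the estate, so every hit is worth triage."""
    hits = []
    for line in lines:
        m = SSH_ACCEPT.match(line)
        if m and m["src"] in edge_ips:
            hits.append({**m.groupdict(), "appliance": edge_ips[m["src"]], "sudo": []})
            continue
        s = SUDO_CMD.match(line)
        if s:
            for h in hits:
                if h["host"] == s["host"] and h["user"] == s["user"]:
                    h["sudo"].append(s["cmd"])
    return hits

if __name__ == "__main__":
    for hit in find_edge_ssh_logons(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[ALERT] {hit['ts']} {hit['host']}: {hit['user']} via {hit['method']} "
              f"from {hit['appliance']} ({hit['src']}); sudo: {hit['sudo']}")
```

The failed logon from the appliance is deliberately ignored here; a fuller rule would count those too, since failed attempts from a device that should never SSH anywhere are just as anomalous.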
Microsoft Defender for Endpoint detected and blocked the ELF payload on the one Confluence host where real-time protection was enabled — underscoring the importance of comprehensive endpoint coverage across hybrid environments, not just Windows systems.