A recent intrusion highlights how F5 BIG-IP appliances are being used as entry points into enterprise networks. According to Cyber Security News, the attackers obtained SSH access to an internet-facing BIG-IP device and used that foothold to reach internal systems and, eventually, Active Directory.
The compromised device was an Azure-hosted BIG-IP Virtual Edition running version 15.1.201000, a release on the 15.1.x branch, which reached end of technical support on December 31, 2024. Software past end of support receives no further security fixes, so any weakness in it stays exploitable for as long as the device remains online. Once on the appliance, the attackers conducted extensive reconnaissance of the internal network, using Nmap for port scanning and ‘gowitness’ to capture screenshots of the web services it exposed.
The attackers then attempted lateral movement, targeting Windows servers with NTLM-based techniques and a range of open-source tooling. Those initial attempts failed, but an unpatched internal Atlassian Confluence server gave them remote code execution. From there they harvested credentials stored in configuration files and turned back to the Windows infrastructure, this time using Kerberos relay attacks and exploiting CVE-2025-33073, a Windows SMB client elevation-of-privilege flaw that Microsoft patched in June 2025.
The incident underscores two basics: keep software within its support window and apply security patches promptly, on internal systems such as Confluence as much as on the perimeter. It also shows why edge devices deserve close monitoring. They sit on the boundary, are often managed outside the normal patch cycle, and once compromised give an attacker a platform inside the network; their management-plane logins, especially over SSH, should be restricted to known administrative networks and alerted on when they are not.
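As an illustration of that monitoring advice, here is an added example (not code from the article or from Cyber Security News) that runs simple detection logic over BIG-IP management-plane SSH logs. BIG-IP's sshd writes standard OpenSSH messages to /var/log/secure; the sample lines below are constructed for this example, and the 10.20.0.0/24 "trusted jump-host" range, the hostname, and the IP addresses are assumptions, not details from the incident. The script flags password-guessing bursts, successful logins from outside the trusted range, and password-based root logins, which is the kind of signal that would have surfaced the SSH access described above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/secure entries in OpenSSH's syslog format.
# Hostname, PIDs and addresses are made up for this example; 203.0.113.0/24
# is a documentation range standing in for an internet source.
SAMPLE_LOG = """\
Mar  3 02:11:09 bigip1 sshd[4122]: Failed password for root from 203.0.113.45 port 51622 ssh2
Mar  3 02:11:12 bigip1 sshd[4122]: Failed password for root from 203.0.113.45 port 51622 ssh2
Mar  3 02:11:15 bigip1 sshd[4122]: Failed password for root from 203.0.113.45 port 51622 ssh2
Mar  3 02:11:18 bigip1 sshd[4122]: Failed password for root from 203.0.113.45 port 51622 ssh2
Mar  3 02:11:21 bigip1 sshd[4122]: Failed password for root from 203.0.113.45 port 51622 ssh2
Mar  3 02:11:24 bigip1 sshd[4122]: Failed password for root from 203.0.113.45 port 51622 ssh2
Mar  3 02:12:40 bigip1 sshd[4130]: Accepted password for root from 203.0.113.45 port 51700 ssh2
Mar  3 09:00:02 bigip1 sshd[5001]: Accepted publickey for admin from 10.20.0.15 port 44102 ssh2: RSA SHA256:abc
"""

# Assumed: the only network that should ever reach the management plane.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.:a-fA-F]+) port \d+"
)


def parse(log_text):
    """Return a list of dicts for every sshd authentication line that matches."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_trusted(ip):
    """True if the source address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def analyze(log_text, fail_threshold=5):
    """Apply three rules and return findings in a stable order."""
    events = parse(log_text)
    findings = []

    # Rule 1: repeated failures from one source look like password guessing.
    fails = Counter(e["ip"] for e in events if e["result"] == "Failed")
    for ip, n in sorted(fails.items()):
        if n >= fail_threshold:
            findings.append({"rule": "brute_force", "ip": ip, "count": n})

    for e in events:
        if e["result"] != "Accepted":
            continue
        # Rule 2: any successful login from outside the management network.
        if not is_trusted(e["ip"]):
            findings.append({"rule": "untrusted_login", "ip": e["ip"], "user": e["user"]})
        # Rule 3: root logging in with a password rather than a key.
        if e["user"] == "root" and e["method"] == "password":
            findings.append({"rule": "root_password_login", "ip": e["ip"], "user": e["user"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On a real deployment you would feed this the device's /var/log/secure (or the remote syslog stream it forwards) rather than the embedded sample, and the trusted range would be the actual jump-host or bastion subnet. The point is that all three rules fire on ordinary sshd messages; no vendor-specific telemetry is needed to notice an internet host logging into the management plane.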
Source: Cyber Security News