A threat actor compromised an internet-facing, end-of-life F5 BIG-IP load balancer (Azure-hosted VE, v15.1.201000) and used it as a launch point to SSH into an internal Linux host with a privileged account. From that foothold, the actor performed broad network reconnaissance, exploited an unpatched internal Atlassian Confluence server via RCE, harvested credentials from Confluence config files, and attempted Kerberos/NTLM relay attacks against a domain controller including exploitation of CVE-2025-33073. The intrusion illustrates a cross-domain attack chain spanning network appliances, Linux servers, SaaS applications, and Active Directory identity.
Severity: High
Attack Details
- Initial Access: SSH into Linux host from compromised F5 BIG-IP (EOL appliance, EOL date 31 Dec 2024) using a privileged account
- Persistence: Maintained sustained hands-on SSH access via over-privileged identity with sudo; no explicit persistence implant needed
- Discovery: Horizontal then vertical Nmap scans of internal subnets; HTTP/HTTPS recon via gowitness; file enumeration
- Defense Evasion / Tooling: Downloaded custom scanner from 206.189.27[.]39; set up Python ftplib FTP server on staging host after Defender RTP blocked direct payload drop
- Lateral Movement: Remote code execution against unpatched internal Confluence (Java web app); credential theft from server.xml and confluence.cfg.xml
- Credential Access / Privilege Escalation: Kerberos relay attacks, CVE-2025-33073 exploitation, dnstool.py, coercion via nxc smb … -M coerce_* targeting the DC using stolen Jiraservices account
- Impact (attempted): Domain controller compromise via relay attacks
Tools & Techniques Observed
- Open-source tooling: enum4linux, netexec/nxc, nmbclient, smbclient, rpcclient, timeroast, ldapsearch, kerbrute, responder, gowitness, testssl, Nmap, wget, curl, Python ftplib.
- Custom tooling: ELF scanner targeting org’s web infra (Firebase, GCM endpoints); NTLM relay Python script.
- Notable exploit: CVE-2025-33073 (Kerberos relay / authentication coercion).
- Related CVE referenced: CVE-2025-53521 (F5 BIG-IP APM; added to CISA KEV per the article’s references). Given the BIG-IP version observed, it is a plausible initial-access vector.
Key MITRE ATT&CK Techniques
- T1190 — Exploit Public-Facing Application (Confluence RCE)
- T1021.004 — Remote Services: SSH
- T1059.004 / T1059.006 — Unix shell / Python
- T1083, T1043 — File and network discovery
- T1105, T1071 — Ingress tool transfer / application-layer C2
- T1222.002 — Linux file permission modification
- T1505 — Server Software Component (webshell on Confluence)
- T1078.002 — Valid Accounts: Domain Accounts (Jiraservices)
- T1187, T1557 — Forced Authentication / AitM (relay)
Sensitive Files Accessed For Credential Theft
- /opt/atlassian/confluence/conf/server.xml
- /var/atlassian/application-data/confluence/confluence.cfg.xml
Recommendations
- Inventory and replace EOL edge appliances; restrict management-plane exposure.
- Patch internal apps (Confluence especially) with internet-facing urgency.
- Disable NTLM where feasible; enforce SMB signing, LDAP signing + channel binding, EPA.
- Enable Defender for Endpoint on Linux with real-time protection consistently.
- Detection opportunities:
• SSH logons sourced from F5 device IPs.
• Java process spawning cat against Confluence server.xml/confluence.cfg.xml.
• Java parent spawning chmod 777 /dev/shm, chmod 777 /tmp, or base64 -d chains.
• Authentication coercion patterns from Linux hosts toward DCs (NTLM/Kerberos relay tells).
- Block the IOCs at their respective controls:
https://www.virustotal.com/gui/collection/f8c83973855e1618c73e8f76d3615fd26655b91957f2ce52ac578b79d812b5dd/iocs
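The first three detection opportunities above, implemented as a small hunt over host telemetry. This is an added example, not code from the advisory or from Microsoft; it assumes standard OpenSSH "Accepted" lines in auth.log and a constructed process-event shape (parent name, process name, command line) such as an EDR export would provide. The F5 appliance IP and all sample lines are constructed placeholders.

```python
import re

# Assumed: your own BIG-IP self/management IPs (constructed placeholder value).
F5_APPLIANCE_IPS = {"10.0.1.10"}

# The two Confluence files the advisory names as credential sources.
CONFLUENCE_CONFIG_FILES = (
    "/opt/atlassian/confluence/conf/server.xml",
    "/var/atlassian/application-data/confluence/confluence.cfg.xml",
)

# Standard OpenSSH successful-logon line.
SSH_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)
CHMOD_STAGING = re.compile(r"chmod\s+777\s+(/dev/shm|/tmp)(\s|$)")

def check_ssh_line(line):
    """Flag SSH logons whose source is an F5 appliance IP."""
    m = SSH_ACCEPTED.search(line)
    if m and m.group("src") in F5_APPLIANCE_IPS:
        return f"SSH logon for {m.group('user')} sourced from F5 appliance {m.group('src')}"
    return None

def check_process_event(event):
    """Flag suspicious children of the Confluence java process."""
    if event["parent_name"] != "java":
        return None
    cmd = event["cmdline"]
    if event["name"] == "cat" and any(p in cmd for p in CONFLUENCE_CONFIG_FILES):
        return "java spawned cat against Confluence config: " + cmd
    if CHMOD_STAGING.search(cmd):
        return "java spawned chmod 777 on staging directory: " + cmd
    if "base64 -d" in cmd or "base64 --decode" in cmd:
        return "java spawned base64 decode chain: " + cmd
    return None

def hunt(auth_lines, events):
    """Run both checks and return every finding as a string."""
    findings = [f for f in map(check_ssh_line, auth_lines) if f]
    findings += [f for f in map(check_process_event, events) if f]
    return findings

# Constructed sample telemetry: one F5-sourced logon, one benign logon,
# three suspicious java children and one benign cat from a shell.
SAMPLE_AUTH_LINES = [
    "May 20 02:14:07 web01 sshd[2211]: Accepted publickey for svcadmin from 10.0.1.10 port 51322 ssh2",
    "May 20 02:15:11 web01 sshd[2240]: Accepted password for alice from 10.0.5.23 port 40022 ssh2",
]
SAMPLE_EVENTS = [
    {"parent_name": "java", "name": "cat", "cmdline": "cat /opt/atlassian/confluence/conf/server.xml"},
    {"parent_name": "java", "name": "sh", "cmdline": "sh -c chmod 777 /dev/shm"},
    {"parent_name": "java", "name": "sh", "cmdline": "sh -c echo aGk= | base64 -d"},
    {"parent_name": "bash", "name": "cat", "cmdline": "cat /etc/hostname"},
]
```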
Source:
- https://www.microsoft.com/en-us/security/blog/2026/05/22/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence/