EXECUTIVE SUMMARY
A growing trend in modern intrusions is the compromise of internet-facing edge appliances such as firewalls and VPN gateways. These systems, traditionally deployed as security boundaries, are increasingly becoming initial access points because critical vulnerabilities in them continue to be discovered and exploited (CVE-2021-44228, CVE-2021-44534). Compromising an edge appliance can provide a durable foothold with limited visibility, as these devices are often externally exposed, lightly monitored, and highly trusted inside enterprise environments. The threat actor behind this incident compromised an internet-facing firewall appliance and used trusted relationships to pivot to an internal Linux host.
The intrusion reached the first Linux host over SSH from a network device identified as an F5 BIG-IP load balancer. Device inventory confirmed the source as an Azure-hosted appliance running a deprecated version of BIG-IP Virtual Edition (VE) affected by CVE-2021-23092. The threat actor authenticated to the Linux server over SSH with privileged accounts and retained that level of access throughout the observed activity without establishing any explicit persistence mechanism. From that host, the malware performed extensive reconnaissance of the host and network, including file enumeration, network scanning, and service discovery.
It aggressively scanned the internal subnets with Nmap to identify live hosts, then ran Nmap against those hosts to detect open services. This threat matters to organisations because it reflects a broader shift toward identity-centric, multi-domain attack chains that span network infrastructure, endpoints, SaaS platforms, cloud workloads, and identity systems. The incident demonstrates that a vulnerable application does not need to be directly exposed to the internet to cause a high-severity compromise. Unpatched internal applications, particularly those running with elevated permissions or trusted identities, represent a critical attack surface and can materially weaken the overall security posture of the environment. Organisations should treat internet-facing edge appliances as Tier-0 assets, enforce lifecycle and patch governance, and harden and patch internal web applications with the same urgency as internet-facing services.
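The two observable stages described above (privileged SSH logins originating from an edge appliance, followed by Nmap-style host sweeps and per-host port scans from the newly accessed Linux host) can be surfaced from ordinary sshd auth logs and connection records. The following Python is an added example written for this summary, not code from the report or from Microsoft; the addresses, hostnames, accounts and log lines are constructed, and the inventory mapping (`EDGE_APPLIANCE_IPS`, `HOST_TO_IP`) is a hypothetical stand-in for whatever asset inventory a SOC actually has.

```python
import re
from collections import defaultdict

# --- Constructed inventory (hypothetical values, not from the report) -----------------
EDGE_APPLIANCE_IPS = {"10.0.0.5"}            # management/egress IP of the BIG-IP VE
PRIVILEGED_ACCOUNTS = {"root", "svc-deploy"}  # accounts that should never originate from an appliance
HOST_TO_IP = {"linux01": "10.0.1.50"}         # sshd logs carry hostnames; flows carry IPs

# --- Constructed sshd auth log (syslog format) -----------------------------------------
AUTH_LOG = """\
May 22 10:01:03 linux01 sshd[2210]: Accepted publickey for alice from 10.0.1.20 port 51022 ssh2: ED25519 SHA256:abc
May 22 10:02:17 linux01 sshd[2241]: Accepted password for root from 10.0.0.5 port 40112 ssh2
May 22 10:02:40 linux01 sshd[2260]: Accepted publickey for svc-deploy from 10.0.0.5 port 40120 ssh2: RSA SHA256:def
May 22 10:05:09 linux01 sshd[2301]: Failed password for bob from 10.0.1.21 port 51100 ssh2
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def suspicious_ssh_logins(log_text, edge_ips=EDGE_APPLIANCE_IPS, privileged=PRIVILEGED_ACCOUNTS):
    """Return successful SSH logins where a privileged account arrived from an edge appliance."""
    hits = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m and m["src"] in edge_ips and m["user"] in privileged:
            hits.append(m.groupdict())
    return hits


# --- Constructed connection records: (HH:MM:SS, src, dst, dst_port) --------------------
FLOWS = [("10:10:00", "10.0.1.50", f"10.0.2.{i}", 22) for i in range(1, 31)]   # host sweep
FLOWS += [("10:12:00", "10.0.1.50", "10.0.2.7", p) for p in                      # service discovery
          (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3306, 3389, 5432, 8080, 8443, 9200, 27017, 6379)]
FLOWS += [("10:13:00", "10.0.1.20", "10.0.2.9", 443)]                            # benign single connection


def _hms_to_seconds(s):
    h, m, sec = (int(x) for x in s.split(":"))
    return h * 3600 + m * 60 + sec


def scan_alerts(flows, window=60, host_threshold=10, port_threshold=10):
    """Bucket flows per source into fixed windows; flag many distinct hosts (sweep)
    or many distinct ports against one host (port scan). Returns uniform 4-tuples."""
    hosts = defaultdict(set)   # (src, bucket) -> distinct destination hosts
    ports = defaultdict(set)   # (src, bucket, dst) -> distinct destination ports
    for ts, src, dst, dport in flows:
        bucket = _hms_to_seconds(ts) // window
        hosts[(src, bucket)].add(dst)
        ports[(src, bucket, dst)].add(dport)
    alerts = []
    for (src, _), dsts in hosts.items():
        if len(dsts) >= host_threshold:
            alerts.append(("host_sweep", src, "*", len(dsts)))
    for (src, _, dst), ps in ports.items():
        if len(ps) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(ps)))
    return sorted(alerts)


def correlate(ssh_hits, alerts, host_to_ip=HOST_TO_IP):
    """Keep only scan alerts whose source host previously received a privileged login
    from an edge appliance: the edge-pivot-then-recon chain, not just noisy scanning."""
    pivot_ips = {host_to_ip[h["host"]] for h in ssh_hits if h["host"] in host_to_ip}
    return [a for a in alerts if a[1] in pivot_ips]


if __name__ == "__main__":
    hits = suspicious_ssh_logins(AUTH_LOG)
    alerts = scan_alerts(FLOWS)
    for h in hits:
        print(f"[ssh] {h['ts']} {h['user']}@{h['host']} from edge appliance {h['src']} ({h['method']})")
    for a in correlate(hits, alerts):
        print("[chain] edge pivot followed by recon:", a)
```

Thresholds are deliberately low here so the constructed sample trips them; in production they should be tuned against a baseline of legitimate scanners and monitoring hosts, and the window should track the collection interval of the flow source (conntrack, NetFlow, or a host firewall log). The correlation step is the part that matters most operationally: a port scan on its own is common background noise, but a scan from a host that just accepted a `root` login from a load balancer is the signal the incident summary describes.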
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1595 | Active Scanning | — |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Credential Access | T1552.002 | Unsecured Credentials | Credentials in Registry |
| Credential Access | T1187 | Forced Authentication | — |
| Discovery | T1046 | Network Service Discovery | — |
| Discovery | T1083 | File and Directory Discovery | — |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The reports contain further technical details:
https://www.microsoft.com/en-us/security/blog/2026/05/22/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence/
https://cybersecuritynews.com/f5-big-ip-exploited-for-ssh-access/