Overview of MITRE ATT&CK Tactic: TA0040 - Impact
This article focuses on the Impact tactic and the techniques adversaries use to manipulate, disrupt or damage systems and data once they reach the final stage of an attack. It is one of the critical tactics, as it highlights the adverse effects attackers can cause, including exploitation, operational disruption, data destruction, or financial gain.

Forwarding Logs to SIEM Tools via HTTP Proxy for F5 Distributed Cloud Global Log Receiver
Purpose

This guide provides a solution for forwarding logs to SIEM tools that support syslog but lack HTTP/HTTPS ingestion capabilities. It covers the deployment and tuning of an HTTP proxy log receiver configured to work with the F5 Distributed Cloud (XC) Global Log Receiver settings.

Audience

This guide is intended for technical professionals, including SecOps teams and Solution Architects, who are responsible for integrating SIEM tools with the F5 XC Global Log Receiver. Readers should have a solid understanding of HTTP communication (methods, request body, reverse proxy), syslog, and data center network architecture. Familiarity with F5 XC concepts such as namespaces, log types, events, and XC-GLR is also required.

Introduction

Problem statement: SIEM tools often support syslog ingestion but lack HTTP/HTTPS log reception capabilities.

Objective: Explain how to deploy and configure an HTTP proxy that receives logs pushed by the F5 Distributed Cloud Global Log Receiver and forwards them to the SIEM over syslog.

Solution Overview

Architecture diagram and workflow:

Configuration Steps

1. Configure the Global Log Receiver in the F5 Distributed Cloud Console
   - Navigate to Home → Shared Configuration → Global Log Receiver.
   - Create or edit the Global Log Receiver settings for an HTTP receiver.
   - Ensure the Global Log Receiver batch size is set according to the payload size that F5 NGINX is tuned to accept.
   Example configuration snapshot:

2. Set Up NGINX as an HTTP Log Receiver
   - Install NGINX on your designated server.
   - Configure the log_format, and configure NGINX to accept HTTP POST requests only and forward the access log to syslog. Example configuration snippet:

log_format custom_log_format_1 escape=json $request_body;   # Example: include the request body only

server {
    listen 443 ssl;
    server_name <logreceiver_server_name>;
    ssl_certificate /etc/ssl/<logreceiver_server_cert>;
    ssl_certificate_key /etc/ssl/<logreceiver_server_key>;
    # Other SSL/TLS configurations (e.g., protocols, ciphers)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    client_body_in_single_buffer on;   # recommended when using the $request_body variable, to reduce the number of copy operations
    client_body_in_file_only off;      # default
    client_max_body_size 32M;          # based on tuning
    gzip on;

    location /log_endpoint {
        # Allow only POST requests for sending log data
        limit_except POST {
            deny all;
        }
        # Alternative: write the incoming data to a file instead of syslog
        # access_log /var/log/nginx/log_receiver.log custom_log_format_1;
        access_log syslog:server=127.0.0.1:514,facility=local7,tag=nginx,severity=info custom_log_format_1;
        proxy_pass http://localhost:8091/;   # this dummy internal server is required so that the request body is read and $request_body is populated
    }
}

# dummy internal server to respond back 200 OK
server {
    listen 8091;
    server_name localhost;
    location / {
        return 200 "Log received successfully.";
    }
}

3. Set Up the rsyslog server
   - Install/configure rsyslog on your designated server. rsyslog must be configured to listen for UDP syslog on 127.0.0.1:514 (its imudp input module), since that is where the NGINX access_log directive above sends its messages.
   - Configure the 60-nginx.conf file in the /etc/rsyslog.d/ directory.
   Sample 60-nginx.conf file:

#nginx.* @@127.0.0.1:514
:syslogtag, isequal, "[nginx]" /var/log/nginx-syslog/nginx-access-log.log

References

The F5 Distributed Cloud Global Log Receiver supports many log receivers natively: see the F5 Distributed Cloud Technical Knowledge page "Configure Global Log Receiver".

Prerequisites

An external log collection system reachable publicly.
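To verify what actually lands in nginx-access-log.log, here is an added Python example (written for this guide, not part of the original article) that reads lines in rsyslog's default file format, reverses NGINX's escape=json encoding and parses each Global Log Receiver batch back into records. It assumes the default rsyslog line template ("<timestamp> <host> nginx: <body>") and that a batch is either a JSON array or newline-delimited JSON; the log lines are constructed samples.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Any, Iterable

# One line as rsyslog writes it with its default file template for a message
# that NGINX sent with tag=nginx (assumption: 60-nginx.conf uses the default
# template, as in the sample above, so the line is "<timestamp> <host> nginx: <body>").
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) nginx: (?P<msg>.*)$"
)


@dataclass
class IngestResult:
    records: list[dict[str, Any]] = field(default_factory=list)
    skipped: int = 0    # lines carrying another syslog tag
    malformed: int = 0  # nginx lines whose body did not decode as JSON


def unescape_nginx_json(msg: str) -> str:
    # log_format ... escape=json emits only escapes that are legal inside a JSON
    # string literal (backslash before " and \, the \n \r \t \b \f forms and
    # \u00XX for other control bytes), so wrapping the message in quotes and
    # decoding it as a single JSON string restores the original request body.
    return json.loads('"' + msg + '"')


def parse_batch(body: str) -> list[dict[str, Any]]:
    # Assumption: a Global Log Receiver batch is either one JSON array of log
    # records or newline-delimited JSON objects; both shapes are accepted.
    body = body.strip()
    if body.startswith("["):
        records = json.loads(body)
    else:
        records = [json.loads(line) for line in body.splitlines() if line.strip()]
    if not all(isinstance(r, dict) for r in records):
        raise ValueError("batch element is not a JSON object")
    return records


def records_from_syslog_lines(lines: Iterable[str]) -> IngestResult:
    """Walk the rsyslog output file and recover every log record it carries."""
    result = IngestResult()
    for line in lines:
        m = SYSLOG_LINE.match(line.rstrip("\n"))
        if m is None:
            result.skipped += 1          # not from the nginx tag: leave it alone
            continue
        try:
            result.records.extend(parse_batch(unescape_nginx_json(m.group("msg"))))
        except ValueError:               # json.JSONDecodeError is a ValueError
            result.malformed += 1
    return result


# Constructed sample lines in the shape rsyslog would write for the config above.
SAMPLE_SYSLOG_LINES = [
    # a batch delivered as a JSON array of two records
    r'Dec 10 09:15:02 logreceiver nginx: [{\"type\":\"access\",\"req_path\":\"/api/login\",\"rsp_code\":403,\"src_ip\":\"203.0.113.7\"},{\"type\":\"access\",\"req_path\":\"/\",\"rsp_code\":200,\"src_ip\":\"198.51.100.9\"}]',
    # a batch delivered as NDJSON; nginx escaped the newline between records as \n
    r'Dec 10 09:15:03 logreceiver nginx: {\"type\":\"security\",\"action\":\"block\",\"req_path\":\"/etc/passwd\"}\n{\"type\":\"security\",\"action\":\"allow\",\"req_path\":\"/healthz\"}',
    # a POST whose body was not JSON: counted, not crashed on
    r'Dec 10 09:15:04 logreceiver nginx: not json',
    # a message from another tag that ended up in the same file
    r'Dec 10 09:15:05 logreceiver sshd[4242]: Accepted publickey for ops',
]


if __name__ == "__main__":
    summary = records_from_syslog_lines(SAMPLE_SYSLOG_LINES)
    print(f"{len(summary.records)} records, {summary.malformed} malformed, {summary.skipped} skipped")
    for rec in summary.records:
        print(rec)
```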
The following IP address ranges must be added to your firewall's allowlist:
193.16.236.64/29
185.160.8.152/29

Service Extensions with SSL Orchestrator: Advanced Blocking Pages
Introduction

Service Extensions are a new programmable capability in F5 BIG-IP SSL Orchestrator (as of F5 BIG-IP 17.0) that allow for customizable behaviors on decrypted HTTP traffic directly from within the Service Chain. In this article you will learn how to download, install, and configure the policy that enables the "Advanced Blocking Pages" Service Extension.

Demo Video

What are Advanced Blocking Pages?

Advanced Blocking Pages allow for easy customization of the block page as well as flexible policy options to trigger specific block pages. This Service Extension creates a Service that returns a block page when placed into a Service Chain. It can also apply iRule logic to dynamically inject the contents of a blocking page.

Deployment Prerequisites

- F5 BIG-IP version 17.1.x
- SSL Orchestrator version 11.1+

This article assumes you have an SSL Orchestrator configured with a Topology and Service Chain.

Advanced Blocking Pages Service Extension Installation

The information below is from the GitHub repository for the Advanced Blocking Pages Service Extension. It includes an installer to create all the necessary objects.

Download the installer:

curl -sk https://raw.githubusercontent.com/f5devcentral/sslo-service-extensions/refs/heads/main/advanced-blocking-pages/advanced-blocking-pages-installer.sh -o advanced-blocking-pages-installer.sh

The -k flag makes curl skip TLS certificate verification for this download; omit it if the BIG-IP can validate the GitHub certificate chain.

Make the script executable:

chmod +x advanced-blocking-pages-installer.sh

Export the BIG-IP username and password:

export BIGUSER='admin:password'

Note: replace "password" with your actual BIG-IP admin password.

Run the script to create all the Advanced Blocking Pages objects:

./advanced-blocking-pages-installer.sh

The installer creates a new Inspection Service named "ssloS_F5_Advanced-Blocking-Pages". Add this Inspection Service to any Service Chain that can receive decrypted HTTP traffic.
Service Extension Services only trigger on decrypted HTTP, so they can be inserted into Service Chains that may also see TLS bypass traffic (not decrypted). SSL Orchestrator simply bypasses this Service for anything that is not decrypted HTTP. After following the steps above, the SSL Orchestrator screen should look like this:

Customizing Functionality

To customize the functionality of the Blocking Pages we'll start by editing an iRule.
- Navigate to Local Traffic > iRules > iRule List.
- Click on the iRule named "advanced-blocking-pages-rule" (you may need to expand the iRule List).
- To enable the Advanced Blocking Pages, set the value for "GLOBAL_BLOCK" from 0 to 1.
- Click Update.

NOTE: We'll go over the other customization options later in this article.

Move the Advanced-Blocking-Pages Service to a Service Chain
- Go to the SSL Orchestrator Configuration screen.
- Click Service Chains, then Add.
  NOTE: For testing purposes, it is recommended to create a new Service Chain and add the Advanced-Blocking-Pages Service to it.
- Give it a name, "AdvancedBlocking" in this example.
- Select the ssloS_F5_Advanced-Blocking-Pages Service and click the arrow to move it to the right.
- Click Deploy.
- Click OK.

Edit the Security Policy
- From the Configuration screen, select Security Policies, then click the policy you want to edit, "L3_Outbound" in this example.
- Click Add to add a Rule.
- Give the Rule a name, "BlockThreats" in this example.
- Configure the Rule Conditions by selecting Category Lookup (All).
- Select the Categories you wish to block by clicking in the "Click to select" field.
- Select all Malware-related categories. These are:
  Advanced Malware Command and Control
  Advanced Malware Payloads
  Malicious Embedded Link
  Malicious Embedded iFrame
  Malicious Web Sites
  Mobile Malware
  You may want to consider adding the following Categories, too:
  Spyware and Adware
  Suspicious
  NOTE: For testing purposes, it is safer to add a category like "Alcohol and Tobacco" to the above rule in order to test its efficacy.
- Set the Action to Allow (this is counterintuitive: the traffic must be allowed so that it reaches the Service Chain, where the Advanced Blocking Pages Service returns the block page).
- Set the SSL Proxy Action to Intercept.
- Set the Service Chain to the one created previously, "AdvancedBlocking".
- Click OK.

The Security Policy should look like this:

- Click Deploy.
- Click Deploy.
- Click OK.

Test the Advanced Blocking Page

Assuming you have added the "Alcohol and Tobacco" Category to the Security Policy, go to a client computer and test it now. An attempt to view the Products page on www.marlboro.com results in the following:

Note: remember to remove the "Alcohol and Tobacco" category from the Security Policy.

Customizing the Blocking Page

First, you need an HTML file to use as the custom Blocking Page. You can use a sample file from the GitHub repository: expand the folder "blocking-page-samples", click "blocking-page-sample1.html", then click the Download button on the right.

To customize the Blocking Page, go to System > File Management > iFile List > Import. Choose the Blocking Page sample file in your Downloads folder. Choose Overwrite Existing, then click Import.

Test the Blocking Page again and it should look like the following:

Injecting Dynamic Messages

To inject a dynamic message in the block page, edit the "advanced-blocking-pages-rule" iRule.
Find "set static::GLOBAL_BLOCK_MESSAGE" in the iRule and replace all the text within the quotation marks. Click Update when done.

Test the Blocking Page again and it should look like the following:

Handling Server-Side Certificate Errors

SSL Orchestrator can also be customized to handle different server-side certificate validation errors. To configure this, start by editing the SSL Configuration.
- Click the Edit icon.
- Click Show Advanced Settings.
- Near the bottom, set Expire Certificate Response and Untrusted Certificate Authority from Drop to Mask.
- Click Save & Next when done.

The Mask option tells SSL Orchestrator to send a good/valid certificate to the client when these certificate errors occur. This allows a custom blocking page to be presented to the client instead of a browser certificate error.
- Click OK.
- Click Deploy.
- Click OK.

Next, edit the Interception Rule for this Topology.
- Click the Edit icon.
- In the Resources section near the bottom, move the "ssl-tls-verify-rule" from Available to Selected.
- Click Save & Next.
- Click Deploy.
- Click OK.

NOTE: The blocking page iRule (when GLOBAL_BLOCK is 0) reads the context array variable set by ssl-tls-verify-rule and triggers the blocking page if the certificate verification code is not 'ok'. It also injects the verification code string into the page.
You can test this using the site https://badssl.com. Under Certificate, try "expired" and "self-signed".

Example of Expired Certificate:

Example of Self-Signed Certificate:

Handling Custom Blocking Page Triggers

The included iRule is intentionally sparse and covers the two primary blocking page use cases (global blocking and server-side certificate validation errors):

when HTTP_REQUEST {
    if { $static::GLOBAL_BLOCK } {
        call GEN_BLOCK_PAGE ${static::GLOBAL_BLOCK_MESSAGE}
        event disable all
    } else {
        sharedvar ctx
        if { ( [info exists ctx(tlsverify)] ) and ( $ctx(tlsverify) ne "ok" ) } {
            call GEN_BLOCK_PAGE "This request has been blocked due to a server side TLS issue: <br /></br>[string toupper $ctx(tlsverify)]"
            event disable all
        }
    }
}

To customize this for additional triggers, add iRule logic inside the "else" block as required:

if { some-condition } {
    call GEN_BLOCK_PAGE "message to send into blocking page `receive_msg` variable"
    event disable all
}

Conclusion

SSL Orchestrator Advanced Blocking Pages allow for easy customization of the block page as well as flexible policy options to trigger specific block pages.

Related Content
- Service Extensions with SSL Orchestrator: SaaS Tenant Isolation
- Service Extensions with SSL Orchestrator: User Coaching of AI
- SSL Orchestrator Service Extensions: DoH Guardian
- Office 365 Tenant Restrictions
- Introduction to BIG-IP SSL Orchestrator
- Integrating Security Solutions with F5 BIG-IP SSL Orchestrator
Overview of MITRE ATT&CK Tactic - TA0010 Exfiltration
Introduction

Data theft is the ultimate objective through which attackers monetize their presence within a victim network. Once valuable information is identified and collected, the attackers can package sensitive data, bypass perimeter defences, and finalize the breach. Exfiltration (MITRE ATT&CK Tactic TA0010) represents a critical stage of the adversary lifecycle, where adversaries focus on extracting data from the systems under their control. There are multiple ways to achieve this, such as using encryption and compression to avoid detection or reusing the command-and-control channel to blend in with normal network traffic. To prevent this data loss, defenders need to understand how data is transferred from any system in the network and the transmission limits adversaries impose on themselves to maintain stealth. This article walks through the most common Exfiltration techniques and how F5 solutions provide strong defense against them.

T1020 – Automated Exfiltration
Adversaries may use automated processing to exfiltrate the sensitive data gathered during the Collection stage.

T1020.001 – Traffic Duplication
Traffic mirroring is a native feature of some network devices intended for traffic analysis; adversaries can abuse it to automate data exfiltration.

T1030 – Data Transfer Size Limits
Data is exfiltrated in fixed-size chunks instead of whole files to avoid triggering network data transfer threshold alerts.

T1048 – Exfiltration Over Alternative Protocol
Data is stolen over a protocol or channel different from the command-and-control channel established by the adversary.

T1048.001 – Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Symmetric encryption uses the same shared key on both ends of the channel, which requires the value used to encrypt and decrypt the data to be exchanged beforehand.
Symmetric algorithms such as RC4 or AES are often baked into the protocols themselves, so the exfiltrated data may end up under multiple layers of encryption.

T1048.002 – Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Asymmetric encryption algorithms (public-key cryptography) use a pair of cryptographic keys, where data encrypted with one key can only be decrypted with the corresponding key held at the other end of the channel.

T1048.003 – Exfiltration Over Unencrypted Non-C2 Protocol
Instead of encrypting, adversaries may obfuscate the data within an unencrypted network protocol, using custom or publicly available encoding or compression algorithms (base64, hex encoding) and embedding the data in the protocol's traffic.

T1041 – Exfiltration Over C2 Channel
Adversaries can also steal data over the command-and-control channel, encoding the data into the channel's normal communications.

T1011 – Exfiltration Over Other Network Medium
Exfiltration can also occur over a network medium different from the command-and-control channel: if the C2 channel is a wired Internet connection, data may leave over a WiFi connection, modem, cellular data connection or Bluetooth.

T1011.001 – Exfiltration Over Bluetooth
Bluetooth can be used to exfiltrate data instead of the command-and-control channel, for example when the command-and-control channel is a wired Internet connection.

T1052 – Exfiltration Over Physical Medium
Under circumstances such as an air-gapped network compromise, exfiltration occurs through a physical medium, for example a removable drive. Examples of such media include external hard drives, USB drives, cellular phones, or MP3 players.

T1052.001 – Exfiltration Over USB
The adversary may attempt to exfiltrate data over a USB-connected physical device, which can serve as the final exfiltration point or as a means to hop between other disconnected systems.
T1567 – Exfiltration Over Web Services
Adversaries may use a legitimate external web service to exfiltrate data instead of their command-and-control channel.

T1567.001 – Exfiltration to Code Repository
Data is exfiltrated to a code repository rather than over the adversary's command-and-control channel. These code repositories are accessible via an API over HTTPS.

T1567.002 – Exfiltration to Cloud Storage
Data is exfiltrated to a cloud storage service rather than over the primary command-and-control channel. These services allow storage, editing and retrieval of the exfiltrated data.

T1567.003 – Exfiltration to Text Storage Sites
Data is exfiltrated to a text storage site rather than over the primary command-and-control channel. Such sites, like pastebin[.]com, are commonly used by developers to share code.

T1567.004 – Exfiltration Over Webhook
Adversaries also exfiltrate data to a webhook endpoint, a simple mechanism that lets a server push data over HTTP/S to a client. Webhooks are supported by many public services, such as Discord and Slack, and can be driven by other services like GitHub, Jira, or Trello.

T1029 – Scheduled Transfer
Adversaries may schedule data exfiltration only at certain times of the day or at certain intervals, blending the traffic with normal activity patterns.

T1537 – Transfer Data to Cloud Account
Data can also be exfiltrated by sharing, syncing or backing up a cloud environment to another cloud account on the same service that is under the adversary's control.

How F5 Can Help

F5 offers a comprehensive suite of security solutions designed to safeguard applications and APIs across diverse environments, including cloud, edge, on-premises, and hybrid platforms.
These solutions enable robust risk management to mitigate and protect against MITRE ATT&CK Exfiltration threats, delivering capabilities such as:

Web Application Firewall (WAF): Available across all F5 products, the WAF is a flexible, multi-layered security solution that protects web applications from a wide range of threats. It delivers consistent defense whether applications are deployed on-premises, in the cloud, or in hybrid environments.

HTTPS Encryption: F5 provides robust HTTPS encryption to secure sensitive data in transit, ensuring protected communication between users and applications and preventing unauthorized access or data interception.

Protecting sensitive data with Data Guard: F5's WAF Data Guard feature prevents sensitive data leakage by detecting and blocking exposure of confidential information, such as credit card numbers and PII. It uses predefined patterns and customizable policies to identify transmissions of sensitive data in application responses or inputs. This proactive mechanism secures applications against data theft and helps ensure compliance with regulatory standards.

For more information, please contact your local F5 sales team.

Conclusion

Adversaries' exfiltration of data aims to steal sensitive information by packaging it to evade detection, using methods such as compression or encryption. They may transfer the data through command-and-control channels or alternate paths while applying stealth techniques like transmission size limitations. To defend against these threats, F5 provides a layered approach with its advanced offerings. The Web Application Firewall (WAF) identifies and neutralizes malicious traffic aimed at exploiting application vulnerabilities. HTTPS encryption ensures secure data transmission, preventing unauthorized interception during the attack. Meanwhile, a Data Guard policy helps detect and block exposure of confidential information, such as credit card numbers and PII.
Together, these F5 solutions effectively counteract data exfiltration attempts and safeguard critical assets.

Reference links
- MITRE | ATT&CK Tactic 10 – Exfiltration
- MITRE ATT&CK: What It Is, How It Works, Who Uses It and Why | F5 Labs
- MITRE ATT&CK®

F5 Threat Report - December 10th, 2025
JPCERT Confirms Active Command Injection Attacks on Array AG Gateways

JPCERT/CC has confirmed active command injection attacks targeting Array Networks AG Series secure access gateways, exploiting a vulnerability in the DesktopDirect feature since August 2025. The flaw, which currently lacks a CVE identifier, affects ArrayOS versions 9.4.5.8 and earlier and allows attackers to execute arbitrary commands and drop web shells; the observed attacks originated from the IP address 194.233.100[.]138. Array Networks released a fix on May 11, 2025, in ArrayOS version 9.4.5.9, and users are advised to apply this update promptly; alternatively, disabling the DesktopDirect service or implementing URL filtering that denies access to URLs containing semicolons can serve as a mitigation. While a separate authentication bypass flaw (CVE-2023-28461) in the same product was previously exploited by the China-linked MirrorFace group, there is no current evidence connecting that group to these latest command injection incidents.
Severity: High

Sources
- https://buaq.net/go-379737.html
- https://cyberpress.org/arrayos-ag-vpn-vulnerability/
- https://gbhackers.com/arrayos-ag-vpn/
- https://thecyberexpress.com/cve-2023-28461-jpcert-array-gateway-warning/
- https://thehackernews.com/2025/12/jpcert-confirms-active-command.html
- https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/

Threat Details and IOCs
Malware: Agenda, Albiriox, PoisonPlug, Qilin, Sha1-Hulud, ShadowPad, Shai-Hulud
CVEs: CVE-2023-28461
Technologies: Array Networks AG Series, Array Networks ArrayOS, Array Networks vxAG, PHP
Threat Actors: APT10, EarthKasha, MirrorFace
Attacker Countries: China
Attacker IPs: 194.233.100.138
Victim Industries: Aerospace, Defense, E-commerce, Education, Energy, Financial Services, Government, Healthcare, Information and Communication, Manufacturing, Multimedia, Public Sector, Semiconductors, Technology Hardware, Telecommunications, Utilities
Victim Countries: China, India, Japan, Taiwan, United States

Mitigation Advice
- Update all Array Networks AG Series gateways to ArrayOS version 9.4.5.9 or later to remediate the command injection vulnerability.
- If patching Array AG gateways to version 9.4.5.9 is not immediately feasible, disable the 'DesktopDirect' feature on all vulnerable devices.
- Configure your perimeter firewall or Web Application Firewall (WAF) to block all inbound HTTP/HTTPS requests to Array AG gateways that contain a semicolon character (';') in the URL.
- Add the IP address 194.233.100.138 to your network firewall's blocklist to deny all inbound and outbound traffic.
- Scan the file systems of all Array AG gateways for indicators of compromise, such as recently created or modified web shell files (e.g., .php, .asp) in web-accessible directories.
Compliance Best Practices
- Establish a formal patch management policy that mandates regular vulnerability scanning of all internet-facing systems and defines strict service-level agreements (SLAs) for applying critical security patches.
- Implement a recurring configuration review process for all network security appliances to identify and disable any non-essential features and services, thereby minimizing the device's attack surface.
- Design and implement a DMZ network segment for all internet-facing services, including secure access gateways, and enforce strict firewall rules that only permit essential, pre-approved traffic between the DMZ and the internal corporate network.
- Configure all internet-facing appliances to forward detailed system, process, and network logs to a centralized SIEM, and develop detection rules to alert on anomalous file creation, command execution, and unusual outbound connections.

LangChain Prompt Template Injection Vulnerability: Property Access (CVE-2025-65106)

A prompt template injection vulnerability has been discovered in the LangChain `langchain-core` package, affecting versions up to `1.0.6` and `0.3.79`, with fixes released in versions `1.0.7` and `0.3.80`. Identified as CVE-2025-65106 and GHSA-6qv9-48xg-fc7f, the vulnerability allows an attacker who can control the template string itself, rather than only the template variables, to access Python object attributes, internal properties, and sensitive information, potentially escalating to more severe attacks. The flaw affects the F-string, Mustache, and Jinja2 template formats and stems from attribute access in F-strings, the `getattr()` fallback in Mustache, and insufficient sandboxing in Jinja2. Applications are at high risk if they accept untrusted template strings, dynamically construct prompts based on user input, or allow users to customize or create prompt templates.
Remediation requires updating to the patched `langchain-core` versions, auditing code for any template strings that originate from untrusted sources, and keeping a clear separation between template structure and user-provided data. The specific fixes are: F-string validation that restricts variable names to simple Python identifiers, strict type checking for Mustache that limits object traversal to dict, list, and tuple types, and a new `_RestrictedSandboxedEnvironment` for Jinja2 that blocks all attribute and method access.

Severity: High

Sources
- https://buaq.net/go-379721.html

Threat Details and IOCs
CVEs: CVE-2025-65106
Technologies: Jinja2, LangChain LangGraph, Python
Victim Industries: E-commerce, Financial Services, Healthcare, Legal Services, Retail, Software

Mitigation Advice
- Update all instances of the `langchain-core` Python package to version 1.0.7 or 0.3.80 or newer to patch the template injection vulnerability (GHSA-6qv9-48xg-fc7f).
- Audit your codebase to identify all applications using LangChain's `ChatPromptTemplate`. Prioritize remediation for any applications found to accept template strings from untrusted sources.

Compliance Best Practices
- Enforce a secure coding standard for all AI/LLM applications that strictly separates the prompt template structure from user-provided data. Ensure that user input can only populate predefined variables within a static, developer-controlled template.
- During application design and code reviews, challenge the necessity of string-based prompt templating. Where possible, refactor applications to use direct message objects (e.g., `HumanMessage`, `AIMessage`) to eliminate the risk of template injection vulnerabilities.
- Create a development policy that restricts the use of the Jinja2 template format (`template_format="jinja2"`) in LangChain to instances where the template content is hardcoded or originates from a fully trusted, internally controlled source.
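As an added illustration of the F-string fix described above (example code written for this report, not langchain-core's own implementation), the following stand-alone Python shows why a caller-controlled template string is dangerous under str.format semantics and how restricting field names to simple identifiers closes that path; the UserProfile class, the templates and the token value are constructed for the demonstration.

```python
import re
import string
from dataclasses import dataclass

# The only field shape the hardened renderer accepts: a plain Python identifier.
# Anything else ("{x.attr}", "{x[0]}", "{0}", "{}") is refused before formatting.
SIMPLE_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeTemplateError(ValueError):
    """The template string tries to reach beyond its declared variables."""


def template_fields(template: str) -> list[str]:
    # string.Formatter.parse yields (literal_text, field_name, format_spec,
    # conversion). A format_spec may itself contain fields ("{x:{y.__dict__}}"),
    # so it is parsed recursively; otherwise that path would be missed.
    fields: list[str] = []
    for _literal, field_name, format_spec, _conversion in string.Formatter().parse(template):
        if field_name is not None:
            fields.append(field_name)
        if format_spec:
            fields.extend(template_fields(format_spec))
    return fields


def validate_template(template: str) -> list[str]:
    """Return the field names, or raise if any is not a simple identifier."""
    fields = template_fields(template)
    unsafe = sorted({f for f in fields if not SIMPLE_IDENTIFIER.match(f)})
    if unsafe:
        raise UnsafeTemplateError(f"fields are not simple identifiers: {unsafe}")
    return fields


def unsafe_render(template: str, **variables: object) -> str:
    # Pre-fix behaviour: str.format follows attribute and item access written
    # in the template, so whoever controls the template string can read
    # through any object bound to a variable.
    return template.format(**variables)


def safe_render(template: str, **variables: object) -> str:
    # Post-fix behaviour: validate first, then format with the declared
    # variables only. Data bound to a variable can no longer be traversed.
    fields = validate_template(template)
    missing = sorted(set(fields) - set(variables))
    if missing:
        raise KeyError(f"template references undeclared variables: {missing}")
    return template.format(**variables)


# Constructed objects for the demonstration (not from the advisory).
@dataclass
class UserProfile:
    display_name: str
    api_token: str   # must never end up in a prompt


TRUSTED_TEMPLATE = "Summarise the account of {name} in one sentence."
# A template string supplied by someone who controls the template, not just its variables:
ATTACKER_TEMPLATE = "Summarise the account of {profile.__dict__} in one sentence."


def demo() -> dict[str, object]:
    profile = UserProfile(display_name="alice", api_token="tok_constructed_example")
    leaked_prompt = unsafe_render(ATTACKER_TEMPLATE, profile=profile)
    try:
        safe_render(ATTACKER_TEMPLATE, profile=profile)
        blocked = False
    except UnsafeTemplateError:
        blocked = True
    return {
        "token_leaked_by_unsafe_render": profile.api_token in leaked_prompt,
        "attacker_template_blocked": blocked,
        "trusted_output": safe_render(TRUSTED_TEMPLATE, name=profile.display_name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```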
Chinese State-Sponsored Actors Deploy Brickstorm Backdoor in US Critical Networks for Years

Chinese state-sponsored actors, tracked as UNC5221 by Mandiant and Warp Panda by CrowdStrike, have maintained long-term access, sometimes for years, within critical US networks, including at least eight government services and IT organizations and dozens of other entities across the legal, SaaS, business process outsourcing, technology, and manufacturing sectors. These groups deployed the sophisticated, cross-platform Brickstorm backdoor, which operates across Linux, VMware, and Windows environments, alongside new Go-based implants named Junction (for VMware ESXi, listening on port 8090) and GuestConduit (for guest VMs, using VSOCK on port 5555). Initial access was often gained by exploiting internet-facing edge devices, followed by pivoting to vCenter environments using valid credentials or vulnerabilities. Once inside, the adversaries stole cryptographic keys from domain controllers and Active Directory Federation Services servers, accessed and exfiltrated sensitive data from Microsoft Azure environments (OneDrive, SharePoint, Exchange), and established persistence by registering new multi-factor authentication devices. Warnings from CISA, the NSA, and the Canadian Cyber Security Centre, along with reports from Google Threat Intelligence (Mandiant) and CrowdStrike, highlight the ongoing threat and the actors' evolving techniques; Palo Alto Networks' Unit 42 is also monitoring the activity.
Severity: Critical

Sources
- https://cyberpress.org/china-nexus-hackers/
- https://federalnewsnetwork.com/cybersecurity/2025/12/agencies-it-companies-impacted-by-latest-malware-from-china/
- https://gbhackers.com/vmware-vcenter-systems/
- https://industrialcyber.co/cisa/cisa-nsa-sound-alarm-on-brickstorm-backdoor-used-by-china-linked-actors-targeting-vmware-windows-systems/
- https://securitybrief.asia/story/warp-panda-cyberespionage-group-targets-us-cloud-networks
- https://thecyberexpress.com/cisa-prc-hackers-target-vmware-with-brickstorm/
- https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/
- https://www.cisa.gov/news-events/alerts/2025/12/04/prc-state-sponsored-actors-use-brickstorm-malware-across-public-sector-and-information-technology
- https://www.cisa.gov/news-events/analysis-reports/ar25-338a
- https://www.cisa.gov/news-events/news/cisa-nsa-and-cyber-centre-warn-critical-infrastructure-brickstorm-malware-used-peoples-republic
- https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/
- https://www.darkreading.com/cyberattacks-data-breaches/cisa-ongoing-brickstorm-backdoor-attacks
- https://www.hendryadrian.com/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/
- https://www.infosecurity-magazine.com/news/chinalinked-warp-panda/
- https://www.safebreach.com/blog/safebreach-coverage-for-updated-cisa-ar25-338a-brickstorm-backdoor/
- https://www.securityweek.com/us-organizations-warned-of-chinese-malware-used-for-long-term-persistence/
- https://www.theregister.com/2025/12/04/prc_spies_brickstrom_cisa/

Threat Details and IOCs
Malware: BRICKSTEAL, BrickStorm, BRICKSTORM, GuestConduit, Junction, RESURGE, SPAWN, SPAWNANT, SPAWNCHIMERA, SPAWNMOLE, SPAWNSNAIL, ZIPLINE
CVEs: CVE-2021-22005, CVE-2023-34048, CVE-2023-46747, CVE-2023-46805, CVE-2023-4966, CVE-2024-21887, CVE-2024-21893, CVE-2024-38812, CVE-2025-0282, CVE-2025-22457
Technologies:
BSD, F5 BIG-IP, Ivanti Connect Secure, Ivanti Policy Secure, Linux, Microsoft 365, Microsoft Active Directory, Microsoft Azure, Microsoft Windows, Microsoft Windows Server, VMware ESXi, VMware vCenter Server, VMware vSphere Threat Actors: RedDev61, Unc5221, Uta0178, WarpPanda Attacker Countries: China Attacker IPs: 1.0.0.1, 1.1.1.1, 149.112.112.11, 149.112.112.112, 149.28.120.31, 208.83.233.14, 45.90.28.160, 45.90.30.160, 8.8.4.4, 8.8.8.8, 9.9.9.11, 9.9.9.9 Attacker URLs: https://1.0.0.1/dns-query, https://1.1.1.1/dns-query, https://149.112.112.112/dns-query, https://149.112.112.11/dns-query, https://45.90.28.160/dns-query, https://45.90.30.160/dns-query, https://8.8.4.4/dns-query, https://8.8.8.8/dns-query, https://9.9.9.11/dns-query, https://9.9.9.9/dns-query Attacker Hashes: 013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf, 0a4fa52803a389311a9ddc49b7b19138, 10d811029f6e5f58cd06143d6353d3b05bc06d0f, 18f895e24fe1181bb559215ff9cf6ce3, 22c15a32b69116a46eb5d0f2b228cc37cd1b5915a91ec8f38df79d3eed1da26b, 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759, 39111508bfde89ce6e0fe6abe0365552, 39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46, 40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557, 40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042, 44a3d3f15ef75d9294345462e1b82272b0d11985, 4c52caf2e5f114103ed5f60c6add3aa26c741b07869bb66e3c25a1dc290d4a8bf87c42c336e8ac8ebf82d9a9b23eaa18c31f7051a5970a8fe1125a2da890340f, 57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d, 5e654776e9c419e11e6f93a452415a601bd9a2079710f1074608570e498a9af37b81bb57c98cb8bb626c5ee4b3e35757d3ae8c1c3717f28d9f3fe7a4cebe0608, 659205fa2cfa85e484c091cc2e85a7ec4e332b196e423b1f39bafdc8fca33e3db712bbe07afcc091ff26d9b4f641fa9a73f2a66dce9a0ced54ebeb8c2be82a7f, 65ebf5dfafb8972ffead44271436ec842517cfaaf3d1f1f1237a32d66e1d280943bd3a69f1d539a1b7aca6152e96b29bc822e1047e2243f6aec8959595560147, 
73fe8b8fb4bd7776362fd356fdc189c93cf5d9f6724f6237d829024c10263fe5, 74b4c6f7c7cae07c6f8edf3f2fb1e9206d4f1f9734e8e4784b15d192eec8cd8a4f59078fc0c56dc4ad0856cdd792337b5c92ffd3d2240c8a287a776df4363bba, 79276523a6a507e3fa1b12b96e09b10a01c783a53d58b9ae7f5780a379431639a80165e81154522649b8e2098e86d1a310efffebe32faafc7b3bc093eec60a64, 82bf31e7d768e6d4d3bc7c8c8ef2b358, 88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed, 8e29aeb3603ffe307b2d60f7401bd9978bebe8883235eb88052ebf6b9e04ce6bf35667480cedea5712c1e13e8c6dcfb34d5fde0ddca6ca31328de0152509bf8f, 8e4c88d00b6eb46229a1ed7001451320, 97001baaa379bcd83677dca7bc5b8048fdfaaddc, 9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806, 9bf4c786ebd68c0181cfe3eb85d2fd202ed12c54, a02469742f7b0bc9a8ab5e26822b3fa8, a52e36a70b5e0307cbcaa5fd7c97882c, aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38, b3b6a992540da96375e4781afd3052118ad97cfe60ccf004d732f76678f6820a, b91881cb1aa861138f2063ec130b2b01a8aaf0e3f04921e5cbfc61b09024bf12, bbe18d32bef66ccfa931468511e8ba55b32943e47a1df1e68bb5c8f8ae97a5bf991201858ae9632fa24df5f6c674b6cb260297a1c11889ca61bda68513f440ce, bfb3ffd46b21b2281374cd60bc756fe2dcc32486dcc156c9bd98f24101145454, c3549d4e5e39a11f609fc6fbf5cc1f2c0ec272b4, dbca28ad420408850a94d5c325183b28, de28546ec356c566cd8bca205101a733e9a4a22d, dfac2542a0ee65c474b91d3b352540a24f4e223f1b808b741cfe680263f0ee44, f639d9404c03af86ce452db5c5e0c528b81dc0d7, f7cda90174b806a34381d5043e89b23ba826abcc89f7abd520060a64475ed506, fb11c6caa4ea844942fe97f46d7eb42bc76911ab Victim Industries: Business Process Outsourcing, Critical Manufacturing, Facilities Services, Government, Information Technology, Legal Services, Manufacturing, Public Sector, Software as a Service (SaaS), Technology Hardware Victim Countries: Australia, Austria, Canada, Germany, Greece, Mexico, New Zealand, United Kingdom, United States Mitigation Advice Download and run the open-source Brickstorm scanner from Mandiant's GitHub repository on all Linux, 
VMware, and Windows environments, prioritizing vCenter servers.
Scan VMware ESXi hosts for the 'Junction' implant and monitor for suspicious processes masquerading as legitimate VMware services.
Scan guest VMs within your VMware environment for the 'GuestConduit' implant, paying close attention to unexpected VSOCK listeners; vsock is the host-to-guest socket transport, so a listener there is a channel that never crosses the virtual NIC and is invisible to network monitoring.
Immediately scan all internet-facing edge devices for vulnerabilities and apply all available security patches, prioritizing devices with known exploits.
Audit all Microsoft 365 and Azure AD accounts for recently registered MFA devices and verify the legitimacy of each new registration with the account owner.
Review Microsoft 365 audit logs for anomalous access to OneDrive, SharePoint, and Exchange Online, specifically session replay activity or access from unusual IP addresses or locations.
Before pushing the Attacker IPs and Attacker URLs above into a block list, note that nearly all of them are public DNS-over-HTTPS resolvers (Cloudflare 1.1.1.1 and 1.0.0.1, Google 8.8.8.8 and 8.8.4.4, Quad9 9.9.9.9, 9.9.9.11, 149.112.112.112 and 149.112.112.11, NextDNS 45.90.28.160 and 45.90.30.160) rather than attacker-controlled infrastructure; blocking them outright breaks every legitimate DoH client. The useful signal is a vCenter server, ESXi host or domain controller issuing HTTPS requests to /dns-query on any of them, since those systems have no reason to use DoH. Only 149.28.120.31 and 208.83.233.14 are candidates for a plain block.
Compliance Best Practices
Implement network segmentation to create isolated security zones for critical assets such as VMware vCenter servers, ESXi hosts, and Domain Controllers, restricting access from less secure network segments.
Enforce the principle of least privilege for all accounts, especially service and administrative accounts, so that they hold only the minimum permissions needed on systems like vCenter and Active Directory.
Implement a default-deny egress filtering policy on the network firewall, allowing outbound traffic only for explicitly approved protocols, ports, and destinations, to disrupt command-and-control communications.
Enhance security logging for critical systems, including VMware vCenter, ESXi hosts, Domain Controllers, and ADFS servers. Forward these logs to a SIEM and develop correlation rules to detect lateral movement and credential access techniques.
Strengthen MFA policies by requiring re-authentication for sensitive actions such as registering a new MFA device, and enforce phishing-resistant MFA for all administrative and privileged accounts.
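The MFA-registration audit above can be scripted rather than clicked through. The following Python is an added example written for this page, not code from the report's authors or from Microsoft: it takes Entra ID directory audit records and sign-in records (field names as the Graph API exposes them, which is an assumption to confirm against your own export), lists every authentication-method registration in the last 14 days, and flags the ones made from an IP address the user had no established sign-in history from. All records in it are constructed for the example.

```python
"""Hunt for recently registered MFA methods whose source IP is unfamiliar.

Added example; it is not code from the original report or from F5. Record
shapes follow the Microsoft Graph directoryAudits and signIns objects as the
author of this example understands them (activityDisplayName,
activityDateTime, initiatedBy.user.ipAddress, targetResources[]
.userPrincipalName, createdDateTime, status.errorCode); confirm the field
names against your own tenant export. Every record below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Activity names Entra ID writes when a user adds an authentication method.
# Assumption: extend the set after checking what your tenant actually logs.
REGISTRATION_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
}

# Fixed reference time so the example is reproducible (constructed).
NOW = datetime(2025, 12, 10, 12, 0, tzinfo=timezone.utc)


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def prior_ips(sign_ins, upn, before, established_days=7):
    """IPs `upn` signed in from successfully at least `established_days`
    before `before`. The gap is deliberate: an attacker who signs in with a
    stolen password and registers a device minutes later would otherwise
    make their own IP look familiar."""
    limit = before - timedelta(days=established_days)
    return {
        s["ipAddress"]
        for s in sign_ins
        if s["userPrincipalName"].lower() == upn
        and s.get("status", {}).get("errorCode", 0) == 0
        and _ts(s["createdDateTime"]) < limit
    }


def audit_mfa_registrations(audit_records, sign_ins, now=NOW, days=14):
    """Return every MFA registration in the last `days`, marking those
    performed from an IP the user had no established sign-in history from."""
    cutoff = now - timedelta(days=days)
    findings = []
    for rec in audit_records:
        if rec.get("activityDisplayName") not in REGISTRATION_ACTIVITIES:
            continue
        when = _ts(rec["activityDateTime"])
        if when < cutoff:
            continue
        ip = rec.get("initiatedBy", {}).get("user", {}).get("ipAddress")
        for target in rec.get("targetResources", []):
            upn = target.get("userPrincipalName", "").lower()
            if not upn:
                continue
            findings.append({
                "user": upn,
                "time": when.isoformat(),
                "ip": ip,
                "unfamiliar_ip": ip not in prior_ips(sign_ins, upn, when),
            })
    return findings


def users_to_verify(findings):
    """Account owners to contact before trusting the new device."""
    return sorted({f["user"] for f in findings if f["unfamiliar_ip"]})


# Constructed sample data (RFC 5737 documentation addresses).
AUDIT_RECORDS = [
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2025-12-09T09:15:00Z",
     "initiatedBy": {"user": {"ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "alice@example.com"}]},
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2025-12-09T22:40:00Z",
     "initiatedBy": {"user": {"ipAddress": "192.0.2.55"}},
     "targetResources": [{"userPrincipalName": "bob@example.com"}]},
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2025-11-01T10:00:00Z",   # older than 14 days
     "initiatedBy": {"user": {"ipAddress": "203.0.113.20"}},
     "targetResources": [{"userPrincipalName": "carol@example.com"}]},
    {"activityDisplayName": "Update user",             # not a registration
     "activityDateTime": "2025-12-09T11:00:00Z",
     "initiatedBy": {"user": {"ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "alice@example.com"}]},
]

SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-11-20T08:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2025-11-15T08:00:00Z", "status": {"errorCode": 0}},
    # Same evening as bob's registration: too recent to count as established.
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.55",
     "createdDateTime": "2025-12-09T20:30:00Z", "status": {"errorCode": 0}},
    # Failed sign-in from the same IP a month earlier: never counts.
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.55",
     "createdDateTime": "2025-11-10T03:00:00Z", "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    found = audit_mfa_registrations(AUDIT_RECORDS, SIGN_INS)
    for f in found:
        print(f)
    print("verify with account owner:", users_to_verify(found))
```

Feed it the JSON you export from the audit and sign-in logs; the seven-day "established" gap is the part worth keeping, because a registration that immediately follows a first-ever sign-in from the same address is exactly the session-replay pattern the report describes.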
Intellexa Deployed Predator Spyware via iOS Zero-Day Exploit Chain Against Egyptian Targets Sanctioned commercial surveillance vendor Intellexa deployed a three-stage iOS zero-day exploit chain, internally codenamed "smack," against targets in Egypt to install its Predator spyware. The initial stage leveraged a Safari remote code execution zero-day (CVE-2023-41993), which Google assessed Intellexa likely acquired externally due to its use of the "JSKit" framework, previously observed in attacks by other surveillance vendors and Russian government-backed actors. The second stage achieved sandbox escape and privilege escalation by exploiting kernel vulnerabilities CVE-2023-41991 and CVE-2023-41992, providing kernel memory read/write capabilities. The final stage, PREYHUNTER, comprised "helper" and "watcher" modules; the "watcher" module performed anti-detection by monitoring for security tools, specific locale settings, and other anomalies, while the "helper" module used custom frameworks (DMHooker, UMHooker) to hook system functions for VOIP recording, keylogging, and camera capture, also hiding notifications. Intellexa has been linked to 15 zero-day vulnerabilities since 2021, including several Chrome V8 engine exploits (CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, CVE-2025-6554) observed in Saudi Arabia. Google Threat Intelligence Group and CitizenLab collaborated on this discovery, leading Google to issue warnings to Intellexa's customers across multiple countries and add associated domains to Safe Browsing. 
Severity: Critical
Sources
https://gbhackers.com/ios-zero-day/
https://thecyberexpress.com/ios-zero-day-exploit-chain-egypt/
Threat Details and IOCs
Malware: Alien, ALIEN, Nova, Predator, PREYHUNTER
CVEs: CVE-2021-38003, CVE-2022-42856, CVE-2023-2033, CVE-2023-3079, CVE-2023-41991, CVE-2023-41992, CVE-2023-41993, CVE-2023-4762, CVE-2025-6554
Technologies: Apple iOS, Apple Safari, Google Chrome
Threat Actors: Intellexa
Attacker Countries: Russia (an automated tag derived from the JSKit overlap with Russian government-backed actors noted above; Intellexa itself is a commercial surveillance vendor, not a Russian state actor)
Attacker Hashes: 85d8f504cadb55851a393a13a026f1833ed6db32cb07882415e029e709ae0750, e3314bcd085bd547d9b977351ab72a8b83093c47a73eb5502db4b98e0db42cac
Victim Industries: Government, Multimedia, Technology Hardware
Victim Countries: Angola, Egypt, Kazakhstan, Mongolia, Pakistan, Saudi Arabia, Tajikistan, Uzbekistan
Mitigation Advice
Update all corporate and BYOD iOS devices to the latest available OS version; CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993 were fixed in iOS 16.7 and iOS 17.0.1, so anything older is exposed to the full chain.
Ensure all Google Chrome and Chromium-based browsers on corporate endpoints are updated to the latest version to protect against CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and CVE-2025-6554.
Scan managed mobile devices for unauthorized security research tools such as Bash, tcpdump, frida, sshd, or checkra1n; on a stock iOS device these indicate a jailbreak and are therefore indicators of either compromise or reconnaissance.
Audit managed mobile devices for unauthorized custom HTTP proxy configurations and non-corporate root certificate installations.
Compliance Best Practices
Implement or enhance a Mobile Device Management (MDM) solution to enforce mandatory and timely OS and application updates on all mobile devices accessing corporate data.
Develop and enforce a security policy that enables Apple's Lockdown Mode on iOS devices used by executives and other employees at high risk of being targeted by sophisticated spyware.
Establish a continuous security awareness training program that educates users on how to identify and report phishing attempts and suspicious links on mobile devices.
Implement and maintain network egress filtering to block outbound connections from all corporate devices to known malicious domains and uncategorized websites.
Use MDM to establish and enforce a policy that prohibits Developer Mode on all corporate-managed iOS devices unless there is a documented and approved business justification.
Microsoft Patches Critical Windows .LNK Flaw (CVE-2025-9491) Exploited by State-Sponsored Groups
Microsoft has addressed a critical Windows shortcut file (.lnk) vulnerability, tracked as CVE-2025-9491 (ZDI-CAN-25373), which allowed malicious .lnk files to conceal their command-line arguments and so execute hidden commands. The flaw, exploited by at least 11 state-sponsored groups from North Korea, Iran, Russia, and China since 2017 for espionage and data theft, relies on padding the shortcut's command-line arguments with whitespace (spaces, tabs, line feeds and similar characters) so that the Target field in the file's Properties dialog shows only the innocuous start of the command. After initially downplaying the issue, Microsoft shipped a "silent mitigation" in its November 2025 Patch Tuesday that makes the Properties dialog reveal the full command. The fix follows a recent campaign by the China-linked UNC6384/Mustang Panda group, which leveraged CVE-2025-9491 in spear-phishing attacks against European diplomatic entities to deploy the PlugX remote access trojan. The .lnk format remains a significant threat because shortcut attachments pass many email filters and execution needs nothing more than a user double-clicking, so the risk persists until all vulnerable systems are updated.
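To see what the mitigation changes and what a scanner has to look at, here is an added Python example written for this page (not Microsoft's, ZDI's or the article author's code) that parses a shortcut's ShellLinkHeader and StringData as laid out in MS-SHLLINK and flags command-line arguments that begin with a long run of whitespace or contain line feeds or other control whitespace, the pattern behind CVE-2025-9491. The sample shortcuts are built in memory with a hypothetical, harmless payload; scan_file() applies the same check to a real .lnk on disk.

```python
"""Flag whitespace-padded command lines in Windows shortcut (.LNK) files.

Added example; it is not code from the original article, from Microsoft or
from ZDI. It follows the ShellLinkHeader and StringData layout of MS-SHLLINK:
LinkTargetIDList and LinkInfo are skipped using their own size fields and the
trailing ExtraData is ignored. Shortcuts are built in memory with a
hypothetical, harmless payload so the script runs offline.
"""
import struct

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) form.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData structures appear in this fixed order when their flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
# Whitespace used for padding: space, tab, LF, VT, FF, CR.
PAD_CHARS = " \t\n\x0b\x0c\r"


def _read_string(buf, off, unicode):
    (count,) = struct.unpack_from("<H", buf, off)   # CountCharacters, not bytes
    off += 2
    size = count * 2 if unicode else count
    raw = buf[off:off + size]
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, off + size


def parse_lnk(buf):
    """Return LinkFlags, ShowCommand and the StringData fields of a shell link."""
    if (len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize + IDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself
        off += struct.unpack_from("<I", buf, off)[0]
    fields = {"flags": flags, "show_command": struct.unpack_from("<I", buf, 60)[0]}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return fields


def padding_verdict(fields, min_pad=20):
    """Long leading whitespace or control whitespace in the arguments is the
    CVE-2025-9491 pattern: the Target box shows the path and a blank, and the
    real command sits past the padding."""
    args = fields.get("arguments", "")
    leading = len(args) - len(args.lstrip(PAD_CHARS))
    control = any(c in args for c in "\n\x0b\x0c\r")
    return {
        "leading_pad": leading,
        "control_whitespace": control,
        "suspicious": leading >= min_pad or control,
        "hidden_command": args.strip(PAD_CHARS),
        "window_hidden": fields.get("show_command") == 7,   # SW_SHOWMINNOACTIVE
    }


def scan_file(path, min_pad=20):
    with open(path, "rb") as fh:
        return padding_verdict(parse_lnk(fh.read()), min_pad)


def _string_data(text, unicode):
    data = text.encode("utf-16-le") if unicode else text.encode("cp1252")
    return struct.pack("<H", len(text)) + data


def build_lnk(relative_path, arguments, unicode=True, show_command=1):
    """Minimal shortcut: header, RelativePath, CommandLineArguments and a
    TerminalBlock. Used only to construct the samples below."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return (header + _string_data(relative_path, unicode)
            + _string_data(arguments, unicode) + b"\x00\x00\x00\x00")


# Constructed samples. The "payload" is a hypothetical, harmless stand-in.
BENIGN = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "readme.txt")
PADDED = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                   " " * 300 + '/c powershell -w hidden -c "Write-Output demo"',
                   show_command=7)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, padding_verdict(parse_lnk(blob)))
```

The ANSI (non-Unicode) string form is handled as well, since older lures use it; only the CountCharacters prefix and the encoding differ. A hunt over a mail store or file share is a loop over scan_file() results, sorted by leading_pad.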
Severity: Critical
Sources
https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html
https://cyberpress.org/microsoft-windows-lnk-vulnerability/
https://dataconomy.com/2025/11/24/why-that-harmless-looking-desktop-icon-might-actually-be-a-weapon/
https://gbhackers.com/hackers-actively-exploit-new-windows-lnk-0-day/
https://it.slashdot.org/story/25/12/04/1744255/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day?utm_source=rss1.0mainlinkanon&utm_medium=feed
https://meterpreter.org/microsoft-finally-patches-lnk-flaw-cve-2025-9491-exploited-by-spies-since-2017/
https://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html
https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
https://www.hendryadrian.com/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
https://www.techrepublic.com/article/news-microsoft-fixes-security-flaw/
https://www.theregister.com/2025/12/04/microsoft_lnk_bug_fix/
Threat Details and IOCs
Malware: CirenegRAT, C_Major, Destroy RAT, DestroyRAT, Dreambot, Farfli, Gh0st, Gh0st RAT, Ghost RAT, Gozi, Gozi-ISFB, HiddenGh0st, Hodur, ISFB, Kaba, Konni, KONNI, Korplug, LDR4, Moudour, Papras, PCrat, PCRat, PlugX, QNAP-Worm, Raspberry Robin, Roshtyak, Snifula, Sogu, SOGU, Storm-0856, SugarGh0st RAT, TheTrick, TIGERPLUG, Trickbot, TrickBot, TrickLoader, Trickster, UpDog, Ursnif, UsrRunVGA.exe, XDigo
CVEs: CVE-2025-9491
Technologies: Microsoft Windows, Microsoft Windows Server
Threat Actors: APT10, APT15, APT17, APT20, APT21, APT22, APT26, APT27, APT3, APT31, APT37, APT40, APT41, APT43, Barium, Bitter, BronzePresident, BronzeUnion, Daggerfly, DoubleDragon, DragonOK, EarthIktomi, EarthLusca, EarthPreta, EmissaryPanda, EvilCorp, HazyTiger, Hellsing, HurricanePanda, Kimsuky, Konni, LuckyMouse, MenuPass, MUSTANGPANDA, OpalSleet, RazorTiger, RedDelta, RedHotel, SadFuture, SAMURAIPANDA, Sidewinder, TA416, TA505, TEMPHex, TwillTyphoon, UNC1878, UNC6384, VelvetAnt, 
WaterPoukai, WickedPanda, WickedSpider, WIZARDSPIDER, XDSpy Attacker Countries: China, India, Iran, North Korea, Russia Attacker IPs: 195.154.152.70 Attacker Domains: cseconline.org, d32tpl7xt7175h.cloudfront.net, dorareco.net, mydownload.z29.web.core.windows.net, naturadeco.net, paquimetro.net, racineupci.org, vnptgroup.it.com Victim Industries: Aerospace, Civic and Social Organizations, Defense, Education, Energy, Financial, Financial Services, Government, Healthcare, Mining, Non-Governmental Organizations (NGOs), Technology Hardware, Telecommunications Victim Countries: Afghanistan, Algeria, Australia, Austria, Bangladesh, Belarus, Belgium, Bhutan, Brazil, Bulgaria, Cambodia, China, Cyprus, Czech Republic, Djibouti, Egypt, Estonia, Ethiopia, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Indonesia, Ireland, Italy, Japan, Kuwait, Laos, Latvia, Malaysia, Maldives, Moldova, Mongolia, Mozambique, Myanmar, Nepal, Netherlands, Nigeria, Pakistan, Palestine, Philippines, Romania, Russia, Rwanda, Saudi Arabia, Serbia, Singapore, Slovakia, South Africa, South Korea, Sri Lanka, Sudan, Sweden, Taiwan, Thailand, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Vatican City, Vietnam Mitigation Advice Prioritize and deploy the November 2025 Microsoft Patch Tuesday security updates to all Windows endpoints and servers to apply the mitigation for CVE-2025-9491. Conduct a threat hunt across all endpoints for indicators of compromise related to this campaign, such as anomalous PowerShell execution originating from .lnk files, evidence of the PlugX RAT, and signs of DLL sideloading. Configure your email security gateway to block or quarantine all incoming emails containing .lnk file attachments, including those within compressed archives like .zip files. 
Issue an immediate security alert to all employees, warning them not to open unexpected shortcut (.lnk) files, especially those received by email, and to report suspicious emails to the security team.
Compliance Best Practices
Implement an application allowlisting policy, such as Windows Defender Application Control (WDAC), to restrict execution of unauthorized applications and scripts on endpoints.
Enable PowerShell Script Block Logging and Module Logging on all Windows systems and forward the logs to a centralized SIEM for monitoring and alerting on suspicious script execution.
Deploy or tune an Endpoint Detection and Response (EDR) tool with rules for the process chain a malicious shortcut actually produces: explorer.exe (or the mail or archive program the shortcut was opened from) spawning cmd.exe or powershell.exe with an unusually long command line, especially one containing long runs of whitespace. A .lnk is not a process, so a rule written as ".lnk spawning PowerShell" will never fire.
Establish a continuous security awareness training program that includes regular phishing simulations using lures with various attachment types, including shortcuts and archives, so users learn to identify and report them.
Enforce the principle of least privilege by removing local administrator rights from all standard user accounts to contain the impact of malware execution.
Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.
The End of ClientAuth EKU…Oh Mercy…What to do?
If you've spent any time recently monitoring the cryptography and public key infrastructure (PKI) spaces, beyond the ever-present "post-quantum" topic, you may have read that starting in May 2026 the Google Chrome Root Program Policy will require public certificate authorities (CAs) to stop issuing TLS server certificates that carry the Client Authentication Extended Key Usage (ClientAuth EKU, id-kp-clientAuth). Removing ClientAuth from server certificates correctly narrows what those certificates can be used for, but any internal mutual-TLS machine-to-machine or API workload that presents a public-CA certificate as its client identity will stop authenticating once a new or renewed certificate arrives without the EKU. Inventory those workloads now, since they will need certificates from a CA outside the Chrome-trusted hierarchy (typically a private CA). Read more here for details and options.
What's new in BIG-IP v21.0?
Introduction In November of 2025 F5 released the latest version of BIG-IP software, v21.0. This release is packed with fixes and new features that enhance the F5 Application Delivery and Security Platform (ADSP). These changes complement the Delivery, Security and Deployment aspects of the ADSP. New SSL Orchestrator Features SNI Preservation SNI (Server Name Indication) Preservation is now supported for Inbound Gateway Mode. This preserves the client’s original SNI information as traffic passes through the reverse proxy, allowing backend TLS servers to access and use this information. This enables accurate application routing and supports security workflows like threat detection and compliance enforcement. Previous software versions required custom iRules to enable this functionality. Note: SNI preservation is enabled by default. However, if you have existing Inbound Gateway Topologies, you must redeploy them for the change to take effect. iRule Control for Service Entry and Return Previously, iRules were only available on the entry (ingress) side, limiting customization to traffic entering the Inspection Service. iRule control is now extended to the return-side traffic of Inspection Services. You can now apply iRules on both sides of an Inspection Service (L2, L3, HTTP). This enhancement provides full control over traffic entering and leaving the Inspection Service, enabling more flexible, powerful, and fine-grained traffic handling. The Services page will now include configuration for iRules on service entry and iRules on service return. A typical use-case for this feature is what we call Header Enrichment. In this case, iRules are used to add headers to the payload before sending it to the Inspection Service. The headers could contain the authenticated username/group membership of the person who initiated the connection. This information can be useful for Inspection Services for either logging, policy enforcement, or both. 
The benefit of this feature is that the authenticated username/group membership header can be removed from the payload on egress, preventing it from being leaked to origin servers.
New Access Policy Manager (APM) Features
Expanded Exclusion Support for Locked Client Mode
Previously, APM locked client mode allowed a maximum of 10 exclusions, so administrators could not add more than 10 destinations. This limit has been removed and the exclusion list can now contain more than 10 entries.
OAuth Authorization Server Max Claims Data Support
The maximum claim data size defaults to 8 KB. Large claims consume correspondingly more memory, so the limit has to be sized to what your claims configuration actually needs rather than raised blindly.
New Features in BIG-IP v21.0.0
Control Plane Performance and Scalability Improvements
The BIG-IP 21.0.0 release introduces significant improvements to the control plane, including better scalability and support for large-scale configurations (up to 1 million objects). This includes MCPD efficiency enhancements and eXtremeDB scale improvements.
AI Data Delivery
Optimize performance and simplify configuration with new S3 data storage integrations. Use cases include secure ingestion for fine-tuning and batch inference, high-throughput retrieval for RAG and embeddings generation, policy-driven model artifact distribution with observability, and controlled egress with consistent security and compliance. F5 BIG-IP optimizes and secures S3 data ingress and egress for AI workloads.
Model Context Protocol (MCP) support for AI traffic
Accelerate and scale AI workloads with support for MCP, which enables communication between AI models, applications, and data sources. This enhances performance, secures connections, and streamlines deployment for AI workloads.
Migrating BIG-IP from Entrust to Alternative Certificate Authorities
Entrust is being removed as a trusted certificate authority by the major browsers. After a series of compliance failures against industry standards in recent years, Google Chrome and Mozilla announced their distrust of Entrust last year: Chrome no longer trusts Entrust TLS certificates issued on or after November 12, 2024, and Mozilla applies its cut-off to certificates issued after November 30, 2024. Certificates issued before those dates keep working until they expire, which is why this is a migration with a deadline rather than an immediate outage.
Conclusion
Upgrade your BIG-IP to version 21.0 to take advantage of these fixes and new features that enhance the F5 Application Delivery and Security Platform (ADSP).
Related Content
SSL Orchestrator Release Notes
BIG-IP Release Notes
BLOG F5 BIG-IP v21.0: Control plane, AI data delivery and security enhancements
Press Release F5 launches BIG-IP v21.0
Introduction to BIG-IP SSL Orchestrator
Distributed Cloud for App Delivery & Security for Hybrid Environments
As enterprises modernize and expand their digital services, they increasingly deploy multiple instances of the same applications across diverse infrastructure environments, such as VMware, OpenShift, and Nutanix, to support distributed teams, regional data sovereignty, redundancy, or environment-specific compliance needs. These application instances often integrate into service chains that span clouds and data centers, introducing both scale and operational complexity. F5 Distributed Cloud provides a unified solution for secure, consistent application delivery and security across hybrid and multi-cloud environments. It enables organizations to add workloads seamlessly, whether for scaling, redundancy, or localization, without sacrificing visibility, security, or performance.
BIG-IP for Scalable App Delivery & Security in Hybrid Environments
Scope: As enterprises deploy multiple instances of the same applications across diverse infrastructure platforms such as VMware, OpenShift, Nutanix, and public cloud environments, and across geographically distributed locations for redundancy and seamless migration, they face growing challenges in ensuring consistent performance, centralized security, and operational visibility. Managing distributed application traffic, enforcing uniform security policies, and maintaining high availability across hybrid environments adds operational overhead and risk, hindering agility and scalability. F5 BIG-IP Application Delivery and Security addresses this challenge with a unified, policy-driven approach to securing workloads across hybrid multi-cloud environments, and can be used to scale application services on existing infrastructure or for new business models.
Introduction: This article shows how F5 BIG-IP fronts identical application workloads deployed across multiple environments, ensuring high availability, seamless traffic management, and consistent performance. By supporting smooth workload transitions and zero-downtime deployments, F5 helps organizations keep applications reliable, secure, and scalable. From a business perspective, this enhances operational agility, supports growing traffic demands, reduces risk during updates, and delivers the reliable, secure, high-performance application experience that meets customer expectations and drives growth.
This use case covers a typical enterprise setup with the following environments:
VMware (On-Premises)
Nutanix (On-Premises)
Google Cloud Platform (GCP)
Architecture: As illustrated in the diagram, when new application workloads are provisioned across environments such as AWS, GCP, VMware (on-prem) and Nutanix (on-prem and on VMware), BIG-IP ensures seamless integration with existing services.
Platforms and supported environments:
VMware: On-Prem, GCP, Azure
Nutanix: On-Prem, AWS, Azure
This article walks through the deployment on the VMware platform. For deployment on other platforms such as Nutanix and GCP, refer to the detailed guide below.
F5 Scalable Enterprise Workload Deployments Complete Guide
Scalable Enterprise Workload Deployment Across Hybrid Environments
Enterprise applications are deployed across multiple environments to address diverse customer needs. With F5's Application Delivery and Security features, organizations can ensure consistent performance, high availability, and robust protection on every deployment platform, giving a unified and secure application experience across cloud, on-premises, and virtualized environments.
Workload Distribution Across Environments
Workloads are distributed across the following environments:
VMware: App A & App B
OpenShift: App B
Nutanix: App B & App C
→ VMware: Add App C
→ OpenShift: Add App A & App C
→ Nutanix: Add App A
Applications being used:
A → Juice Shop (deliberately vulnerable web app for security testing)
B → DVWA (Damn Vulnerable Web Application)
C → Mutillidae
Initial Infrastructure: VMware: App A & B, Nutanix: App B & C, GCP: App B.
VMware: In the VMware on-premises environment, Applications A and B are deployed and connected to two separate load balancers. This forms the existing infrastructure. These applications are actively serving user traffic with delivery and security managed by BIG-IP. A Web Application Firewall (WAF) policy is enabled, which blocks malicious requests; the corresponding events are logged under BIG-IP > Security > Event Logs.
Note: This initial deployment has also been implemented on Nutanix and GCP. For the full details, consult the complete guide here.
Adding additional workloads: To demonstrate BIG-IP's ability to support evolving enterprise demands, we will introduce new workloads across all environments.
This will validate its seamless integration, consistent security enforcement, and support for continuous delivery across hybrid infrastructures.
VMware: Add application C (Mutillidae) to the VMware on-premises environment and access it through a BIG-IP virtual server. Apply the WAF policy to the newly created virtual server, then verify it by simulating malicious requests and confirming that they are blocked and logged.
Nutanix: The VMware use case applies equally when deploying BIG-IP on Nutanix bare metal or on Nutanix running on VMware. For demonstration purposes, the Nutanix Community Edition hypervisor is booted as a virtual machine within VMware. Inside this hypervisor, a new virtual machine is created and provisioned with the BIG-IP image downloaded from the F5 Downloads portal. Once the BIG-IP instance is online, an additional VM hosting the application workload is deployed and associated with a BIG-IP virtual server, so the application remains isolated and is never exposed directly to external clients.
GCP (Google Cloud Platform): The VMware use case also applies when deploying BIG-IP on public cloud platforms such as Azure, AWS, and GCP. For demonstration purposes, GCP is selected. Within the same project where the BIG-IP instance is provisioned, an additional virtual machine hosting the application workload is deployed and associated with the BIG-IP virtual server, so the workload sits behind BIG-IP and is not directly reachable from the Internet.
Key Resources: Refer to the detailed guide below, which covers the deployment of Nutanix on VMware and GCP and shows how BIG-IP delivers consistent security, traffic management, and application delivery across hybrid environments.
F5 Scalable Enterprise Workload Deployments Complete Guide
Conclusion: This demonstration illustrates that BIG-IP's Application Delivery and Security capabilities offer a robust, scalable, and consistent solution across both multi-cloud and on-premises environments. By deploying BIG-IP across diverse platforms, organizations achieve uniform application security while maintaining reliable connectivity, strong encryption, and comprehensive protection for both modern and legacy workloads. This unified approach lets businesses scale infrastructure and address evolving user demands without sacrificing performance, availability, or security, while keeping centralized control and policy enforcement across heterogeneous environments.
References:
F5 Application Delivery and Security Platform
BIG-IP Data Sheet
F5 Hybrid Security Architectures: One WAF Engine, Total Flexibility
Distributed Cloud (XC) Github Repo
BIG-IP Github Repo
Detection of Malicious Users using F5 Distributed Cloud WAAP – Part III
Introduction
Parts I and II of this series covered the advantages of F5 Distributed Cloud's malicious user detection and how simple it is to configure and monitor those events from the F5 Distributed Cloud Console dashboards:
Detection of Malicious Users using F5 Distributed Cloud WAAP – Part I
Detection of Malicious Users using F5 Distributed Cloud WAAP – Part II
In this article, we go through a few more test scenarios covering the detection and mitigation of malicious user events.
Demonstration (using Multi Load Balancer ML config)
Scenario 1: In this scenario, we monitor and mitigate users flagged as malicious because of repeated forbidden-access attempts.
Step1: Enable malicious user detection using Multi Load Balancer ML config as described in the documentation.
Step2: Configure a service policy that denies access to a specific path. From the Console homepage, click Web App & API Protection. Click Manage -> Service Policies -> Service Policies. Click 'Add service policy', give it a name, and set the rules as needed. Here, we deny access to the path '/delete', as shown in the screenshot below, so that users cannot reach "https://<domain>/delete". Go to Home -> Web App & API Protection -> Manage -> Load Balancers -> HTTP Load Balancers, and attach the service policy to the LB.
Step3: Configure an App Setting object to detect malicious user activity based on forbidden access requests. Go to Home->WAAP->Manage->AI&ML->App Settings and click 'Add App Setting'. Enter a name and go to the 'AppType Settings' section. Click 'Add item', open the 'App Type' drop-down and select the app type configured on the LB in Step1. Click 'Configure' under 'Malicious User Detection' and tune the settings as needed.
Here, we set the threshold for forbidden access requests to 10; beyond that the system flags the user as malicious. Apply and add the configuration, then click 'Save and Exit' to create the App Setting object.
Step4: Configure automatic mitigation for malicious users. Go to your LB and click 'Edit Configuration'. Scroll down to the 'Common Security Controls' section, enable 'Malicious User Mitigation And Challenges', set 'Malicious User Mitigation Settings' to 'Default', and click Save & Exit.
Step5: Generate more requests than the threshold configured in Step3 to the forbidden path (https://<domain>/delete).
Note: "Generating requests" here means what an attacker does when trying to get past a 403 Forbidden response: trying different HTTP methods, or manipulating the path by appending sequences such as %2e, %2f or %5c, either manually or with a script. Each attempt the service policy still denies is answered with 403 and counts toward the threshold.
Step6: Go to Home->Web App & API Protection->Overview->Dashboards->Security Dashboard, select your LB, switch to the Malicious Users tab and monitor the activity.
Note: If you have not enabled automatic mitigation, you can still block the user manually by clicking 'Block User' at the top right and adding the detected IP address to the deny list.
Scenario 2: In this scenario, we detect malicious users based on requests from potentially High-Risk IPs and block them through the default automatic mitigation action.
Step1: Enable malicious user detection using Multi Load Balancer ML config as described in the documentation.
Step2: In the App Setting object, make sure 'IP Reputation' is enabled (see Step3 of Scenario 1). Apply, Save & Exit.
Step3: Follow Step4 of Scenario 1 to enable the default automatic malicious user mitigation action.
Step4: Generate 20+ requests in a minute from the Tor browser.
Finally, follow Step6 of Scenario 1 to monitor the malicious user activity.
Note: Tor is free and open-source software that hides its users' identity and activity on the Internet; exit-node addresses are therefore a standard category in IP reputation feeds, which is why traffic from the Tor browser trips the High-Risk IP check.
Conclusion
This brings us to the end of the series. We have seen how F5 Distributed Cloud WAAP's malicious user detection aids in the identification and mitigation of suspicious activity. Alert fatigue, long investigation times, missed attacks, and false positives are common problems for security teams; malicious user detection filters out the noise and surfaces actual risks without manual intervention. Suspicious actions such as forbidden access attempts and login failures build up a timeline of events that points to malicious user activity. Users exhibiting such behavior can be blocked manually or automatically based on their threat level, and exceptions can be made with allow lists.
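Both scenarios reduce to the same scoring logic, which is easier to reason about in code than in screenshots. The following Python is an added example written for this page, not F5's code and not how Distributed Cloud implements its model: it replays constructed access-log lines through a per-client one-minute window, counts 403 responses against the threshold of 10 used in Scenario 1, combines that with an assumed High-Risk IP list for Scenario 2's 20-requests-per-minute Tor case, and maps the resulting threat level to an action. The threshold, rate, reputation list and level-to-action mapping are all assumptions made for the example.

```python
"""Score clients the way a malicious-user detector does: count 403s per client
in a one-minute window, fold in IP reputation, map the level to an action.

Added example; not code from the original article or from F5 Distributed
Cloud, and not XC's internal model. Log lines, the reputation list and the
threshold/action mapping are constructed or assumed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format as written by most reverse proxies; the sample lines
# below are constructed in exactly this shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
FORBIDDEN_THRESHOLD = 10   # forbidden requests per minute, as set in Scenario 1
RATE_THRESHOLD = 20        # requests per minute from a High-Risk IP (Scenario 2)
WINDOW_SECONDS = 60
# Assumed level-to-action mapping; in XC the "Default" mitigation settings decide this.
ACTIONS = {"high": "block", "medium": "js-challenge", "low": "log", "none": "allow"}


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def _push(window, ts):
    """Add ts to a sliding window, drop entries older than WINDOW_SECONDS,
    and return the current window size."""
    window.append(ts)
    while (ts - window[0]).total_seconds() >= WINDOW_SECONDS:
        window.popleft()
    return len(window)


def threat_level(info):
    """Assumed scoring: forbidden-access threshold or reputation plus rate is
    high; reputation alone or half the threshold is medium."""
    if info["forbidden_peak"] >= FORBIDDEN_THRESHOLD:
        return "high"
    if info["high_risk"] and info["rate_peak"] >= RATE_THRESHOLD:
        return "high"
    if info["high_risk"] or info["forbidden_peak"] >= FORBIDDEN_THRESHOLD // 2:
        return "medium"
    return "low" if info["forbidden_peak"] else "none"


def score_clients(lines, high_risk_ips=frozenset()):
    """Return {client_ip: {"forbidden_peak", "rate_peak", "high_risk", "level", "action"}}."""
    requests, forbidden = defaultdict(deque), defaultdict(deque)
    result = defaultdict(lambda: {"forbidden_peak": 0, "rate_peak": 0, "high_risk": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        info = result[ip]
        info["high_risk"] = ip in high_risk_ips
        info["rate_peak"] = max(info["rate_peak"], _push(requests[ip], ts))
        if rec["status"] == 403:
            info["forbidden_peak"] = max(info["forbidden_peak"], _push(forbidden[ip], ts))
    for info in result.values():
        info["level"] = threat_level(info)
        info["action"] = ACTIONS[info["level"]]
    return dict(result)


def _line(ip, second, method, path, status):
    return (f'{ip} - - [10/Dec/2025:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0')


# 403-bypass probes of the kind Step5 describes (method and path variations).
PROBES = ["/delete", "/DELETE", "/delete/", "/delete/.", "/%2e/delete", "/delete%2f",
          "/delete%20", "/delete..;/", "/%2f/delete", "/delete%5c", "/./delete"]
HIGH_RISK_IPS = frozenset({"198.51.100.200"})   # constructed stand-in for a Tor exit

SAMPLE_LOG = (
    # Scenario 1: one client cycling through bypass variants, every one denied.
    [_line("192.0.2.10", 2 * i, ("GET", "POST", "PUT")[i % 3], p, 403)
     for i, p in enumerate(PROBES)]
    # Scenario 2: a High-Risk IP making 20 ordinary requests within 20 seconds.
    + [_line("198.51.100.200", 30 + i, "GET", "/", 200) for i in range(20)]
    # A normal user who hit the forbidden path once.
    + [_line("203.0.113.5", s, "GET", p, st)
       for s, p, st in ((5, "/", 200), (9, "/delete", 403), (20, "/login", 200))]
)

if __name__ == "__main__":
    for ip, v in score_clients(SAMPLE_LOG, HIGH_RISK_IPS).items():
        print(ip, v["level"], v["action"], v)
```

Run it against an export of the HTTP load balancer's request logs to sanity-check a threshold before turning on automatic mitigation: if ordinary users reach "medium" on the 403 count, the service policy is denying something the application legitimately requests and the threshold or the policy needs adjusting first.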