How Load Balancers Respond to Advanced Persistent Threats and Vulnerabilities

Posted on

Cybercriminals, if anything, are persistent. Advancing their tactics and strategies, constantly on the lookout for opportunities to bypass cybersecurity defenses and gain a foothold on systems where they might remain undetected.

Persistence is especially common of cybercriminal gangs and state-sponsored teams looking to use an advanced persistent threat (APT) approach. 

All network devices are a target for cybercriminals searching for vulnerabilities to exploit. Attackers have targeted routers, VPN access gateways, IoT infrastructure and border firewalls. Load balancers are not exempt from this, given that load balancers are internet-facing and mediate user access to applications. Given this, it comes as no surprise that vulnerabilities are discovered in load balancers from all vendors.

Some vulnerabilities are more critical than others, and hardware of some load balancing vendors are more vulnerable than others to APT attacks. 

Vulnerabilities in F5 and Citrix Load Balancer Firmware 

A new report from the specialist firmware protection company Eclypsium pinpointed several vulnerabilities in hardware based F5 and Citrix load balancers. From the report: 

“Eclypsium research has discovered two of the industry-leading load balancing devices can be easily repurposed as command and control systems, providing persistent access to both the devices themselves and their connected networks. 

“The techniques used are within reach of an average attacker, utilize readily available open-source tooling, and are only detectable from the advanced administrative shell; they are invisible to the web management interface and restricted shell. Furthermore, by abusing built-in functionality, it is possible to retain access if devices are rebooted, patched, or wiped and restored from backup.”

Eclypsium researchers investigated the persistence opportunities that attackers could have when targeting F5 and Citrix hardware load balancers, and did this in response to the disclosure of three critical vulnerabilities facing these load balancing vendors: (
CVE-2019-19781, CVE-2020-5902, and CVE-2022-1388).

In its report, in which Eclypsium details the techniques used, the researchers outline how they were able to compromise the F5 and Citrix hardware load balancers and enable their malware to be persistent across reboots and resets. You can read the
full report here

Note the intent of this posting is not to disparage F5, Citrix or any other load balancing vendor. Cybersecurity is an ongoing process and there will be bugs and vulnerabilities for all vendors — and that includes Progress Kemp LoadMaster. You are encouraged, regardless of which vendor solution you use, to follow for security updates and patches. 

Keeping Up With LoadMaster Security Information

Progress regularly publishes updates directly on its website. You may find several sources of information on LoadMaster security, configuration advice and release notes. 

  • Security Updates — The LoadMaster security updates page houses security announcements in one place. Look here for the latest information on CVEs and other disclosed vulnerabilities in open-source software that LoadMaster uses. You may also find advice and best practices relative to the LoadMaster.

  • LoadMaster Vulnerabilities — A dedicated table of CVEs and if they affect LoadMaster is maintained at the following link. You will see the table with links to more detailed articles on CVEs, if required.

  • Release Notes — The LoadMaster operating system (LMOS) is regularly updated with security fixes and feature updates. You can find the latest release notes and an archive of past updates on this page.

  • Securing LoadMaster Access — Security is only effective if access to the administration interfaces of LoadMaster is controlled. This page details steps to secure LoadMaster access, providing step-by-step guidance to configure administrative access on the LoadMaster. 

Why Utilizing LoadMaster Will Help Improve Your Broader Cybersecurity Posture

LoadMaster can play a pivotal role in a broader cybersecurity defense strategy for organizations of all sizes — from small to enterprise, and everything in between. Whether your infrastructure is on-premises, through a single cloud provider, distributed across a multi-cloud infrastructure or hybrid cloud setting, LoadMaster features and functionalities can quickly and easily boost your cybersecurity posture.

Learn more about how LoadMaster secures applications, including information on DDoS protection, web application firewall security and more. Please view any of the referenced blogs below to learn more about LoadMaster security capabilities and optimizations. 


Posted on

Related Posts

Maurice McMullin

Maurice McMullin was a Principal Product Marketing Manager at Progress Kemp.