Warning from CISA Regarding Malicious Actors Exploiting F5 BIG-IP Cookies for Network Recon
CISA, the United States Cybersecurity and Infrastructure Security Agency, has issued an advisory warning that threat actors are abusing unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module for network reconnaissance.
The cookies are being used to enumerate other devices on the network that are not directly reachable from the internet. The agency did not identify who is behind the activity or what the campaign's objectives are.
“Through unencrypted persistent cookies, a malicious cyber actor could potentially deduce or pinpoint additional network resources and potentially exploit vulnerabilities present in other devices within the network,” CISA said in its advisory.
CISA recommends that organizations protect persistent cookies on F5 BIG-IP devices by enabling cookie encryption in the HTTP profile. It also urges administrators to verify their configuration with F5's BIG-IP iHealth diagnostic tool, which can flag the weak setting among other issues.
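What makes the reconnaissance possible is the cookie format itself. F5 documents the default, unencrypted IPv4 persistence cookie as `BIGipServer<pool_name>=<ip>.<port>.0000`, where `<ip>` is the pool member's IPv4 address as a little-endian 32-bit integer and `<port>` is its port as a little-endian 16-bit integer, so anyone who sees the cookie can recover the internal address and port of the back-end server. The following Python is an added example, not code from the CISA advisory or from F5: it decodes that layout, builds test vectors with the inverse encoding, and scans a list of `Set-Cookie` values to report which BIG-IP cookies leak a back end. The `SAMPLE_HEADERS` are constructed for the demonstration (the first uses the `1677787402.36895.0000` value from F5's own documentation of the format, which decodes to 10.1.1.100:8080); the opaque fourth value stands in for an encrypted cookie and is not a real F5 ciphertext.

```python
import ipaddress
import re
import struct

# F5 documents the default (unencrypted) IPv4 persistence cookie layout as
#   BIGipServer<pool_name>=<ipv4 as little-endian u32>.<port as little-endian u16>.0000
# F5 also documents IPv6 and non-default route-domain encodings; those are not handled here.
_IPV4_COOKIE_RE = re.compile(r"^(?P<ip>\d{1,10})\.(?P<port>\d{1,5})\.0000$")


def decode_bigip_cookie(value: str):
    """Return (ip, port) of the pool member encoded in an unencrypted IPv4
    BIG-IP persistence cookie value, or None if the value is not in that format
    (for example because cookie encryption is enabled and the value is opaque)."""
    match = _IPV4_COOKIE_RE.match(value.strip())
    if match is None:
        return None
    ip_int = int(match.group("ip"))
    port_int = int(match.group("port"))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Both fields are little-endian: the low byte of the integer is the first octet.
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_int)))
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]
    return ip, port


def encode_bigip_cookie(ip: str, port: int) -> str:
    """Inverse of decode_bigip_cookie, used here only to build test vectors."""
    ip_int = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)[0]
    port_int = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_int}.{port_int}.0000"


def find_bigip_cookies(set_cookie_headers):
    """Scan Set-Cookie header values and report every BIGipServer* cookie together
    with the back end it leaks, or None when the value is not decodable."""
    findings = []
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        name = name.strip()
        if not name.startswith("BIGipServer"):
            continue
        value = rest.split(";", 1)[0].strip()
        findings.append({
            "cookie": name,
            "pool": name[len("BIGipServer"):],
            "backend": decode_bigip_cookie(value),
        })
    return findings


# Constructed Set-Cookie values for demonstration (not captured from any real system).
# The first uses the 1677787402.36895.0000 vector from F5's documentation (10.1.1.100:8080).
# The last is an opaque placeholder standing in for an encrypted cookie, not real F5 ciphertext.
SAMPLE_HEADERS = [
    "BIGipServerpool_web=1677787402.36895.0000; path=/; HttpOnly",
    "BIGipServerpool_app=167880896.47873.0000; path=/",
    "JSESSIONID=5F2A9C0B3E; path=/; Secure",
    "BIGipServerpool_secure=bm90IGEgcmVhbCBjb29raWU=; path=/",
]


if __name__ == "__main__":
    for finding in find_bigip_cookies(SAMPLE_HEADERS):
        if finding["backend"] is None:
            print(f"{finding['cookie']}: value not decodable (encrypted or non-IPv4 format)")
        else:
            ip, port = finding["backend"]
            print(f"{finding['cookie']}: pool {finding['pool']} -> {ip}:{port} (LEAKED)")
```

Running the script against responses from your own virtual servers is a quick way to confirm whether cookie encryption is actually in effect: a decodable value means an attacker with any view of the traffic learns a pool member's internal address and port. The scanner only recognizes the IPv4, default-route-domain layout, so a `None` result is a prompt to inspect the cookie, not proof that it is encrypted.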
“The diagnostic functionality of the BIG-IP iHealth system evaluates the logs, command output, and setup of your BIG-IP system against an extensive database of known problems, common errors, and published F5 best practices,” F5 pointed out in a support guide.
The advisory was published alongside a joint bulletin from cybersecurity agencies in the United Kingdom and the United States describing efforts by Russian state-sponsored actors to target the diplomatic, defense, technology, and finance sectors in order to collect foreign intelligence and enable future cyber operations.
The activity is attributed to the threat actor tracked as APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard. APT29 is assessed to be part of Russia's Foreign Intelligence Service (SVR).
“SVR cyber intrusions are characterized by a strong emphasis on maintaining anonymity and staying under the radar. TOR is heavily utilized by the actors throughout their operations – from initial selection to data gathering – and across their network infrastructure,” the agencies reported.
“The actors acquire operational infrastructure through various fake identities and low-profile email accounts. The SVR procures infrastructure from resellers working with major hosting providers.”
APT29's intrusions fall into two broad categories: intelligence collection and the establishment of persistent access that can enable supply chain compromises; and operations that support the hosting of malicious infrastructure or follow-on activity through compromised accounts, obtained by exploiting publicly known vulnerabilities, weak credentials, or other misconfigurations.
Among the vulnerabilities called out are CVE-2022-27924, an unauthenticated memcache command injection flaw in Zimbra Collaboration, and CVE-2023-42793, a critical authentication bypass in JetBrains TeamCity Server that allows remote code execution.
APT29 exemplifies how threat actors keep refining their tactics, techniques, and procedures to stay covert and evade defenses, going so far as to tear down their infrastructure and remove traces when they suspect that the target or law enforcement has detected their activity.
Another notable tactic is the heavy use of proxy networks, including mobile carrier and residential internet services, to interact with victims in North America while blending in with legitimate traffic.
“To disrupt this behavior, organizations should establish a baseline of authorized devices, and subject systems that deviate from this baseline and access their network resources to enhanced scrutiny,” suggested the agencies.