CISA Alerts Public to Threat Actors Misusing F5 BIG-IP Cookies for Network Reconnaissance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is cautioning about threat actors exploiting unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module for network reconnaissance purposes.

According to CISA, the cookies are being used to enumerate other devices on the network that are not internet-facing. The agency did not reveal the identities of the threat actors or the objectives of the campaign.

“A malicious cyber actor could potentially exploit vulnerabilities in other network devices by using the information gathered from unencrypted persistence cookies to identify additional network resources,” stated CISA in an advisory.

The agency has advised organizations to encrypt the persistent cookies issued by F5 BIG-IP devices by enabling cookie encryption within the HTTP profile. Additionally, users are urged to run F5’s diagnostic tool, BIG-IP iHealth, against their systems to identify any other potential issues.
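An unencrypted BIG-IP persistence cookie carries the backend's IPv4 address and port as two little-endian integers, so an administrator can confirm the encryption change took effect by auditing the `Set-Cookie` headers their own BIG-IP returns. The following audit script is an added example, not part of the advisory or F5's tooling; the sample headers, the pool names and the encrypted-looking value are constructed, and only the plaintext IPv4 encoding is decoded (IPv6 and route-domain encodings are reported as plaintext but not decoded).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Plaintext IPv4 encoding: "<ip as little-endian uint32>.<port as little-endian uint16>.0000"
_PLAIN_V4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


@dataclass
class CookieFinding:
    name: str
    status: str               # "plaintext-ipv4", "plaintext-other" or "opaque"
    backend: Optional[str]    # "ip:port" disclosed by a plaintext IPv4 cookie, else None


def decode_plain_v4(value: str) -> Optional[str]:
    """Decode the unencrypted IPv4 cookie form; return 'ip:port' or None if it is not that form."""
    m = _PLAIN_V4.match(value)
    if not m:
        return None
    ip_le, port_le = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_le > 0xFFFF:
        return None
    octets = [(ip_le >> shift) & 0xFF for shift in (0, 8, 16, 24)]   # little-endian bytes
    port = ((port_le & 0xFF) << 8) | (port_le >> 8)                   # swap the two port bytes
    return f"{'.'.join(map(str, octets))}:{port}"


def audit_set_cookie_headers(headers: list[str]) -> list[CookieFinding]:
    """Report every BIGipServer* cookie and whether it is still in a plaintext encoding."""
    findings = []
    for h in headers:
        body = h.split(":", 1)[1].strip() if h.lower().startswith("set-cookie:") else h
        name, _, rest = body.partition("=")
        name = name.strip()
        if not name.lower().startswith("bigipserver"):
            continue
        value = rest.split(";", 1)[0].strip()
        backend = decode_plain_v4(value)
        if backend:
            status = "plaintext-ipv4"
        elif value.startswith(("vi", "rd")):   # IPv6 / route-domain plaintext forms, not decoded here
            status = "plaintext-other"
        else:
            status = "opaque"                  # encrypted cookies are an opaque blob
        findings.append(CookieFinding(name, status, backend))
    return findings


# Constructed sample response headers: one plaintext cookie, one encrypted-looking cookie, one unrelated.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/; HttpOnly",
    "Set-Cookie: BIGipServerpool_api=!aBcD1234EfGh5678IjKlMnOpQrStUvWxYz0123456789abcdef==; path=/",
    "Set-Cookie: sessionid=abc123; path=/",
]

if __name__ == "__main__":
    for f in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{f.name}: {f.status}" + (f" (discloses backend {f.backend})" if f.backend else ""))
```

Any finding other than "opaque" means the HTTP profile serving that pool is still issuing cookies that reveal internal addresses.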

“The BIG-IP iHealth Diagnostics component assesses the logs, command output, and configuration of your BIG-IP system against a database of known issues and best practices,” explained F5 in a support document.

The disclosure follows a joint bulletin released by cybersecurity agencies from the U.K. and the U.S. detailing Russian state-sponsored actors’ efforts to target various sectors for intelligence collection and future cyber operations.

APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard, is said to be behind the activities and is associated with the Russian military intelligence machine.

APT29’s attacks include intelligence gathering and establishing persistent access to facilitate supply chain compromises, as well as hosting malicious infrastructure or conducting follow-on operations from accounts compromised through known flaws or misconfigurations.

Noteworthy security vulnerabilities include CVE-2022-27924 and CVE-2023-42793, which allow for command injection and authentication bypass, respectively.

To disrupt APT29’s activities, organizations are advised to establish baselines for authorized devices and scrutinize systems accessing network resources that deviate from the baseline.
