The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the exploitation of unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module. Threat actors are reportedly using the information exposed by these cookies to conduct reconnaissance on target networks, potentially leading to further exploitation of network resources.
Key Takeaways
CISA warns of unencrypted persistent cookies in F5 BIG-IP devices being exploited.
Threat actors can enumerate non-internet-facing devices on networks.
Organizations are advised to encrypt cookies and run diagnostics to identify vulnerabilities.
Understanding the Threat
CISA's advisory highlights that malicious cyber actors can leverage information from unencrypted cookies to identify additional network resources. This could lead to the exploitation of vulnerabilities in other devices within the network. The agency has not disclosed the identity of the threat actors or their ultimate objectives.
Recommended Actions for Organizations
To mitigate these risks, CISA recommends the following actions for organizations using F5 BIG-IP devices:
Encrypt Persistent Cookies: Configure cookie encryption within the HTTP profile to protect sensitive information.
Run Diagnostics: Utilize the BIG-IP iHealth diagnostic tool to evaluate system logs, command outputs, and configurations against known issues and best practices.
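The practical check behind the first recommendation is to confirm that the BIG-IP persistence cookies your own applications emit no longer carry a readable back-end address. The following Python script is an added example (not code from CISA, F5 or the original article): it scans a set of HTTP response headers, finds every BIGipServer* cookie, and reports whether the value is encrypted or still in F5's documented plaintext format, decoding the exposed server IP and port where it is. The cookie names, the sample header lines and the base64-looking encrypted value are constructed; the value layout (little-endian IP, byte-swapped port, trailing 0000) and the "!" prefix on encrypted values follow F5's public documentation of cookie persistence.

```python
import re
import struct
from typing import Dict, List, Optional

# F5's documented plaintext cookie persistence layout (IPv4, default route domain):
#   <server IP as little-endian 32-bit integer>.<port with its two bytes swapped>.0000
PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^=;]+)=([^;]*)", re.IGNORECASE)


def decode_plaintext_value(value: str) -> Optional[str]:
    """Return the 'ip:port' encoded in an unencrypted BIGipServer cookie value,
    or None if the value is not in that plaintext layout."""
    m = PLAINTEXT_RE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # The integer holds the address bytes in little-endian order.
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))
    # The port is stored with its bytes swapped; undo the swap.
    (port,) = struct.unpack("<H", struct.pack(">H", port_int))
    return f"{ip}:{port}"


def classify_cookie(name: str, value: str) -> Dict[str, str]:
    """Classify one BIGipServer* cookie as encrypted, plaintext or unrecognized."""
    if value.startswith("!"):
        # Assumption from F5 documentation: encrypted persistence values begin with '!'.
        return {"cookie": name, "status": "encrypted", "exposes": ""}
    decoded = decode_plaintext_value(value)
    if decoded:
        return {"cookie": name, "status": "plaintext", "exposes": decoded}
    # Other F5 layouts (route-domain or IPv6 forms) are flagged for manual review.
    return {"cookie": name, "status": "unrecognized", "exposes": ""}


def audit_headers(header_lines: List[str]) -> List[Dict[str, str]]:
    """Scan raw response header lines and report every BIG-IP persistence cookie."""
    findings = []
    for line in header_lines:
        m = SET_COOKIE_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1).strip(), m.group(2).strip()
        if name.startswith("BIGipServer"):
            findings.append(classify_cookie(name, value))
    return findings


# Constructed sample response headers; not captured from any real device.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/; HttpOnly",
    "Set-Cookie: BIGipServerpool_api=!9ucbNhjpE7jMq4Z8x2Tk3w==; path=/; Secure",
    "Set-Cookie: sessionid=c0nstructed; path=/; Secure",
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        report = f"{finding['cookie']}: {finding['status']}"
        if finding["exposes"]:
            report += f" (reveals back-end {finding['exposes']})"
        print(report)
```

Run it against headers collected from your own applications (for example, the output of a curl -I request through the BIG-IP); any "plaintext" finding means the HTTP profile or cookie persistence profile still needs encryption enabled, and an "unrecognized" finding should be reviewed by hand before being treated as safe.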
The Bigger Picture
This warning comes amid a broader context of cyber threats, particularly from state-sponsored actors. A joint bulletin from U.S. and U.K. cybersecurity agencies has detailed attempts by Russian state-sponsored actors to target various sectors, including diplomacy, defense, technology, and finance. These activities are attributed to APT29, also known as Cozy Bear, which is linked to the Russian military intelligence service.
Tactics of APT29
APT29 is known for its stealthy operations, employing various tactics to remain undetected:
Use of Tor: The group extensively uses Tor for anonymity during intrusions.
Fake Identities: They lease operational infrastructure using fake identities and low-reputation email accounts.
Exploiting Vulnerabilities: APT29 targets known flaws and misconfigurations to gain access to networks.
Notable Vulnerabilities
Some significant vulnerabilities that APT29 has exploited include:
CVE-2022-27924: A command injection flaw in Zimbra Collaboration.
CVE-2023-42793: A critical authentication bypass bug allowing remote code execution on TeamCity Server.
Organizations are urged to take proactive measures to secure their networks against these evolving threats. By implementing cookie encryption and conducting regular diagnostics, they can better protect their systems from potential exploitation. CISA emphasizes the importance of establishing a baseline for authorized devices and scrutinizing any systems that deviate from this baseline to enhance overall network security.
With cyber threats becoming more sophisticated, it's essential to stay vigilant and proactive. BetterWorld Technology is dedicated to helping businesses like yours safeguard their data and systems. Don't leave your company's security to chance—book a consultation with BetterWorld Technology today and let our experts tailor a cybersecurity strategy that fits your needs.
Sources
CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance, The Hacker News.