CISA warns of threat actors abusing F5 BIG-IP cookies for network reconnaissance

October 11, 2024 | Ravie Lakshmanan | Vulnerability / Network Security

The US Cybersecurity and Infrastructure Security Agency (CISA) warns that it has observed threat actors using unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks.

The agency says the cookies issued by the module are being used to enumerate other, non-Internet-facing devices on the network. It has not revealed who is behind the activity or what the campaign's end goals are.

“A malicious cyber actor could use the information collected from unencrypted persistence cookies to divert or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network,” CISA said in an advisory.

It also recommends that organizations encrypt the persistent cookies used by F5 BIG-IP devices by configuring cookie encryption within the HTTP profile. Additionally, it urges users to verify that their systems are protected by running F5's diagnostic tool, BIG-IP iHealth, to identify potential problems.
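A quick self-check complements the iHealth run: capture the Set-Cookie headers your own BIG-IP virtual server returns (for example with a HEAD request from a client you control) and confirm that no BIGipServer* persistence cookie is still in one of the plaintext formats F5 documents for the LTM cookie persistence profile. The script below is an added example, not code from CISA, F5 or the article; the cookie name prefix, the three plaintext value formats and the byte-swapped port encoding follow F5's public documentation, while the sample headers, pool names and the opaque value standing in for an encrypted cookie are constructed for the demonstration.

```python
import ipaddress
import re
from typing import Optional

# Plaintext persistence-cookie value formats F5 documents for the LTM cookie
# persistence profile:
#   IPv4:                <ip as little-endian u32, decimal>.<port byte-swapped, decimal>.0000
#   IPv4 + route domain: rd<id>o00000000000000000000ffff<ip as 8 hex digits>o<port decimal>
#   IPv6:                vi<ip as 32 hex digits>.<port byte-swapped, decimal>
_IPV4_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
_RD_RE = re.compile(r"^rd(\d+)o0{20}ffff([0-9a-f]{8})o(\d{1,5})$", re.I)
_IPV6_RE = re.compile(r"^vi([0-9a-f]{32})\.(\d{1,5})$", re.I)
_SET_COOKIE_RE = re.compile(r"^set-cookie:\s*([^=;\s]+)=([^;\s]*)", re.I)


def _decode_port(encoded: int) -> int:
    # The port is stored byte-swapped: 8080 (0x1F90) is written as 36895 (0x901F).
    return int.from_bytes(encoded.to_bytes(2, "little"), "big")


def decode_persistence_cookie(value: str) -> Optional[dict]:
    """Return the pool member a plaintext BIG-IP persistence cookie encodes,
    or None when the value matches no plaintext format (which is what you
    should see once cookie encryption is enabled in the HTTP profile)."""
    m = _IPV4_RE.match(value)
    if m:
        ip_int, port_enc = int(m.group(1)), int(m.group(2))
        if ip_int > 0xFFFFFFFF or port_enc > 0xFFFF:
            return None
        ip = ipaddress.IPv4Address(ip_int.to_bytes(4, "little"))
        return {"ip": str(ip), "port": _decode_port(port_enc), "route_domain": 0}
    m = _RD_RE.match(value)
    if m:
        ip = ipaddress.IPv4Address(bytes.fromhex(m.group(2)))
        return {"ip": str(ip), "port": int(m.group(3)), "route_domain": int(m.group(1))}
    m = _IPV6_RE.match(value)
    if m:
        port_enc = int(m.group(2))
        if port_enc > 0xFFFF:
            return None
        ip = ipaddress.IPv6Address(bytes.fromhex(m.group(1)))
        return {"ip": str(ip), "port": _decode_port(port_enc), "route_domain": 0}
    return None


def audit_set_cookie_headers(header_lines) -> list:
    """Scan raw Set-Cookie header lines from your own virtual server and
    report each BIG-IP persistence cookie, flagging the ones still in
    plaintext (i.e. disclosing an internal pool-member address)."""
    findings = []
    for line in header_lines:
        m = _SET_COOKIE_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if not name.startswith("BIGipServer"):
            continue
        member = decode_persistence_cookie(value)
        findings.append({"cookie": name, "plaintext": member is not None, "member": member})
    return findings


# Constructed sample headers (not captured from any real system): one plaintext
# cookie per format, one opaque value standing in for an encrypted cookie, and
# an unrelated application cookie that the audit must ignore.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/; HttpOnly",
    "Set-Cookie: BIGipServerpool_rd=rd5o00000000000000000000ffff0a010164o8080; path=/",
    "Set-Cookie: BIGipServerpool_v6=vi20010112000000000000000000000030.20480; path=/",
    "Set-Cookie: BIGipServerpool_enc=!NmdsGJJWrXxHU3VAOTFuR1hyYm1zVjRDRk5qNmw1eE5X; path=/",
    "Set-Cookie: sessionid=abc123; path=/; Secure",
]

if __name__ == "__main__":
    for f in audit_set_cookie_headers(SAMPLE_HEADERS):
        if f["plaintext"]:
            print(f"{f['cookie']}: PLAINTEXT, discloses {f['member']['ip']}:{f['member']['port']}")
        else:
            print(f"{f['cookie']}: opaque value, no member address recoverable")
```

Any cookie the audit reports as plaintext is one the HTTP profile's cookie encryption has not been applied to; after enabling it, re-run the same check and every BIGipServer* cookie should come back opaque.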

“The BIG-IP iHealth Diagnostics component of the BIG-IP iHealth system evaluates your BIG-IP system’s logs, command output, and configuration against a database of known issues, common errors, and published F5 best practices,” F5 notes in a support document.

“The prioritized results provide tailored feedback on configuration issues or code defects and provide a description of the problem, (and) recommendations for resolution.”

The revelation comes as cybersecurity agencies from Britain and the US published a joint bulletin detailing attempts by Russian state-backed actors to target the diplomatic, defense, technology and financial sectors to gather foreign intelligence and enable future cyber operations.

The activity is attributed to a threat actor tracked as APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard. APT29 is considered a key player in the Russian military intelligence machine and is affiliated with the Foreign Intelligence Service (SVR).

“SVR cyber intrusions involve a strong focus on remaining anonymous and undetected. Actors use TOR extensively during intrusions – from initial targeting to data collection – and across network infrastructure,” the agencies said.

“The actors lease operational infrastructure using a variety of fake identities and low-reputation email accounts. The SVR obtains infrastructure from resellers of major hosting providers.”

APT29 attacks are categorized as those designed to gather intelligence and establish persistent access to facilitate supply chain compromises (i.e., deliberate targeting), as well as attacks that allow them to host malicious infrastructure or follow-on operations from compromised accounts by exploiting publicly known flaws, weak credentials, or other misconfigurations (i.e., targets of opportunity).

Some of the significant security vulnerabilities highlighted include CVE-2022-27924, a command injection flaw in Zimbra Collaboration, and CVE-2023-42793, a critical authentication bypass bug that makes remote code execution on TeamCity Server possible.

APT29 is a prime example of a threat actor constantly refining its tactics, techniques and procedures to remain stealthy and evade defenses, even going so far as to destroy its infrastructure and erase all evidence if it suspects a breach has been discovered, whether by the victim or by law enforcement.

Another notable technique is the extensive use of proxy networks, made up of mobile-phone and residential Internet service provider address space, to communicate with victims in North America and blend in with legitimate traffic.

“To disrupt this activity, organizations should baseline authorized devices and place additional controls on systems accessing their network resources that do not meet the baseline,” the agencies said.
