CISA Issues Warning on Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance

October 11, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has observed unidentified threat actors using unencrypted persistence cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module for network reconnaissance. Because these cookies encode the address of the back-end server a client was pinned to, they are being abused to enumerate other, non-internet-facing devices on the network. CISA has not disclosed the identities of these threat actors or their end goals.

According to CISA, 'A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.' To mitigate this risk, CISA recommends organizations encrypt persistent cookies used in F5 BIG-IP devices by configuring cookie encryption within the HTTP profile. They also suggest users verify the protection of their systems by running a diagnostic utility provided by F5 named BIG-IP iHealth to identify potential issues.
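The following audit check is an added example, not part of CISA's advisory or of F5's own tooling. It inspects `Set-Cookie` headers captured from one of your own BIG-IP virtual servers, flags persistence cookies still in the plaintext IPv4 format, and decodes them to show which internal address and port each one exposes; the plaintext layout (little-endian IP, byte-swapped port, trailing `.0000`) and the `!`-prefixed encrypted form are taken from F5's public documentation and are assumptions here, and the sample headers are constructed.

```python
import re
from typing import List, Optional, Tuple

# Unencrypted IPv4 persistence cookie body: "<ip>.<port>.0000", where <ip> is the
# address as a little-endian decimal integer and <port> is byte-swapped.
# (Assumed from F5's documented cookie format.)
PLAIN_V4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
# With cookie encryption enabled in the HTTP profile, the value becomes an opaque
# "!" plus base64 blob. (Assumed from F5's documented format.)
ENCRYPTED = re.compile(r"^![A-Za-z0-9+/=]+$")
SET_COOKIE = re.compile(r"^\s*Set-Cookie:\s*(BIGipServer[^=]*)=([^;]+)", re.I)

# Constructed sample of response headers, as a defender would capture them.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServer~Common~app_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: JSESSIONID=0123456789abcdef; Path=/; HttpOnly",
    "Set-Cookie: BIGipServer~Common~web_pool=!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==; path=/",
    "Set-Cookie: BIGipServerlegacy_pool=84584640.20480.0000; path=/",
]


def decode_plain_v4(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for a plaintext IPv4 persistence cookie, else None."""
    m = PLAIN_V4.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Little-endian: lowest byte of the integer is the first octet.
    ip = ".".join(str((ip_int >> (8 * i)) & 0xFF) for i in range(4))
    port = ((port_int & 0xFF) << 8) | (port_int >> 8)  # swap the two bytes
    return ip, port


def audit_set_cookie(headers: List[str]) -> List[Tuple[str, str, Optional[Tuple[str, int]]]]:
    """Classify every BIGipServer cookie as plaintext (with exposed backend), encrypted, or unrecognized."""
    findings = []
    for h in headers:
        m = SET_COOKIE.match(h)
        if not m:
            continue  # not a BIG-IP persistence cookie
        name, value = m.group(1), m.group(2).strip()
        if ENCRYPTED.match(value):
            findings.append((name, "encrypted", None))
        else:
            decoded = decode_plain_v4(value)
            findings.append((name, "plaintext" if decoded else "unrecognized", decoded))
    return findings


if __name__ == "__main__":
    for name, status, backend in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: {status}" + (f" -> exposes {backend[0]}:{backend[1]}" if backend else ""))
```

Any "plaintext" finding means the HTTP profile serving that pool still needs cookie encryption enabled; rerun the check after the change to confirm every persistence cookie reports "encrypted".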

This warning comes as cybersecurity agencies from the U.K. and the U.S. have issued a joint bulletin detailing attempts by Russian state-sponsored actors to target diplomatic, defense, technology, and finance sectors for intelligence collection and future cyber operations. This activity has been attributed to a threat actor known as APT29, also referred to as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard. APT29 is believed to be integral to the Russian military intelligence apparatus and is associated with the Foreign Intelligence Service (SVR).

APT29 has been responsible for attacks designed to gather intelligence and establish persistent access for future operations. They exploit publicly known flaws, weak credentials, and other misconfigurations. Notable security vulnerabilities they have exploited include CVE-2022-27924, a command injection flaw in Zimbra Collaboration, and CVE-2023-42793, a critical authentication bypass bug that permits remote code execution on TeamCity Server.

APT29 represents a significant threat, continuously innovating their tactics, techniques, and procedures to remain stealthy and bypass defenses. They have even been known to destroy their infrastructure and erase evidence if they suspect their intrusions have been detected. They extensively use proxy networks, including mobile telephone providers or residential internet services, to interact with victims in North America and blend in with legitimate traffic.

Cybersecurity firm Tenable has observed that APT29 uses a variety of security vulnerabilities, including known vulnerabilities with available patches, to target organizations. Keeping software updated is the primary defense against attacks by this threat actor and others. According to Satnam Narang, senior staff research engineer at Tenable, 'APT29 has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. The modus operandi of APT29 is the collection of foreign intelligence as well as maintaining persistence in compromised organizations in order to conduct future operations.'
