The US Cybersecurity and Infrastructure Security Agency (CISA) warns that threat actors have been observed using unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks.
It says the cookies are being used to enumerate other devices on the network that are not exposed to the Internet. The agency, however, does not reveal who is behind this activity or what the ultimate goals of the campaign are.
“An attacker could use information collected from unencrypted cookies to infer or identify additional network resources and potentially exploit vulnerabilities discovered in other devices present on the network,” CISA said in an advisory.
It also recommended that organizations encrypt the persistent cookies used by F5 BIG-IP devices by configuring the cookie encryption setting in the HTTP profile. It further encourages users to verify their systems’ protection by running the F5 diagnostic utility BIG-IP iHealth to identify potential problems.
“The BIG-IP iHealth Diagnostics component of BIG-IP iHealth evaluates the logs, command output, and configuration of your BIG-IP system against F5’s database of known issues, common errors, and published best practices,” notes F5 in a support document.
“Prioritized results provide customized feedback on configuration issues or code defects and provide a description of the problem, [and] recommendations for resolution.”
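The advisory's point is that a BIG-IP persistence cookie left in its default, unencrypted form carries an internal pool member's address in a reversible encoding, whereas an encrypted cookie is opaque. The following audit script is an added example (not code from CISA or F5) that a defender can run against their own Set-Cookie headers to confirm the HTTP-profile encryption setting actually took effect on every virtual server. It assumes F5's publicly documented default layout (`<ip>.<port>.0000`, with the IPv4 address as a little-endian decimal and the port byte-swapped) and treats a leading `!` as the marker of an encrypted value; both the cookie names and values in `SAMPLE_HEADERS` are constructed for illustration.

```python
"""Audit F5 BIG-IP persistence cookies for plaintext (leaking) values.

Added example, not code from CISA or F5. Classifies each BIGipServer*
cookie as plaintext-encoded (exposes a pool member's internal IP:port),
encrypted (opaque), or unknown, so an operator can check that cookie
encryption is enforced before an attacker uses the leak for reconnaissance.
"""
import re
from typing import List, Optional, Tuple

# Default (unencrypted) cookie persistence value: "<ip>.<port>.0000"
# <ip>   = IPv4 address packed little-endian into a 32-bit decimal
# <port> = TCP port with its two bytes swapped, as a decimal
PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_plaintext_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) if `value` is an unencrypted BIG-IP cookie, else None."""
    m = PLAINTEXT_RE.match(value.strip())
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None  # out of range for IPv4 / TCP port: not the default layout
    ip = ".".join(str(b) for b in ip_num.to_bytes(4, "little"))
    port = int.from_bytes(port_num.to_bytes(2, "little"), "big")
    return ip, port


def classify_cookie(value: str) -> str:
    """'plaintext' if the internal address is recoverable, 'encrypted' if opaque."""
    if decode_plaintext_cookie(value) is not None:
        return "plaintext"
    if value.startswith("!"):  # assumption: encrypted BIG-IP cookies carry a '!' prefix
        return "encrypted"
    return "unknown"


def audit_set_cookie_headers(headers: List[str]) -> List[dict]:
    """Return one finding per BIGipServer* cookie found in Set-Cookie values."""
    findings = []
    for header in headers:
        name, _, rest = header.partition("=")
        if not name.strip().startswith("BIGipServer"):
            continue  # only the BIG-IP persistence cookies are in scope
        value = rest.split(";", 1)[0].strip()
        findings.append({
            "cookie": name.strip(),
            "kind": classify_cookie(value),
            "exposes": decode_plaintext_cookie(value),
        })
    return findings


# Constructed sample Set-Cookie values (not captured from any real system).
SAMPLE_HEADERS = [
    "BIGipServerapp_pool=1677787402.36895.0000; path=/",
    "BIGipServerapi_pool=!QbR3k1Q0c9f2ZsL0vQ8n0bY3sT6Hq1Vz8pW5xN7mK2eJc4tR9uF6gD1hL0aB; path=/; HttpOnly",
    "SESSIONID=abc123; path=/",
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        if finding["kind"] == "plaintext":
            ip, port = finding["exposes"]
            print(f"FAIL {finding['cookie']}: leaks internal {ip}:{port}; enable cookie encryption")
        else:
            print(f"OK   {finding['cookie']}: {finding['kind']}")
```

Feed it the Set-Cookie headers from a response of each virtual server (for example, collected with `curl -sI`); any `plaintext` finding means the HTTP profile serving that virtual server still needs the cookie encryption setting the advisory describes.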
The disclosure comes as UK and US cyber security agencies published a joint bulletin detailing attempts by Russian state actors to target the diplomatic, defense, technology and financial sectors in order to gather foreign intelligence and enable future cyber operations.
The activity has been attributed to the threat actor tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear and Midnight Blizzard. APT29 is considered a key cog in Russia’s military intelligence machine and is linked to the Foreign Intelligence Service (SVR).
“SVR’s cyber intrusions place great emphasis on anonymity and stealth. TOR is widely used by actors during intrusions – from initial targeting to data collection – and throughout the network infrastructure,” the agencies said.
“Actors rent operational infrastructure using a variety of fake identities and low-reputation email accounts. SVR gets its infrastructure from resellers of major hosting providers.”
Attacks carried out by APT29 fall into two categories: those designed to gather intelligence and establish persistent access to facilitate supply chain compromises (i.e., targets of intent), and those that allow the actor to host malicious infrastructure or carry out follow-on operations from compromised accounts by exploiting publicly known vulnerabilities, weak credentials, or other misconfigurations (i.e., targets of opportunity).
Some of the significant security vulnerabilities highlighted include CVE-2022-27924, a command injection flaw in Zimbra Collaboration, and CVE-2023-42793, a critical authentication bypass bug that allows remote code execution on TeamCity Server.
APT29 is a telling example of threat actors constantly updating their tactics, techniques and procedures in an attempt to remain stealthy and bypass defenses, even going so far as to tear down their infrastructure and remove any evidence if they suspect their intrusions have been detected by the victim or law enforcement.
Another prominent technique is the widespread use of proxy networks, including those built on mobile phone service providers or residential Internet service providers, to interact with victims located in North America and blend in with legitimate traffic.
“To disrupt this activity, organizations must establish a baseline of authorized devices and apply additional scrutiny to systems accessing their network resources that do not adhere to the baseline,” the agencies said.