The United States Cybersecurity and Infrastructure Security Agency (CISA) has warned that it has observed threat actors abusing persistent, unencrypted cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance on target networks.
CISA and the warning about the F5 BIG-IP module
The agency stated that the cookies are being used to enumerate other, non-Internet-exposed devices on the network, but it has not revealed who is behind the activity or what the campaign's ultimate goals are.
"A malicious actor could leverage information collected from persistent unencrypted cookies to infer or identify additional network resources and potentially exploit vulnerabilities in other devices in the network," CISA said in its alert.
CISA also recommends that organizations encrypt the persistent cookies used on F5 BIG-IP devices by configuring cookie encryption within the HTTP profile, and urges administrators to check their configuration with F5's BIG-IP iHealth diagnostic utility to identify potential problems.
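To make the reconnaissance concrete, here is an added example (written for this page, not code from the article, CISA or F5) that decodes cleartext BIG-IP LTM persistence cookies into the pool member they point at. The encodings follow F5's published description of the cookie format (knowledge article K6917): the default cookie name is BIGipServer followed by the pool name; the classic IPv4 value stores the address as a little-endian 32-bit decimal and the port as a byte-swapped 16-bit decimal; IPv6 members use a "vi" prefix with the address in hex; and members in a non-default route domain use an "rd<id>o<hex>o<port>" form. The sample HTTP response, the pool names and the opaque value standing in for an encrypted cookie are constructed for the example.

```python
# Added example (not from the article or from F5): decode BIG-IP LTM persistence
# cookies to show what an unencrypted cookie leaks, and flag which cookies a
# client can decode.  Encodings follow F5's published description (K6917).
import ipaddress
import re
import struct
from typing import NamedTuple, Optional


class PoolMember(NamedTuple):
    ip: str
    port: int
    route_domain: Optional[int]   # None when the cookie carries no route domain


def _swap16(n: int) -> int:
    """The port is stored as the decimal value of its byte-swapped 16-bit form."""
    if not 0 <= n <= 0xFFFF:
        raise ValueError(f"port field out of range: {n}")
    return struct.unpack(">H", struct.pack("<H", n))[0]


def decode_value(value: str) -> PoolMember:
    """Decode one BIGipServer* cookie value into the pool member it points at."""
    # Classic IPv4 form: <ipv4 as little-endian decimal>.<port>.0000
    m = re.fullmatch(r"(\d+)\.(\d+)\.0000", value)
    if m:
        n = int(m.group(1))
        if n > 0xFFFFFFFF:
            raise ValueError("address field is not a 32-bit value")
        ip = ipaddress.IPv4Address(struct.pack("<I", n))
        return PoolMember(str(ip), _swap16(int(m.group(2))), None)
    # IPv6 form: vi<16 address bytes as hex>.<port>
    m = re.fullmatch(r"vi([0-9a-fA-F]{32})\.(\d+)", value)
    if m:
        ip = ipaddress.IPv6Address(bytes.fromhex(m.group(1)))
        return PoolMember(str(ip), _swap16(int(m.group(2))), None)
    # Route-domain form: rd<id>o<16 address bytes as hex>o<port>.  IPv4 members
    # appear as IPv4-mapped IPv6 (::ffff:a.b.c.d) and the port is plain decimal.
    m = re.fullmatch(r"rd(\d+)o([0-9a-fA-F]{32})o(\d+)", value)
    if m:
        addr = ipaddress.IPv6Address(bytes.fromhex(m.group(2)))
        ip = str(addr.ipv4_mapped) if addr.ipv4_mapped is not None else str(addr)
        return PoolMember(ip, int(m.group(3)), int(m.group(1)))
    raise ValueError("not a recognised cleartext BIG-IP persistence cookie")


_SET_COOKIE = re.compile(r"^set-cookie:\s*([^=;\s]+)=([^;]*)", re.I | re.M)


def audit_response_headers(raw_headers: str) -> list:
    """Return one finding per BIGipServer* cookie in a raw HTTP response header block.

    A value that decodes is reported as 'cleartext' together with the internal
    address it exposes; anything else is 'opaque' (encrypted or unknown format).
    """
    findings = []
    for name, value in _SET_COOKIE.findall(raw_headers):
        if not name.startswith("BIGipServer"):
            continue
        try:
            member = decode_value(value.strip())
            findings.append({"cookie": name, "status": "cleartext",
                             "pool": name[len("BIGipServer"):], "member": member})
        except ValueError:
            findings.append({"cookie": name, "status": "opaque",
                             "pool": name[len("BIGipServer"):], "member": None})
    return findings


# Constructed sample response (not real traffic): three cleartext cookies using
# the three encodings, plus one opaque value standing in for an encrypted cookie.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/
Set-Cookie: BIGipServerpool_v6=vi20010112000000000000000000000030.20480; path=/
Set-Cookie: BIGipServerpool_rd=rd5o00000000000000000000ffffc0000201o80; path=/
Set-Cookie: BIGipServerpool_enc=QkpIUm9jMW1RVUx2Wnk0WkpOd2lHb01aR1dLMzQ; path=/
Set-Cookie: session=abc123; HttpOnly
"""

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_RESPONSE):
        print(finding)
```

Run against a real response, the first three findings are exactly what the alert describes: an external client learns an internal pool member address and port (10.1.1.100:8080, [2001:112::30]:80 and 192.0.2.1:80 in route domain 5 for the constructed values above) without ever touching the internal network. Any BIGipServer* cookie that comes back as "cleartext" should be covered by the HTTP profile's cookie-encryption setting that CISA recommends; on the BIG-IP side that setting is, from memory of F5's tmsh reference and to be verified against your version's documentation, along the lines of "tmsh modify ltm profile http <profile> encrypt-cookies add { <cookie-name> } encrypt-cookie-secret <secret>".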
"The BIG-IP iHealth Diagnostics component of the BIG-IP iHealth System evaluates the logs, command output, and configuration of the BIG-IP System against a database of known issues, common errors, and [security] best practices published by F5," F5 notes in a supporting document, adding: "Priority results provide personalized feedback on configuration issues or defects in your code and offer a description of the problem and recommendations for resolution."
Besides CISA, counterpart agencies in other countries are also taking action
The disclosure comes as the UK and US cybersecurity agencies published a joint bulletin detailing attempts by Russian state-sponsored actors to target the diplomatic, defence, technology and finance sectors in order to gather foreign intelligence and enable future cyber operations.
The activity was attributed to the group tracked as APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear and Midnight Blizzard, which is assessed to be a unit of Russia's Foreign Intelligence Service (SVR) and thus a key element of the Russian intelligence apparatus.
"SVR cyber intrusions include a strong focus on remaining anonymous and undetected. The actors make extensive use of TOR throughout intrusions, from initial targeting to data collection, and across network infrastructure," CISA and the other agencies stated, adding: "The actors lease operational infrastructure using a variety of fake identities and low-reputation email accounts. The SVR obtains infrastructure from resellers of major hosting providers."
The attacks conducted by APT29 fall into two categories: those designed to collect data and establish persistent access in order to facilitate supply-chain compromises (targets of intent), and those that let the group host malicious infrastructure or conduct follow-on operations from compromised accounts by exploiting publicly known vulnerabilities, weak credentials or other misconfigurations (targets of opportunity).
Among the vulnerabilities highlighted are CVE-2022-27924, a command injection flaw in Zimbra Collaboration, and CVE-2023-42793, a critical authentication bypass in TeamCity Server that allows remote code execution.
APT29 is a telling example of a threat actor that continually refines its tactics, techniques and procedures to stay stealthy and evade defences, even going as far as tearing down its infrastructure and deleting evidence if it suspects an intrusion has been detected, whether by the victim or by law enforcement.
Another notable technique is the extensive use of proxy networks built from mobile-phone or residential Internet service provider address space to interact with victims in North America and blend in with legitimate traffic.
"To stop this activity, organizations should establish a baseline of authorized devices and apply additional vigilance to systems accessing their network resources that do not meet the baseline," the agencies said.