Heimdal

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that threat actors are abusing unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to carry out network reconnaissance.

According to the advisory, the cookies issued by this module are being used to enumerate other networked devices that have no internet access.

However, neither the campaign’s ultimate objectives nor the identity of its sponsoring organization were disclosed by the agency.

Details About the Threat: What Are the Threat Actors After?

CISA noted in the advisory that a threat actor could use the information leaked by unencrypted persistent cookies to infer or identify additional network resources and then exploit vulnerabilities in other devices on the network.

The agency also advised organizations to enable cookie encryption in the HTTP profile in order to protect the persistent cookies used by F5 BIG-IP devices.

Additionally, it recommends that customers verify their systems are protected by running F5's BIG-IP iHealth diagnostic tool, which flags potential problems.

The BIG-IP iHealth Diagnostics component of the BIG-IP iHealth system evaluates the logs, command output, and configuration of your BIG-IP system against a database of known issues, common mistakes, and published F5 best practices.

The prioritized results provide tailored feedback about configuration issues or code defects and provide a description of the issue, [and] recommendations for resolution.

F5 Support Document
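As an added example (not part of the article, CISA's advisory, or F5's tooling), the following Python script audits Set-Cookie headers returned by your own BIG-IP virtual servers and reports which BIGipServer* persistence cookies are still in the unencrypted format, together with the pool member IP and port such a cookie exposes, so you can confirm that the HTTP profile change took effect. It assumes the default unencrypted cookie-insert format that F5 documents (`<ip_as_uint32>.<port_as_uint16>.0000`, both little-endian); IPv6 and route-domain encodings are not handled, and the sample headers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Unencrypted BIG-IP LTM cookie-insert persistence value (assumed default format):
# "<ipv4 as little-endian uint32>.<port as byte-swapped uint16>.0000"
_PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


@dataclass
class CookieFinding:
    name: str
    plaintext: bool                # True if the value decodes as unencrypted IPv4 form
    pool_member: Optional[str]     # "ip:port" exposed by an unencrypted cookie


def decode_plaintext_value(value: str) -> Optional[str]:
    """Return 'ip:port' if value is an unencrypted LTM IPv4 persistence cookie, else None."""
    m = _PLAINTEXT_RE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # IPv4 address is stored little-endian: the lowest byte is the first octet.
    octets = [(ip_int >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    # Port is stored byte-swapped (little-endian 16-bit).
    port = ((port_int & 0xFF) << 8) | (port_int >> 8)
    return f"{'.'.join(map(str, octets))}:{port}"


def audit_set_cookie(header_value: str) -> Optional[CookieFinding]:
    """Inspect one Set-Cookie header value; only BIGipServer* cookies are reported."""
    name, _, rest = header_value.partition("=")
    name = name.strip()
    if not name.startswith("BIGipServer"):
        return None
    value = rest.split(";", 1)[0].strip()
    member = decode_plaintext_value(value)
    # Anything not matching the plaintext IPv4 form (e.g. an opaque encrypted value)
    # is reported as not exposing a pool member.
    return CookieFinding(name=name, plaintext=member is not None, pool_member=member)


def audit_headers(headers: Iterable[str]) -> List[CookieFinding]:
    return [f for f in (audit_set_cookie(h) for h in headers) if f is not None]


# Constructed sample headers; the opaque value is a made-up placeholder, not real output.
SAMPLE_HEADERS = [
    "BIGipServerpool_web=1677787402.36895.0000; path=/",
    "BIGipServerpool_app=!OPAQUEPLACEHOLDERVALUE; path=/; HttpOnly",
    "sessionid=abc123; path=/",
]

if __name__ == "__main__":
    for f in audit_headers(SAMPLE_HEADERS):
        print(f"{f.name}: " + (f"PLAINTEXT, exposes {f.pool_member}" if f.plaintext else "opaque"))
```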

The finding comes with the release of a joint bulletin by US and UK cybersecurity agencies describing efforts by Russian state-sponsored entities to obtain foreign intelligence and facilitate future cyber operations by targeting the defense, technology, finance, and diplomatic sectors.

The activity has been linked to the threat actor APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard. APT29, which is associated with the Foreign Intelligence Service (SVR), is recognized as a crucial component of Russian military intelligence.

SVR cyber intrusions include a heavy focus on remaining anonymous and undetected. The actors use TOR extensively throughout intrusions – from initial targeting to data collection – and across network infrastructure.

The actors lease operational infrastructure using a variety of fake identities and low reputation email accounts. The SVR obtains infrastructure from resellers of major hosting providers.

Joint Advisory (Source)

Targets of intent are organizations attacked in order to gather intelligence and gain persistent access that can later facilitate supply chain compromises.

Targets of opportunity, on the other hand, are organizations attacked through publicly known vulnerabilities, weak credentials, or other misconfigurations, either to host malicious infrastructure or to carry out follow-on operations from compromised accounts.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
