CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Reconnaissance

SeniorTechInfo

Oct 11, 2024 | Ravie Lakshmanan | Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that threat actors are using unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct network reconnaissance.

CISA noted that the information carried in these cookies is being used to enumerate devices on the network that are not exposed to the internet, which could then be targeted for exploitation of their own vulnerabilities. The agency did not disclose the identity of the threat actors behind this campaign or their objectives.

“A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network,” CISA explained in an advisory.

Organizations are urged to encrypt persistent cookies on F5 BIG-IP devices by configuring cookie encryption within the HTTP profile, so that the cookie value no longer reveals the pool member's address. They are also advised to use the BIG-IP iHealth diagnostic tool to identify and address potential configuration issues.
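The following is an added audit script, not part of the article and not F5's own tooling. It shows what the advisory is warning about: a BIG-IP cookie persistence value in the default plaintext IPv4 form is the pool member's address and port, decimal-encoded in little-endian byte order, as documented publicly by F5. Run over your own application's `Set-Cookie` headers (the three headers below are constructed samples, including a placeholder standing in for an encrypted value), it flags responses that still emit the plaintext form and reports which internal address they expose, so a defender can confirm the encryption setting actually took effect. Only the common IPv4 encoding is decoded; route-domain and IPv6 variants are reported as "not plaintext IPv4".

```python
import re
import socket
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample response headers (not taken from the article or any real host).
# The first carries a plaintext persistence cookie, the second a placeholder that
# mimics an encrypted value, the third is an unrelated application cookie.
SAMPLE_HEADERS: List[str] = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/; Httponly",
    "Set-Cookie: BIGipServerapp_pool=!CONSTRUCTED_ENCRYPTED_PLACEHOLDER==; path=/; Httponly",
    "Set-Cookie: sessionid=abc123; path=/",
]

# Plaintext IPv4 persistence value: <ip as decimal>.<port as decimal>.0000
PLAINTEXT_IPV4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
# BIG-IP persistence cookies are named BIGipServer<pool name> by default.
COOKIE_RE = re.compile(r"^Set-Cookie:\s*(BIGipServer[^=;\s]*)=([^;]*)", re.I)


def decode_plaintext_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Decode the plaintext IPv4 form; return (ip, port) or None if not that form.

    Both fields are the little-endian integer view of the network-order bytes,
    so the IP is unpacked with '<I' and the port's two bytes are swapped.
    """
    m = PLAINTEXT_IPV4.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = socket.inet_ntoa(struct.pack("<I", ip_int))
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]
    return ip, port


def audit_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Classify one Set-Cookie header: not a BIG-IP cookie, plaintext, or other."""
    m = COOKIE_RE.match(header)
    if not m:
        return {"cookie": None, "status": "not a BIG-IP persistence cookie"}
    name, value = m.group(1), m.group(2).strip()
    decoded = decode_plaintext_cookie(value)
    if decoded:
        ip, port = decoded
        return {"cookie": name, "status": "plaintext", "exposes": f"{ip}:{port}"}
    return {"cookie": name, "status": "not plaintext IPv4 (encrypted or another encoding)"}


def audit_headers(headers: List[str]) -> List[Dict[str, Optional[str]]]:
    """Audit a list of response headers; plaintext findings are the ones to fix."""
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        print(result)
```

A plaintext finding means the HTTP profile (or cookie persistence profile) on that virtual server is still handing out the member address in the clear; after enabling cookie encryption, re-run the audit against a fresh response and the same cookie name should fall into the "not plaintext" class.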

Separately, a joint bulletin published by cybersecurity agencies from the U.K. and the U.S. details Russian state-sponsored actors' targeting of various sectors for foreign intelligence gathering and to enable future cyber operations.

APT29, also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard, is assessed to be affiliated with Russia's Foreign Intelligence Service (SVR). The group's operations emphasize anonymity and remaining undetected, including through the use of TOR and infrastructure obtained from hosting providers.

APT29’s activities include intelligence gathering, supply chain compromises, and exploiting vulnerabilities to establish persistent access for future operations.

The bulletin highlights the exploitation of security vulnerabilities such as CVE-2022-27924 and CVE-2023-42793 as part of APT29's tradecraft, which continues to evolve in order to bypass defenses and maintain stealth.

Organizations are encouraged to baseline the devices authorized on their networks and to scrutinize systems accessing their network resources, so that APT29's activity can be detected and countered.
