The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks.
It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who is behind the activity, or what the end goals of the campaign are.
“A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network,” CISA said in an advisory.
It has also recommended that organizations encrypt the persistent cookies employed in F5 BIG-IP devices by configuring cookie encryption within the HTTP profile. Furthermore, it is urging users to verify the security of their systems by running a diagnostic utility provided by F5 called BIG-IP iHealth to identify potential issues.
“The BIG-IP iHealth Diagnostics component of the BIG-IP iHealth system evaluates the logs, command output, and configuration of your BIG-IP system against a database of known issues, common mistakes, and published F5 best practices,” F5 notes in a support document.
“The prioritized results provide tailored feedback about configuration issues or code defects and provide a description of the issue, [and] recommendations for resolution.”
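To make the advisory's point concrete, here is an added audit helper (not code from CISA, F5, or the original article) that a defender can run over the `Set-Cookie` headers their own BIG-IP-fronted applications emit. It relies on F5's publicly documented encoding of an unencrypted IPv4 persistence cookie, `BIGipServer<pool>=<ip>.<port>.0000`, where the IP is a decimal rendering of the four octets in little-endian byte order and the port is byte-swapped. A cookie whose value decodes this way is exactly the leak CISA describes; an encrypted cookie is an opaque string that does not match. The cookie names, pool names and header values below are constructed samples, and the `!`-prefixed encrypted value is an assumed shape used only to show that opaque values are reported as safe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Unencrypted IPv4 persistence cookie value: "<ip as decimal>.<port as decimal>.0000".
# Only this IPv4 form is handled; other variants (IPv6, route domains) and encrypted
# cookies do not match and are reported as opaque.
PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_plaintext_value(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for an unencrypted BIG-IP persistence value, else None."""
    m = PLAINTEXT_RE.match(value)
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # The 32-bit integer carries the IPv4 octets in little-endian byte order.
    ip = ".".join(str((ip_num >> shift) & 0xFF) for shift in (0, 8, 16, 24))
    # The 16-bit port is byte-swapped the same way (8080 = 0x1F90 is stored as 0x901F).
    port = ((port_num & 0xFF) << 8) | (port_num >> 8)
    return ip, port


def audit_set_cookie(header_value: str) -> Dict[str, str]:
    """Classify one Set-Cookie header value as leaking, opaque, or unrelated."""
    name, _, rest = header_value.partition("=")
    name = name.strip()
    value = rest.split(";", 1)[0].strip()
    result = {"cookie": name}
    # Default BIG-IP persistence cookie names start with "BIGipServer".
    if not name.startswith("BIGipServer"):
        result["status"] = "not a BIG-IP persistence cookie"
        return result
    decoded = decode_plaintext_value(value)
    if decoded is None:
        result["status"] = "opaque: pool member not recoverable (encryption on)"
    else:
        result["status"] = "UNENCRYPTED: pool member exposed"
        result["pool_member"] = f"{decoded[0]}:{decoded[1]}"
    return result


def find_leaks(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (cookie name, pool member) for every header that leaks a backend."""
    leaks = []
    for h in headers:
        r = audit_set_cookie(h)
        if "pool_member" in r:
            leaks.append((r["cookie"], r["pool_member"]))
    return leaks


# Constructed sample headers, as captured from responses of our own applications.
SAMPLE_HEADERS = [
    "BIGipServer~Common~pool_web=1677787402.36895.0000; path=/; HttpOnly",
    "BIGipServer~Common~pool_api=83886090.47873.0000; path=/",
    "BIGipServer~Common~pool_admin=!dGhpcyBpcyBub3QgYSByZWFsIGNvb2tpZQ==; path=/",
    "sessionid=5f1c0e2b; Path=/; Secure",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h))
```

Any cookie the helper reports as `UNENCRYPTED` should be fixed on the BIG-IP by enabling cookie encryption in the HTTP profile, as CISA recommends, and then re-checked; once encryption is on, the same audit reports the cookie as opaque.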
The disclosure comes as cybersecurity agencies from the U.K. and the U.S. have published a joint bulletin detailing Russian state-sponsored actors' attempts to target the diplomatic, defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations.
The activity has been attributed to a threat actor tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard. APT29 is known to be a key cog in the Russian military intelligence machine and is affiliated with the Foreign Intelligence Service (SVR).
“SVR cyber intrusions include a heavy focus on remaining anonymous and undetected. The actors use TOR extensively throughout intrusions – from initial targeting to data collection – and across network infrastructure,” the agencies said.
“The actors lease operational infrastructure using a variety of fake identities and low reputation email accounts. The SVR obtains infrastructure from resellers of major hosting providers.”
Attacks mounted by APT29 have been categorized as those designed to harvest intelligence and establish persistent access in order to facilitate supply chain compromises (i.e., targets of intent), as well as those that allow them to host malicious infrastructure or conduct follow-on operations from compromised accounts by taking advantage of publicly known flaws, weak credentials, or other misconfigurations (i.e., targets of opportunity).
Some of the important security vulnerabilities highlighted include CVE-2022-27924, a command injection flaw in Zimbra Collaboration, and CVE-2023-42793, a critical authentication bypass bug that allows for remote code execution on TeamCity Server.
APT29 is a relevant example of threat actors constantly innovating their tactics, techniques and procedures in an attempt to remain stealthy and circumvent defenses, even going to the extent of destroying their infrastructure and erasing any evidence should they suspect their intrusions have been detected, either by the victim or by law enforcement.
Another notable technique is the extensive use of proxy networks, comprising mobile phone providers or residential internet services, to interact with victims located in North America and blend in with legitimate traffic.
“To disrupt this activity, organizations should baseline authorized devices and apply additional scrutiny to systems accessing their network resources that do not adhere to the baseline,” the agencies said.