
The U.S. CISA is alerting users that threat actors are abusing unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module as a means of network surveillance.
The advisory stated that this module is being used to enumerate other networked devices without internet access. CISA says that a threat actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices on the network.
- CISA recommended that organizations encrypt persistent cookies employed in F5 BIG-IP devices by configuring cookie encryption within the HTTP profile.
- CISA urges users to verify the protection of their systems by running a diagnostic utility provided by F5 called BIG-IP iHealth to identify potential issues.
These advisories are a joint effort from US and UK cybersecurity agencies that describe efforts by Russian state-sponsored entities to obtain foreign intelligence and facilitate future cyber operations by targeting the defense, technology, finance, and diplomatic sectors.
Threat actor APT29, aka Midnight Blizzard, has been linked to the behavior. APT29, which is associated with the Foreign Intelligence Service (SVR), is recognized as a crucial component of Russian military intelligence.
Attacks on targets of intent are intended to gather intelligence and gain persistent access in order to facilitate supply chain compromises. These attacks make use of vulnerabilities that are widely known to the public, weak credentials, or other misconfigurations to host malicious infrastructure or carry out follow-on operations from compromised accounts.

