Severity
High
Analysis Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is alerting users that threat actors are abusing unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to carry out network reconnaissance.
The agency stated that the module is being abused to enumerate other, non-internet-facing devices on the network. However, it did not disclose the campaign's ultimate objectives or the identity of the actor behind it. An adversary could use the data exposed by unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities in other networked devices.
CISA has also advised that organizations configure cookie encryption in the HTTP profile to secure the persistent cookies used by F5 BIG-IP devices. Additionally, it advises customers to confirm that their systems are protected by running F5's BIG-IP iHealth diagnostic tool to identify any potential problems.
The BIG-IP iHealth Diagnostics component of the BIG-IP iHealth system compares a BIG-IP system's configuration, logs, and command output against a database of known issues, common mistakes, and published F5 best practices. The findings are prioritized and include tailored comments on configuration problems or code defects, along with a description of each issue and recommendations for resolving it.
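As an added illustration that is not part of the advisory, the following Python check tells a defender whether a `BIGipServer*` persistence cookie seen in their own `Set-Cookie` headers is still in the cleartext IPv4 encoding (a little-endian IPv4 address and port, as in F5's public documentation) that the HTTP profile's cookie encryption setting replaces with an opaque value. The header values below are constructed samples.

```python
import re
import struct
from typing import List, Optional, Tuple

# Cleartext IPv4 BIG-IP persistence cookie: "<ip as LE uint32>.<port as LE uint16>.0000".
# Encrypted cookies (the CISA-recommended setting) are opaque strings that do not match this.
CLEARTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_bigip_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) if `value` is an unencrypted IPv4 persistence cookie, else None."""
    m = CLEARTEXT_RE.match(value.strip())
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # The address is stored as a little-endian 32-bit integer: dump its bytes in order.
    ip = ".".join(str(octet) for octet in struct.pack("<I", ip_num))
    # The port is a byte-swapped 16-bit integer.
    port = struct.unpack(">H", struct.pack("<H", port_num))[0]
    return ip, port


def audit_set_cookie(headers: List[str]) -> List[Tuple[str, str, int]]:
    """Report every BIGipServer* cookie whose value decodes in cleartext (name, ip, port)."""
    findings = []
    for header in headers:
        name, _, rest = header.partition("=")
        name = name.strip()
        if not name.startswith("BIGipServer"):
            continue  # unrelated application cookie
        value = rest.split(";", 1)[0]  # drop Path/HttpOnly/etc. attributes
        decoded = decode_bigip_cookie(value)
        if decoded is not None:
            findings.append((name, decoded[0], decoded[1]))
    return findings


# Constructed Set-Cookie values: one cleartext pool cookie, one opaque (encrypted-style)
# pool cookie, and one unrelated session cookie.
SAMPLE_HEADERS = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "BIGipServerapp_pool=!opaqueEncryptedValueConstructedForThisExample==; path=/",
    "sessionid=abc123; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, ip, port in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: cleartext persistence cookie exposes backend {ip}:{port}")
```

Any finding means the HTTP profile serving that pool is still issuing unencrypted cookies; an empty result for a BIG-IP-fronted host is the expected state after enabling cookie encryption.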
The revelation coincides with a joint bulletin from US and UK cybersecurity agencies describing efforts by Russian state-sponsored actors to collect foreign intelligence and enable future cyber operations by targeting the defense, technology, finance, and diplomatic sectors. The activity has been linked to the threat actor APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard. APT29, which is associated with the Foreign Intelligence Service (SVR), is recognized as a crucial component of the Russian military intelligence apparatus.
APT29 exemplifies how threat actors constantly adapt their tactics, techniques, and procedures to evade defenses and remain covert. When they believe an intrusion has been discovered, whether by the victim or by law enforcement, they go so far as to tear down their infrastructure and remove any evidence. Another noteworthy tactic is the widespread use of proxy networks, including residential internet services and mobile phone carriers, to communicate with victims in North America and blend in with legitimate traffic.
Impact
- Cyber Espionage
- Data Theft
- Unauthorized Access
Remediation
- Organizations should configure cookie encryption in the HTTP profile to secure persistent cookies used in F5 BIG-IP devices.
- Customers should confirm that their systems are protected by using F5's BIG-IP iHealth diagnostic tool to find any possible problems.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.