CISA Warning: Cyber Criminals Exploit F5 BIG-IP LTM Cookies
The United States (US) Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert pertaining to the F5 BIG-IP Local Traffic Manager (LTM) module cookies being exploited. As per the CISA warning, the main objective behind the exploits is to conduct reconnaissance of target networks.
In this article, we’ll dive into the exploits and uncover mitigation measures that can help safeguard against them. Let’s begin!
CISA Warning Details
As per the CISA warning, threat actors are leveraging unencrypted persistent cookies managed by the LTM module to enumerate non-internet-facing devices on the target network. While CISA has not disclosed the identity of the threat actors or their initiatives, it has provided valuable insights, stating that:
“A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.”
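The reconnaissance CISA describes works because a plaintext BIG-IP persistence cookie encodes the address and port of the back-end pool member that served the request. The following is an added example for defenders (it is not code from the article, CISA, or F5): it audits Set-Cookie headers captured from your own BIG-IP-fronted applications and reports whether any BIGipServer cookie is still in a decodable plaintext form. The sample headers are constructed; the two plaintext formats handled (the classic "ip.port.0000" form and the route-domain "rd...o...o..." form) follow F5's publicly documented encoding, and any other value (including encrypted cookies, which are not decodable) is reported as opaque. F5's mitigation for plaintext cookies is to enable cookie encryption in the cookie persistence profile, which is what this check verifies from the client side.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample Set-Cookie headers (not from the article). The first two values
# use F5's documented plaintext encodings; the third stands in for an encrypted cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerapp_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerapp_pool=rd5o00000000000000000000ffff0a010164o80; path=/",
    "Set-Cookie: BIGipServerapp_pool=!TVmwExampleEncryptedBlob==; path=/",
    "Set-Cookie: sessionid=abc123; Secure; HttpOnly",
]

# Classic form: little-endian decimal IPv4, byte-swapped decimal port, literal ".0000".
CLASSIC = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
# Route-domain form: IPv4-mapped IPv6 in hex, followed by "o<port>".
ROUTE_DOMAIN = re.compile(
    r"^rd(\d+)o00000000000000000000ffff([0-9a-f]{8})o(\d{1,5})$", re.IGNORECASE
)


def decode_persistence_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Return (pool_member_ip, port) if the value is a plaintext persistence cookie,
    otherwise None (encrypted or unrecognised values are not decodable)."""
    m = CLASSIC.match(value)
    if m:
        n, p = int(m.group(1)), int(m.group(2))
        if n > 0xFFFFFFFF or p > 0xFFFF:
            return None
        # IPv4 octets are stored least-significant byte first.
        ip = ".".join(str((n >> (8 * i)) & 0xFF) for i in range(4))
        # The port is stored with its two bytes swapped.
        port = ((p & 0xFF) << 8) | (p >> 8)
        return ip, port
    m = ROUTE_DOMAIN.match(value)
    if m:
        h = m.group(2)
        ip = ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))
        port = int(m.group(3))
        return (ip, port) if port <= 0xFFFF else None
    return None


def audit_set_cookie(headers: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag BIGipServer cookies in a list of response header lines.
    status 'plaintext' means the cookie leaks the pool member; 'opaque' means it does not."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = line.split(":", 1)[1].strip().split(";", 1)[0]
        name, _, value = cookie.partition("=")
        if not name.startswith("BIGipServer"):
            continue
        pool = name[len("BIGipServer"):]
        decoded = decode_persistence_cookie(value.strip())
        if decoded:
            findings.append({"pool": pool, "status": "plaintext",
                             "member": f"{decoded[0]}:{decoded[1]}"})
        else:
            findings.append({"pool": pool, "status": "opaque", "member": None})
    return findings


if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE_HEADERS):
        print(f)
```

Run it against headers saved from your own applications (for example, the output of a curl -I against each virtual server); any "plaintext" finding identifies a persistence profile that still needs cookie encryption enabled.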
BIG-IP iHealth Diagnostics
The CISA warning also urges users to verify system security using a diagnostic tool called BIG-IP iHealth. Sharing insights about the functionality and results of the tool, F5, in a support document, has mentioned that:
“The BIG-IP iHealth Diagnostics component of the BIG-IP iHealth system evaluates the logs, command output, and configuration of your BIG-IP system against a database of known issues, common mistakes, and published F5 best practices. The prioritized results provide tailored feedback about configuration issues or code defects and provide a description of the issue, recommendations for resolution.”
It’s worth mentioning that this warning accompanies a joint United Kingdom (UK) and US advisory detailing the initiatives of Russian state-sponsored hackers. These initiatives target various sectors that include:
- Finance.
- Defense.
- Diplomacy.
- Technology.
These sectors are key targets for state-sponsored threat actors, given that breaching organizations within them yields sensitive information of foreign-intelligence value. This data is essential to them because it helps plan future attacks.
Exploit Arsenal And Mitigation Measures
As far as the attack arsenal is concerned, the threat actors behind the exploits for which the CISA warning was issued mainly rely on leased operational infrastructure. Two of the most important parts of this infrastructure are fake identities and low-reputation email accounts.
In addition, the hackers use the Tor browser throughout the attack for activities like targeting victims and collecting data. Threat actors are also capable of hosting malicious infrastructure on compromised devices, making follow-on attacks easier.
Reports indicate that using the diagnostic tool recommended in the CISA warning is one mitigation measure. However, users should also ensure that they are running the latest version of the software, given that it is the primary line of defense against hackers carrying out such attacks.
Conclusion
The CISA warning emphasizes the critical importance of securing F5 BIG-IP LTM cookies and utilizing diagnostic tools like BIG-IP iHealth. By staying vigilant, updating software, and applying recommended mitigation measures, organizations can better protect their networks from threat actors exploiting vulnerabilities for reconnaissance and future cyberattacks.
The sources for this piece include articles in The Hacker News and Bleeping Computer.