Headline
CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks. It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who
Vulnerability / Network Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks.
It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who is behind the activity, or what the end goals of the campaign are.
“A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network,” CISA said in an advisory.
It has also recommended organizations encrypt persistent cookies employed in F5 BIG-IP devices by configuring cookie encryption within the HTTP profile. Furthermore, it’s urging users to verify the protection of their systems by running a diagnostic utility provided by F5 called BIG-IP iHealth to identify potential issues.
“The BIG-IP iHealth Diagnostics component of the BIG-IP iHealth system evaluates the logs, command output, and configuration of your BIG-IP system against a database of known issues, common mistakes, and published F5 best practices,” F5 notes in a support document.
“The prioritized results provide tailored feedback about configuration issues or code defects and provide a description of the issue, [and] recommendations for resolution.”
The disclosure comes as cybersecurity agencies from the U.K. and the U.S. have published a joint bulletin detailing Russian state-sponsored actors’ attempts to target diplomatic, defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations.
The activity has been attributed to a threat actor tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard. APT29 is understood to be a key cog in the Russian military intelligence machine and is affiliated with the Foreign Intelligence Service (SVR).
“SVR cyber intrusions include a heavy focus on remaining anonymous and undetected. The actors use TOR extensively throughout intrusions – from initial targeting to data collection – and across network infrastructure,” the agencies said.
“The actors lease operational infrastructure using a variety of fake identities and low reputation email accounts. The SVR obtains infrastructure from resellers of major hosting providers.”
Attacks mounted by APT29 have been categorized as those designed to harvest intelligence and establish persistent access so as to facilitate supply chain compromises (i.e., targets of intent), as well as those that allow them to host malicious infrastructure or conduct follow-on operations from compromised accounts by taking advantage of publicly known flaws, weak credentials, or other misconfigurations (i.e., targets of opportunity).
Some of the significant security vulnerabilities highlighted include CVE-2022-27924, a command injection flaw in Zimbra Collaboration, and CVE-2023-42793, a critical authentication bypass bug that allows for remote code execution on TeamCity Server.
APT29 is a relevant example of threat actors continuously innovating their tactics, techniques and procedures in an attempt to stay stealthy and circumvent defenses, even going to the extent of destroying their infrastructure and erasing any evidence should it suspect their intrusions have been detected, either by the victim or law enforcement.
Another notable technique is the extensive use of proxy networks, comprising mobile telephone providers or residential internet services, to interact with victims located in North America and blend in with legitimate traffic.
“To disrupt this activity, organizations should baseline authorized devices and apply additional scrutiny to systems accessing their network resources that do not adhere to the baseline,” the agencies said.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors to take over susceptible instances. The vulnerability, tracked as CVE-2024-23917, carries a CVSS rating of 9.8 out of 10, indicative of its severity. "The vulnerability may enable an unauthenticated
By Waqas Polish authorities and FortiGuard Labs have issued a warning to customers about a new wave of cyberattacks associated with TeamCity. This is a post from HackRead.com Read the original post: Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach
Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023. The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain
A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack. "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads,
Known threat groups Diamond Sleet and Onyx Sleet focus on cyber espionage, data theft, network sabotage, and other malicious actions, Microsoft says.
North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft. The attacks, which entail the exploitation of CVE-2023-42793 (CVSS score: 9.8), have been attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). It's worth noting that both the
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation, while removing five bugs from the list due to lack of adequate evidence. The vulnerabilities newly added are below - CVE-2023-42793 (CVSS score: 9.8) - JetBrains TeamCity Authentication Bypass Vulnerability
This Metasploit module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource.
By Deeba Ahmed JetBrains has fixed this flaw in version 2023.05.4 of the product released on September 18. It also released a security advisory but didn't disclose technical details of the vulnerability for now. This is a post from HackRead.com Read the original post: JetBrains Patches Severe TeamCity Flaw Allowing RCE and Server Hijacking
A critical security vulnerability in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) software could be exploited by unauthenticated attackers to achieve remote code execution on affected systems. The flaw, tracked as CVE-2023-42793, carries a CVSS score of 9.8 and has been addressed in TeamCity version 2023.05.4 following responsible disclosure on September 6,
An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.
Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The two high-severity issues relate to weaknesses in Zimbra Collaboration, both of which could be chained to achieve unauthenticated remote code execution on affected email servers - CVE-2022-27925 (CVSS score: 7.2)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue in question is CVE-2022-27924 (CVSS score: 7.5), a command injection flaw in the platform that could lead to the execution of arbitrary
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).
Attackers could also potentially gain access to various internal services, researcher warns
A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction. "With the consequent access to the victims' mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal