October 11, 2024 at 05:27AM
CISA warns of threat actors exploiting unencrypted persistent cookies in F5 BIG-IP Local Traffic Manager for network reconnaissance. Organizations are advised to encrypt these cookies and use the BIG-IP iHealth diagnostic tool. Meanwhile, joint U.S.-U.K. agencies highlight threats from APT29, a Russian military intelligence group targeting various sectors.
**Meeting Takeaways – Oct 11, 2024: Vulnerability / Network Security**
1. **CISA Warning**: CISA has identified cyber threats utilizing unencrypted persistent cookies in the F5 BIG-IP LTM module to conduct network reconnaissance.
2. **Potential Threat**: Malicious actors could exploit information from these cookies to discover additional network resources and vulnerabilities.
3. **Recommended Actions**:
– Organizations should **encrypt persistent cookies** on F5 BIG-IP devices by configuring cookie encryption within the HTTP profile.
– Use the **BIG-IP iHealth diagnostic utility** to detect potential configuration issues and vulnerabilities.
4. **Russian State-sponsored Activities**: A joint bulletin from U.K. and U.S. cybersecurity agencies has been issued regarding the activities of **APT29** (also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard), targeting key sectors for foreign intelligence gathering.
5. **APT29 Characteristics**:
– Focus on maintaining anonymity through TOR and using low-reputation email accounts.
– Utilize supply chain compromises and exploit known vulnerabilities or weak credentials.
6. **Vulnerabilities of Note**:
– **CVE-2022-27924**: Command injection flaw in Zimbra Collaboration.
– **CVE-2023-42793**: Critical authentication bypass bug on TeamCity Server leading to remote code execution.
7. **Mitigation Strategies**: Organizations are advised to:
– **Establish a baseline** for authorized devices.
– Apply heightened scrutiny to non-compliant systems accessing network resources.
8. **Emerging Techniques**: APT29 is noted for evolving tactics, including destruction of infrastructure to erase traces after detection, and use of proxy networks to mask interactions.
**Suggested Actions for Organizations**: Review and enhance network security protocols, ensure proper cookie encryption, run diagnostics, and monitor network access closely to mitigate risks from identified threats.
For further updates and information, follow our channels on Twitter and LinkedIn.