Hackers Prowling for Unencrypted BIG-IP Cookies, Warns CISA
Agency Says Cookies Could Help Attackers Find Network Assets, Vulnerabilities

Unencrypted cookies tied to a suite of secure gateway technology from F5 are gateways for hackers to reach internal devices on corporate networks, warns the Cybersecurity and Infrastructure Security Agency.
The U.S. federal cybersecurity agency said Thursday it spotted hackers using persistent F5 BIG-IP cookies inserted by Local Traffic Manager software - an application the Seattle company describes as foundational for its application delivery and security product.
"A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network," CISA warned.
BIG-IP uses persistent cookies as a traffic load-balancing convenience. The persistence cookie ties each client device to a server in a pool, so the load balancer does not have to recalculate optimal routing for each session. "Of course, the trade-off for speed is security, since the server is sending an internal IP address and port to the client," Security Risk Advisors warned in a 2018 blog post, underscoring how unencrypted cookies in the BIG-IP suite have long been a vector for hacking.
CISA recommended enterprises follow F5 guidance on configuring BIG-IP to encrypt HTTP cookies before sending them to the client system.
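As an added example (not from the article, CISA, F5 or Security Risk Advisors), the following Python script audits the Set-Cookie headers your own BIG-IP front end emits: it flags persistence cookies still in the legacy plaintext format and decodes what such a cookie discloses, so an operator can confirm the leak before and after enabling cookie encryption. It assumes the encoding F5's knowledge base documents for unencrypted cookies (pool-member IPv4 address as a little-endian 32-bit decimal, port with its two bytes swapped, then a ".0000" suffix) and that encrypted cookies carry a leading "!"; the sample header lines are constructed.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

# Legacy plaintext BIG-IP persistence cookie value (assumed format, per F5 KB):
#   "<ipv4 as little-endian uint32>.<port with bytes swapped>.0000"
_PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
COOKIE_PREFIX = "BIGipServer"  # default cookie name prefix; pool name follows


def decode_plaintext_value(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) disclosed by a plaintext persistence cookie, else None."""
    m = _PLAINTEXT_RE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # The four address octets are stored least-significant first.
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))
    # The port is stored with its bytes swapped (0x0050 -> 0x5000 for port 80).
    port = struct.unpack("<H", struct.pack(">H", port_int))[0]
    return ip, port


def audit_set_cookie(headers: List[str]) -> List[Dict[str, Optional[str]]]:
    """Classify every BIG-IP persistence cookie among the given Set-Cookie headers."""
    findings = []
    for header in headers:
        name, _, rest = header.partition("=")
        name = name.strip()
        if not name.startswith(COOKIE_PREFIX):
            continue  # not a BIG-IP persistence cookie
        pool = name[len(COOKIE_PREFIX):]
        value = rest.split(";", 1)[0].strip()
        if value.startswith("!"):
            # Assumed marker for an encrypted cookie: nothing about the pool member is readable.
            findings.append({"pool": pool, "status": "encrypted", "leak": None})
            continue
        decoded = decode_plaintext_value(value)
        if decoded is None:
            findings.append({"pool": pool, "status": "unrecognized", "leak": None})
        else:
            ip, port = decoded
            findings.append({"pool": pool, "status": "unencrypted", "leak": f"{ip}:{port}"})
    return findings


def unencrypted_pools(headers: List[str]) -> List[str]:
    """Pool names whose persistence cookie still discloses a backend address."""
    return [f["pool"] for f in audit_set_cookie(headers) if f["status"] == "unencrypted"]


# Constructed sample headers: one legacy plaintext cookie, one encrypted, one unrelated.
SAMPLE_HEADERS = [
    "BIGipServerweb_pool=1677787402.20480.0000; path=/",
    "BIGipServerapp_pool=!Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1yZWFs; path=/; HttpOnly",
    "session=abc123; path=/; Secure",
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(finding)
```

Run it against headers captured from your own virtual servers; any pool reported as "unencrypted" is one where the persistence profile has not yet been switched to require cookie encryption, which is the configuration change the F5 guidance CISA points to. The script recognizes only the IPv4 form of the legacy encoding; cookies for IPv6 pool members or non-default route domains use other layouts and will show up as "unrecognized" rather than being decoded.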
It also highlighted a tool developed by F5 dubbed BIG-IP iHealth for running diagnostics and identifying configuration issues.
Network edge devices, which often have patchy endpoint protection and proprietary software that complicates vulnerability detection, have increasingly become a target of state-sponsored hackers and global cybercriminals (see: The Peril of Badly Secured Network Edge Devices).
F5 - along with network edge appliance manufacturers Cisco, Citrix, Fortinet, Ivanti and Zyxel - is no stranger to the exploits of skilled hackers. Researchers at Eclypsium in May found vulnerabilities in the next generation of BIG-IP, which F5 calls BIG-IP Next (see: Report: Undetectable Threats Found in F5's Central Manager).
"Management systems for network infrastructure such as F5 BIG-IP are prime targets for attackers and require extra vigilance," Eclypsium stressed.