How F5 BIG-IP Cookies Are Being Exploited for Network Snooping: A CISA Warning

 



The US Government's Cybersecurity and Infrastructure Security Agency (CISA) has released a warning about cyberattackers' use of unencrypted cookies managed by the F5 BIG-IP Local Traffic Manager to gather information about private networks. Using these cookies, attackers identify internal, non-public devices and can then potentially target vulnerabilities on that network. While CISA does not disclose who is behind this activity or for what reasons, it indicates a serious potential threat to organisational security.

Confidence and Data Integrity Exposed

According to CISA's advisory, these cookies would probably allow attackers to understand the network's structure and discover areas where an attack can be performed. As with physical security, cybersecurity rests on a delicate balance of trust on which companies dealing with sensitive information depend. By studying the data contained in these cookies, attackers may identify key resources in a network and use them to escalate access or tamper with data.

Recommendations for the Protection of F5 BIG-IP Cookies

CISA recommends that all organisations using F5 BIG-IP equipment encrypt these cookies. Encryption can be set up on these devices through the HTTP profile settings, where it acts as an added layer of protection against unauthorised access. CISA further recommends using F5's BIG-IP iHealth diagnostic tool, which conducts a full system evaluation for potential weaknesses and vulnerabilities. The tool offers tailored recommendations for improving security, covering issues such as configuration problems or outdated code.
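To check whether cookie encryption is actually in effect, an administrator can inspect the Set-Cookie values returned by their own virtual servers. The following is an added example, not code from CISA or F5: it assumes the default unencrypted IPv4 persistence cookie layout documented by F5 (`<encoded IP>.<encoded port>.0000`), and the header strings and pool names in it are constructed.

```python
import ipaddress
import re
import struct

# Default unencrypted persistence value for an IPv4 pool member:
# <IP as little-endian 32-bit decimal>.<port with its two bytes swapped>.0000
PLAIN_V4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_persistence_value(value):
    """Return (ip, port) if value is an unencrypted IPv4 persistence cookie, else None."""
    match = PLAIN_V4.match(value)
    if not match:
        return None
    enc_ip, enc_port = int(match.group(1)), int(match.group(2))
    if enc_ip > 0xFFFFFFFF or enc_port > 0xFFFF:
        return None
    # The decimal IP is the address bytes read in little-endian order.
    ip = ipaddress.IPv4Address(struct.pack("<I", enc_ip))
    # The decimal port is the real port with its high and low bytes swapped.
    port = struct.unpack("<H", struct.pack(">H", enc_port))[0]
    return ip, port


def audit_set_cookie_headers(header_values):
    """Flag Set-Cookie values (without the 'Set-Cookie:' prefix) that expose a pool member."""
    findings = []
    for header in header_values:
        name, _, rest = header.partition("=")
        value = rest.split(";", 1)[0].strip()
        decoded = decode_persistence_value(value)
        if decoded:
            ip, port = decoded
            findings.append({
                "cookie": name.strip(),
                "member": f"{ip}:{port}",
                "private": ip.is_private,  # True means an internal address is leaking
            })
    return findings


# Constructed sample responses from one's own site (not real captures).
SAMPLE_HEADERS = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/; Httponly",  # unencrypted
    "BIGipServerapi_pool=!Zm9vYmFyYmF6cXV4; path=/; Httponly",      # opaque value
    "sessionid=8f2c1a; path=/; Secure",                             # unrelated cookie
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print("unencrypted persistence cookie:", finding)
```

Any finding with `private` set to true means that virtual server is still issuing unencrypted persistence cookies and should have cookie encryption enabled in its profile.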

Warnings of Broader Cyber Threats

The U.S. and U.K. cybersecurity agencies have simultaneously warned about the Russian-backed hacking group APT29, also known as Cozy Bear or Midnight Blizzard. This group has consistently targeted the diplomatic, defence, tech, and financial sectors to obtain sensitive foreign intelligence. APT29, which is linked to Russia's Foreign Intelligence Service (SVR), keeps a low profile when conducting operations and uses TOR and similar tools to mask its activity.

APT29: Tactics of Persistence, Stealth, Strategy

APT29's infrastructure is complicated, and the actors often lease servers through fake identities and low-reputation email addresses in North America. This makes detecting the activity in the network more challenging because it imitates legitimate network traffic. In addition to intelligence gathering, APT29 often tries to establish enduring access within targeted systems through spear-phishing or by exploiting widely known but unpatched vulnerabilities. Notable vulnerabilities of recent interest include CVE-2022-27924 in Zimbra Collaboration and CVE-2023-42793, a TeamCity Server authentication bypass flaw that could help facilitate remote code execution.

Defending Against APT29 Threats

APT29 is known for changing its tactics to evade detection and will destroy its infrastructure if it detects that it is under surveillance. To mitigate this, organisations are encouraged to establish and track a baseline of network activity, which makes it easier to recognise aberrant access patterns. The hackers' strategies include using proxy networks and mobile and residential IP addresses to mirror legitimate users. Companies should therefore scrutinise access attempts closely to identify deviations from normal behaviour.

Importance of Regular Security Patches

Tenable, a cybersecurity firm, claims that the only way to win against APT29 and other advanced persistent threats (APTs) is to run recent versions of software. The main way of countering such attacks is to keep up with security updates and patches for known vulnerabilities. Tenable Senior Research Engineer Satnam Narang said that APT29's long-term targeting of organisations operating within the U.S. and Europe underlines its focus on foreign intelligence gathering and on ensuring long-term access to compromised systems.

Both the CISA advisory and the joint bulletin by the U.S. and U.K. are necessary in light of the evolution of these threats. For organisations, keeping sensitive information safe and establishing trust is of utmost importance. Security measures such as encrypting F5 BIG-IP cookies and keeping up to date on threat intelligence can stop attackers from exploiting their weaknesses. Proactive defences have to be built into these systems, which are becoming increasingly complex, to ensure the integrity of data and prevent malicious intrusion.


HP Enterprise Reveals Hack Conducted by State-backed Russian Hackers


Hewlett Packard Enterprise (HPE) reported on Wednesday that alleged state-backed Russian hackers attacked its cloud-based email system and stole security and employee data.

In a Securities and Exchange Commission filing, the IT product provider noted that the attack occurred on January 12. The company suspects that Russia’s foreign intelligence service ‘Cozy Bear’ was behind the attack.

“Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” HPE, which is based in Spring, Texas, said in the filing.

HPE’s spokesperson, Adam R. Bauer, was contacted by email; however, he did not make clear who exactly informed HPE of the breach. “We’re not sharing that information at this time,” Bauer said. He noted that the compromised email boxes were running Microsoft software.

In the filing, HPE said the intrusion was “likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files.” SharePoint is part of Microsoft’s 365 suite, formerly known as Office, which includes email, word-processing and spreadsheet apps.

HPE is unable to say whether the network compromise was connected to the intrusion that Microsoft revealed last week, since "we do not have the details of the incident Microsoft disclosed," according to Bauer.

Also, he did not specify where the affected employees, whose accounts the hackers had access to, sat in the company’s hierarchy.

According to the sources, “The total scope of mailboxes and emails accessed remains under investigation.” 

As per the report, HPE has ascertained that the intrusion has not had any significant effect on the company's financial stability or operations. Both announcements coincide with the implementation one month ago of a new rule by the U.S. Securities and Exchange Commission requiring publicly traded corporations to report security breaches that may hurt their operations. Unless they are granted a national security waiver, they have four days to comply with this.