Hackers Prowling For Unencrypted BIG-IP Cookies, Warns CISA
Unencrypted persistence cookies set by F5's BIG-IP application delivery appliances have become attractive targets for hackers seeking to map, and then reach, internal devices on corporate networks. The trend comes to light through a warning issued by the Cybersecurity and Infrastructure Security Agency (CISA).
The U.S. federal cybersecurity agency said it had observed malicious actors abusing F5 BIG-IP cookies to enumerate internal hosts. These cookies are set by the Local Traffic Manager (LTM) module, the load-balancing component of the application delivery and security products that Seattle-based F5 sells.
“A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network,” CISA warned in its advisory.
BIG-IP uses persistence cookies to keep load balancing consistent across requests. The cookie records which pool member (back-end server) a client was sent to, so subsequent requests from that client can be routed to the same server without repeating the load-balancing decision. As Security Risk Advisors noted in a 2018 blog post, the security tradeoff of leaving these cookies unencrypted is significant: in the default cookie format, the value is simply the pool member's internal IP address and port in a trivially reversible encoding, so every response hands the client a piece of the internal network map. An attacker who collects these cookies across several applications learns internal addresses and service ports that were never meant to be visible from the Internet.
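To make the exposure concrete, here is an added example (written for this article, not code from F5, CISA or Security Risk Advisors) that decodes the documented default BIG-IP cookie formats and scans a set of Set-Cookie headers for leaking BIGipServer* cookies. The sample headers are constructed for illustration; the pool names and addresses in them are made up. Encrypted cookie values, which F5 emits with a leading "!", are recognised and skipped because nothing useful can be recovered from them.

```python
import re
import socket
import struct
from typing import List, Optional, Tuple

# Default (unencrypted) BIG-IP cookie persistence value formats, as documented
# by F5 for the BIGipServer<pool_name> cookie:
#   IPv4:                 "<IPv4 as little-endian uint32>.<port byte-swapped>.0000"
#   IPv4 + route domain:  "rd<id>o00000000000000000000ffff<IPv4 hex>o<port>"
#   IPv6:                 "vi<32 hex chars>.<port byte-swapped>"
# Values produced by cookie encryption begin with "!" followed by base64.
IPV4_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
RD_V4_RE = re.compile(r"^rd(\d+)o0{20}ffff([0-9a-f]{8})o(\d{1,5})$", re.I)
IPV6_RE = re.compile(r"^vi([0-9a-f]{32})\.(\d{1,5})$", re.I)


def _swap16(n: int) -> int:
    """Undo the byte swap BIG-IP applies to the 16-bit port."""
    return ((n & 0xFF) << 8) | ((n >> 8) & 0xFF)


def decode_bigip_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) encoded in an unencrypted BIG-IP persistence cookie
    value, or None if the value is encrypted or not a recognised format."""
    value = value.strip()
    if value.startswith("!"):
        return None  # encrypted by the cookie persistence profile
    m = IPV4_RE.match(value)
    if m:
        raw_ip, raw_port = int(m.group(1)), int(m.group(2))
        if raw_ip > 0xFFFFFFFF or raw_port > 0xFFFF:
            return None
        ip = socket.inet_ntoa(struct.pack("<I", raw_ip))
        return ip, _swap16(raw_port)
    m = RD_V4_RE.match(value)
    if m:
        ip = socket.inet_ntoa(bytes.fromhex(m.group(2)))
        return ip, int(m.group(3))
    m = IPV6_RE.match(value)
    if m:
        raw_port = int(m.group(2))
        if raw_port > 0xFFFF:
            return None
        ip = socket.inet_ntop(socket.AF_INET6, bytes.fromhex(m.group(1)))
        return ip, _swap16(raw_port)
    return None


def find_leaky_cookies(set_cookie_headers: List[str]) -> List[Tuple[str, str, int]]:
    """Scan Set-Cookie header values and return (pool_name, ip, port) for
    every BIGipServer* cookie whose value decodes to an internal backend."""
    findings = []
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        name = name.strip()
        if not name.startswith("BIGipServer"):
            continue
        value = rest.split(";", 1)[0]      # drop path/HttpOnly/Secure attributes
        backend = decode_bigip_cookie(value)
        if backend is not None:
            findings.append((name[len("BIGipServer"):], backend[0], backend[1]))
    return findings


# Constructed sample headers (hypothetical pool names and addresses).
SAMPLE_SET_COOKIE = [
    "BIGipServerweb_pool=1677787402.20480.0000; path=/; HttpOnly",
    "BIGipServerrd_pool=rd5o00000000000000000000ffff0a010164o443; path=/",
    "BIGipServerv6_pool=vi20010db8000000000000000000000001.47873; path=/",
    "BIGipServerenc_pool=!dGhpcyBpcyBub3QgYSByZWFsIGNpcGhlcnRleHQ=; path=/",
    "session=4f2a9c; Secure; HttpOnly",
]

if __name__ == "__main__":
    for pool, ip, port in find_leaky_cookies(SAMPLE_SET_COOKIE):
        print(f"pool {pool!r} leaks backend {ip}:{port}")
```

Running this against the sample headers reports three internal backends (10.1.1.100:80, 10.1.1.100:443 and [2001:db8::1]:443) and stays silent on the encrypted cookie and the unrelated session cookie. The same scanner, pointed at real responses from an Internet-facing BIG-IP, is a quick way to confirm whether a given virtual server still uses the unencrypted default.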
CISA advises enterprises to follow F5's guidance on configuring BIG-IP to encrypt HTTP persistence cookies before they are sent to clients; the setting lives in the cookie persistence profile applied to the virtual server. CISA also pointed to F5's BIG-IP iHealth diagnostic tool, which can flag virtual servers whose cookie persistence profile does not have encryption enabled, alongside its other configuration and health checks.
More broadly, network edge devices have become prime targets for state-sponsored hackers and cybercriminals alike: they typically cannot host endpoint detection agents, and their proprietary software makes vulnerabilities harder to find and exploitation harder to spot. Recent reports on poorly secured network edge devices have repeatedly underscored the risk.
F5 is not alone in drawing this scrutiny. Cisco, Citrix, Fortinet, Ivanti, and Zyxel, all manufacturers of network edge appliances, have been targeted in the same way. In May, Eclypsium researchers identified vulnerabilities in the next generation of F5's BIG-IP, known as BIG-IP Next. The findings highlight the ongoing security challenges of central management systems, which are attractive to attackers because compromising one yields control over many devices.
“Management systems for network infrastructure such as F5 BIG-IP are prime targets for attackers and require extra vigilance,” Eclypsium researchers stressed, emphasizing the critical need for enhanced security measures.
Organizations that rely on F5 technologies must heed these warnings and take proactive steps to secure their network infrastructure against potential threats. Encrypting cookies, utilizing diagnostic tools, and maintaining a vigilant approach to cyber defense are essential strategies in safeguarding corporate networks from emerging vulnerabilities.