F5 May 2025 QSN, Big dollar cough up, buggy-spy chat apps
Hello! ArvinF is your editor for this edition of the F5 SIRT's This Week in Security, covering May 4 - 10. Let's get to it!
F5 May 2025 QSN - 12 issues, 11 Highs, and 1 Medium Severity CVEs, BIG-IP 17.5 not affected.
On May 5th, F5 disclosed 12 issues, 11 Highs, and 1 Medium Severity CVEs, for the F5 May 2025 Quarterly Security Notifications. Most of the issues disclosed were classic DoS on BIG-IP products and the BIG-IP NEXT products and are fixed in the latest BIG-IP 17.5 and 16.1.6 versions, most in 15.1.10.7, and the latest BIG-IP NEXT versions. There were two F5OS issues, both fixed in F5OS-A on rSeries and F5OS-C on VELOS version 1.8.0. There was one BIG-IP CVE that affects Appliance Mode in the Control Plane and requires Authenticated Administrator role privileges before an attempt can be made to abuse the flaw.
It is recommended to install the fixed BIG-IP, BIG-IP NEXT, and F5OS versions to fully fix the vulnerabilities. Mitigations and workarounds are provided when applicable. As for the BIG-IP Appliance Mode control plane issue that requires Authenticated Administrator role privileges (and for the other BIG-IP Control Plane issues), follow best practices: secure access to the BIG-IP management interfaces and allow access only to trusted users and networks.
K000151008: Quarterly Security Notification (May 2025)
https://my.f5.com/manage/s/article/K000151008
"Spy" Chat app maker will have to cough up $168M
NSO must pay Meta $168M after Meta won in court over exploitation of a WhatsApp flaw. The WhatsApp zero-day, zero-click vulnerability was used to deploy the Pegasus spyware with just a single phone call, with no requirement on the victim to do anything other than have their handset switched on. The spyware can access all the data on the device, including phone records, emails, messages, and video. It can also see where the device is, and it can even let its operator turn on the handset's camera and microphone for clandestine recording. The spyware targeted over a thousand WhatsApp users, including human rights activists, journalists, diplomats, and others in civil society. Meta worked with Citizen Lab to investigate the attack and warn the people being targeted, both to learn more about the attack and to find ways to protect their devices. The eight-person jury handed out a fine that amounts to nearly three times NSO's annual R&D budget, according to Meta's estimates.
Super spyware maker NSO must pay Meta $168M in WhatsApp court battle
https://www.theregister.com/2025/05/06/nso_group_meta_verdict/
https://about.fb.com/news/2025/05/winning-the-fight-against-spyware-merchant-nso/
"TM SGNL" Chat app - stores chat logs in plain text in TeleMessage archive servers
The researcher's findings on the TeleMessage fake Signal app, called TM SGNL, show how it works and why it is so insecure. The researcher also analyzed the source code of the TM SGNL Android app, which led to the conclusion that TeleMessage can access plaintext chat logs. This "TM SGNL" chat app is embroiled in scandal as it was used in "Signalgate", where "secret military plans were shared in a group text chat that inadvertently included a journalist." Analysis of the source code also found hard-coded credentials, and that archived chat logs were stored in plain text and were not re-encrypted.
Signal chat app clone used by Signalgate's Waltz was apparently an insecure mess
https://www.theregister.com/2025/05/05/telemessage_investigating/
Google coughed up $1.375 Billion over Unauthorized Tracking and Biometric Data Collection
"The case, originally filed in 2022, related to unlawful tracking and collection of user data, regarding geolocation, incognito searches, and biometric data, tracking users' whereabouts even when the Location History setting was disabled and collecting the biometric data without informed consent."
"For years, Google secretly tracked people's movements, private searches, and even their voiceprints and facial geometry through their products and services," Texas Attorney General Ken Paxton said in a statement.
"This $1.375 billion settlement is a major win for Texans' privacy and tells companies that they will pay for abusing our trust."
Last year, Google announced plans to store Maps Timeline data locally on users' devices instead of their Google accounts. The company has also rolled out other privacy controls that allow users to auto-delete location information when the Location History setting is enabled.
The payment also rivals a $1.4 billion fine that Meta paid Texas to settle a lawsuit over allegations that it illegally collected the biometric data of millions of users without their permission.
The development comes at a time when Google is the subject of intense regulatory scrutiny on both sides of the Atlantic, facing calls to break up parts of its business to satisfy antitrust concerns."
https://thehackernews.com/2025/05/google-pays-1375-billion-to-texas-over.html
Big Bucks Crypto eXch shut down over $1.9B Laundering, €34M in Crypto, and 8TB of Data seized
"Germany's Federal Criminal Police Office (aka Bundeskriminalamt or BKA) has seized the online infrastructure and shutdown linked to the eXch cryptocurrency exchange over allegations of money laundering and operating a criminal trading platform. The operation was carried out on April 30, 2025, authorities said, adding they also confiscated 8 terabytes worth of data and cryptocurrency assets worth €34 million ($38.25 million) in Bitcoin, Ether, Litecoin, and Dash.
eXch "specifically advertised on platforms of the criminal underground economy (UE) that it did not implement any anti-money laundering measures," the BKA said in a statement.
"Users were neither required to identify themselves to the service, nor was user data stored there. Crypto swapping via eXch was therefore particularly suitable for concealing financial flows."
Cryptocurrency assets worth an estimated $1.9 billion are estimated to have been transferred using the service since its launch. This also includes a portion of the illicit proceeds gained by North Korean threat actors following the Bybit hack earlier this year.
The development comes as eXch announced its own plans on April 17 to cease operations effective this month, prompting the authorities to secure "numerous pieces of evidence and leads."
More nefarious activity was likely masked through the exchanges that took place on eXch; excellent work by the authorities on shutting down its operations.
Germany Shuts Down eXch Over $1.9B Laundering, Seizes €34M in Crypto and 8TB of Data
https://thehackernews.com/2025/05/germany-shuts-down-exch-over-19b.html
US DoD SWFT tackling outdated software procurement
"The US Department of Defense (DoD) is overhauling its "outdated" software procurement systems, and insists it's putting security at the forefront of decision-making processes.
The DoD established the department's Software Fast Track (SWFT) initiative via a memo, which promised to reform how software is acquired, tested, and authorized.
Department of Defense Cybersecurity and Supply Chain Risk Management (SCRM) practices within the Department must adapt and keep pace with software development and the increasing complexity and evolution of supply chain risk.
The DoD's security has been tested in recent times, from malware campaigns targeting procurement systems to defense partners leaking sensitive information for almost two years.
In various other cases across local and national governments, and the aforementioned case of a sensitive partner breach, software vulnerabilities were singled out as the initial intrusion vector. It's likely that one of the main goals of the SWFT initiative is to ensure fewer and fewer of these stories become reality.
Also campaigning for more secure government software is the Cybersecurity and Infrastructure Security Agency (CISA)"
Pentagon declares war on 'outdated' software buying, opens fire on open-source
https://www.theregister.com/2025/05/06/us_dod_software_procurement/
https://www.theregister.com/2022/10/05/military_contractor_hack/
https://blog.lumen.com/hiatusrat-takes-little-time-off-in-a-return-to-action/
https://dodcio.defense.gov/Portals/0/Documents/Library/Memo-AcceleratingSecureSoftware.pdf
https://www.defense.gov/News/Releases/Release/Article/4174350/software-fast-track-initiative/
It’s terrifying to be on the other end of a "swatting"
A trio is alleged to have made various swatting calls in the US and Canada between October 2022 and April 2023. "The charges are the culmination of an extensive investigation by Merseyside Police working with US law enforcement, including the FBI." Separately, the FBI launched a public awareness campaign urging the general public to swot up on swattings in case they ever have the misfortune of being on the receiving end of one. Seen by some as a funny prank, these dead-serious calls can lead to untoward incidents involving innocent people.
"Advanced preparation, including the proactive measures listed below, can help mitigate risks associated with doxing and SWATting attempts.
- Exercise effective cyber-security practices online to help protect your sensitive information and mitigate risks associated with your digital footprint.
- Consider discussing doxing and SWATting with your family members and have a plan in place in the event of LE contact at your residence.
As always, should you receive any threats to your safety, report these concerns immediately to your local law enforcement agency. In the event you are involved in a doxing or SWATting incident, please notify your local FBI field office as soon as it is feasible."
Three Brits charged over 'active shooter threats' swattings in US, Canada
https://www.theregister.com/2025/05/02/three_brits_charged_over_us_swattings/
https://www.theregister.com/2025/04/30/fbi_crackdown_on_swatting_not/
https://socxfbi.org/SFSA/SFSA/Featured-Articles/Urgent-Safety-Message-from-FBI.aspx
That's it for now
This week, we had the F5 May 2025 QSN. It is recommended to upgrade to the fixed F5 versions and implement mitigations and workarounds when applicable. As general security advice, as seen in the "Pegasus" and "TM SGNL" news, always update your mobile applications and ensure that the update came from the actual vendor. Mobile phone software is constantly scrutinized and researched by malicious actors for vulnerabilities that can be exploited to deploy malware with financial and privacy impact. Keep your personal information secure by limiting exposure on business and social media sites, and read the fine print on sites that intend to gather your data; you can use the "reject all" option if it exists. I hope the news I picked is informative and educational. Till next time - Stay Safe and Secure!
As always, if this is your first TWIS, you can always read past editions. We also encourage you to check out all of the content from the F5 SIRT.