TSA Drops Shoes, IoT and Roundup
Kyle Fox is back this week with a couple of writeups and the roundup. This week, we look at the current situation with changes to security measures at the TSA and what more needs to change. We also look at some ongoing problems with IoT long-term support.

TSA Drops Shoe Removals

For years, people in the United States have had to take off their shoes while going through security at the airport. A new policy was announced on July 8th that will no longer require people to take off their shoes. Unless they're me and travel wearing steel toe boots. This surprising reversal comes after 20 years of this policy, enacted after shoe bomber Richard Reid attempted to blow up American Airlines Flight 63 in December of 2001 with PETN explosive smuggled in his shoes.

Often lambasted as security theatre, we have to remember that the TSA, or something like it, is mandated by Annex 17 to the Chicago Convention on International Civil Aviation, which states "4.4.1 Each Contracting State shall establish measures to ensure that originating passengers of commercial air transport operations and their cabin baggage are screened prior to boarding an aircraft departing from a security restricted area." (the PDF does not allow copying, so I had to type that all up) And we generally don't want explosives on planes or guns and dangerous knives making their way into the passenger cabin. So we still in part need what the TSA is doing. The original intention of creating the TSA was to standardize what they do, which was also something we were in dire need of at the time.

So what measures are security theatre? According to Bruce Schneier, the coiner of the term, his top three are now: liquid restrictions, body scanners and the Screening Passengers by Observation Techniques (SPOT) program, now called Behavior Detection and Analysis (BDA).

Let's start by first examining the liquid rule. The group was established after a 2006 plot to blow up planes using liquid explosives.
The explosives would be made up using component liquids the plotters would bring onboard in innocuous-looking containers. Since then, the ICAO has issued guidance on screening liquids, and the result is the liquid restrictions. Since this is an international rule, it may be difficult to completely get rid of it without international cooperation, despite it having holes.

The next item on the list is body scanners; these do not appear to be required by ICAO regulations and are not used in many countries. These devices, even when working optimally, are capable of missing some very large weapon-like objects. The scanners have improved. When they first started, they were x-ray backscatter units that would be exposing travelers to unnecessary ionizing radiation. The new ones use millimeter-wave radar technology that should not be a possible health risk. They still take up a lot of floor space and time in screening passengers.

Schneier's last item is the Screening Passengers by Observation Techniques (SPOT) program, which since 2016 has been called Behavior Detection and Analysis (BDA). This program is alleged to work by training TSA officers to observe passengers' stress levels and behavior to spot passengers that are concealing something or otherwise being deceptive. From that description it seems to be a human lie-detector program. Like the polygraph lie-detector, its efficacy has been disputed quite a bit. With airports and air travel often a high-stress situation for most of the traveling public, it seems to lead to the individual officers' biases showing through. This one seems to be the most ripe for getting rid of, so I expect it to hang on for a long time.

Belkin, IKEA and Nest and the Struggle to Find Long Term Support in IoT

Several announcements have come through in the last few weeks. First, Belkin announced it was discontinuing support for some Smart Home devices that it previously sold.
Then IKEA announced that it was transitioning off Zigbee and to Thread, and finally Nest will discontinue support for some older devices. This has all highlighted the issues now surrounding a lot of IoT, mainly that as time goes on, support of these devices becomes an issue.

The first issue is that a lot of manufacturers want their IoT-enabled appliances to link back to servers that they run. This helps with allowing users to access the devices from anywhere and allows the manufacturers to push software updates to help improve the devices and deal with security vulnerabilities. However, this also adds ongoing costs to supporting the devices and ties them to the manufacturer's continued support.

The next issue is that these devices contain software that needs to be updated periodically to resolve security issues. Often that still depends on the manufacturer to maintain the software and push updates. In some cases, this has been sidestepped by projects creating open firmware for discontinued devices. But as a rule, you'll only get updates till the manufacturer decides to shelve maintaining the code. While this would be perfectly fine if these were widgets that would last 5 years, it becomes a concern when you're talking about stuff installed in a house. For example, my house was built in 1978, my breaker panel is from that era, but I have an Emporia Vue panel monitor.

The last issue is that as time goes on, companies may change the basic rules that their devices work with. With IoT, this often means going from Zigbee to Wifi or Bluetooth or some other combination of changes. Once these changes are made, the manufacturer could maintain compatibility, if they use a system with hubs, or they can dump the entire previous ecosystem. The IKEA transition is an example of this issue. It's currently not clear how the future support model for their existing Zigbee devices will work, but I expect some level of support to continue.
Roundup:

Not really security related, but this week's YouTube recommendation is Patrick (H) Willems. From analyzing pop music soundtracks to ranking the most 80's movie, he has you covered in long-form cinema analysis.

Plague's back in town.

AI company leaks McDonald's job applications.

Comcast Wifi Motion Detection? Apparently this field grew up.

ChatGPT hallucinated features are getting added to software.

Because Bluetooth is complicated, another week, another Bluetooth attack.

Copenhagen, Cisco, Korea, Cybercrime, and Criminals
It's all just a little bit of history repeating - and MegaZone is back in control again. This time we're looking at news from June 29th through July 5th, 2025. For my fellow USians, I hope you had a happy Fourth of July. And I hope you still have all your fingers. It is a bit light this week, as I was out of the office for a few days last week and this week, dealing with a family health crisis, so my time to read and digest the news, and then compile this issue, is a bit compressed. But the show must go on! Anyway, let's jump into it...

CitrixBleed2 and Cisco Criticals, Action on and by Crooks, Cost of Cyberattacks
Hello! ArvinF is your editor of the F5 SIRT This Week in Security, covering 22 to 28 June 2025. It happens this week's edition has lots of Cs in it - CitrixBleed2 and Cisco Criticals, Action on and by Crooks and the Cost of Cyberattacks. Let's get to it.

CitrixBleed2, a high severity CVE, plus one more Critical on Citrix

Citrix and their customers were very likely busy the past week patching and resetting VDI sessions to remediate 3 CVEs, two Critical and one High severity.

CVE-2025-5349 Improper access control on the NetScaler Management Interface - High
CVE-2025-5777 Insufficient input validation leading to memory overread - Critical
CVE-2025-6543 Memory overflow vulnerability leading to unintended control flow and Denial of Service - Critical

CVE-2025-5777, dubbed CitrixBleed2, described as an "out-of-bounds read flaw", "can be exploited remotely and without any authentication, is due to insufficient input validation. It could allow an attacker to read session tokens or other sensitive information in memory from NetScaler devices that are configured as a Gateway (such as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server." Documented along with CVE-2025-5349 in the same advisory; Citrix customers should reset VDI connections/sessions:

kill icaconnection -all
kill pcoipConnection -all

The other Critical, CVE-2025-6543, potentially an RCE rather than just a DoS based on reports, was exploited in the wild as a Zero Day. Citrix published a blog "NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777" and noted the following: "Some commentators have drawn comparisons between CVE 2025-5777 and CVE 2023-4966. While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related." Nonetheless, Citrix customers should follow the advisories, upgrade to a fixed version and ensure they reset VDI connections/sessions.
CISA's Known Exploited Vulnerabilities Catalog now lists Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability CVE-2025-6543 - all the more reason to patch/upgrade and secure Citrix installations.

Don't panic, but it's only a matter of time before critical 'CitrixBleed 2' is under attack
https://www.theregister.com/2025/06/24/critical_citrix_bug_citrixbleed/
Citrix bleeds again: This time a zero-day exploited - patch now
https://www.theregister.com/2025/06/25/citrix_netscaler_critical_bug_exploited/
NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777
https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/
Known Exploited Vulnerabilities Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Cisco got Criticals too: two of them on the Identity Services Engine API

The Cisco ISE API has a pair of CVSS Score 10 CVEs with no workarounds.

CVE-2025-20281: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability, gaining root access through an unauthenticated crafted API request
CVE-2025-20282: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability, unauthenticated file upload leading to code execution

Affected installations should be upgraded as appropriate. There are some valid use cases for exposing this ISE API to the internet - a quick search notes "Cloud-based Guest Access", "Integration with External Systems" and "Remote Administration". Fronting a vulnerable API with a "Web Application and API Protection" product, such as in the F5 Application Delivery and Security Platform, could help and provide mitigation. As there is potential for undiscovered vulnerabilities in APIs (and software in general), having the protection in place could prevent or slow down exploitation attempts.
Cisco fixes two critical make-me-root bugs on Identity Services Engine components
https://www.theregister.com/2025/06/26/patch_up_cisco_fixes_two/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
https://www.f5.com/solutions/web-app-and-api-protection

Crooks in Action: Educated Manticore Targeted Phishing

The Iranian APT group Educated Manticore (activities similar to APT42, Charming Kitten, or Mint Sandstorm) ran a phishing campaign that targeted cyber security experts, computer science professors and journalists. This APT group sends phishing messages through WhatsApp or email. They pretend to be cyber security researchers and get victims to go to a custom phishing site imitating Google Authentication. This site lets MFA relay attacks happen and also has a passive keylogger to record keystrokes from the victim. Another method used by the APT is a fake Google Meet invite. Check Point's research noted IoCs such as IP addresses and domains used in the phishing campaign.

That WhatsApp from an Israeli infosec expert could be an Iranian phish
https://www.theregister.com/2025/06/26/that_whatsapp_from_an_israeli/
https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/

Unmaintained gov't or corporate site? Hijack and sneak in AI slop and unrelated Ads

A government website used to campaign against "end to end encryption" was hijacked and a section of the site was modified to advertise loans. "End to end encryption" (E2EE) is a very important topic: messaging apps implementing it "jumble" the exchanged messages to prevent snooping; however, this could also help abusers hide their communication from being audited, and may hinder law enforcement investigation. E2EE can also introduce vulnerabilities for users. However, E2EE is not the specific concern here, rather, the hijacking of the site to include these loan advertisements.
The site was created by a 3rd party advertising firm and, as the campaign has ended, the site is abandoned, unmaintained and hijacked. The publicly funded campaign site reportedly was budgeted at 534K. There were other instances of corporate and government sites and pages that were also observed to have been hijacked and hosting AI slop. "AI slop" refers to low-quality, often misleading or inaccurate content generated by artificial intelligence, particularly large language models (LLMs). It's characterized by its tendency to replicate human speech realistically but without regard for truthfulness or accuracy. This can manifest as poorly written articles, fake images, or inaccurate information, often designed to optimize for search engines or engage users without genuine value.

UK govt dept website that campaigns against encryption hijacked to advertise ... payday loans
https://www.theregister.com/2025/06/25/home_office_antiencryption_campaign_website/
https://heatherburns.tech/2025/06/24/somehow-that-home-office-campaign-got-even-worse/#

Action on Crooks: Four REvil ransomware crooks walk free, some face penal colony

This one is a 50-50: 4 of the 8 arrested REvil ransomware group members walked away, as they were sentenced approximately 3 years after their arrest, pled guilty and had already served time in detention in a Russian "general regime penal colony". The sentence was for the crime "illegal circulation of funds by an organized group and creation and use of malicious computer programs". Two of the four REvil convicts were only charged with carding offenses. "The term "carding" refers to the illegal use and trafficking of payment card details. Although REvil was primarily known for ransomware attacks, some of its members also moonlighted in the financial fraud space too." The court ordered one of the prisoners to give up two 2020 BMWs. The court will also take a 2019 Mercedes C 200 from another prisoner.
The same can't be said for the other four suspected REvil members, though, who were each sentenced in October 2024 to various stints in a general regime penal colony ranging from 4.5 to six years. Following an appeal in March, their sentence was upheld, perhaps due to their refusal to enter into a guilty plea. REvil's ransomware exploits were among the most high-profile in history, and it was arguably the first truly "big" ransomware-as-a-service group. Russian lawmakers say that he ran REvil from 2015 to 2022. During that time, the group attacked US nuclear weapons contractors, fashion houses, and perhaps most famously, IT service provider Kaseya. Although only eight arrests were mentioned as part of the trial, a total of 14 people with alleged ties to REvil were arrested on that day in January 2022.

Four REvil ransomware crooks walk free, escape gulag fate, after admitting guilt
https://www.theregister.com/2025/06/24/four_revil_ransomware_suspects_time_served/

IntelBroker caught due to bitcoin wallet record and linked accounts

Kai West, a 25-year-old British national, has been identified as the infamous hacker "IntelBroker," according to newly unsealed court documents. IntelBroker is said to have accessed the computers of over 40 victims around the world. These victims include well-known companies like Apple, AMD, Europol, Nokia, and the US Army. IntelBroker is said to have caused damages of more than $25 million. After stealing sensitive data, IntelBroker and his associates reportedly sold it on BreachForums, a notorious cybercrime marketplace where West was also an administrator. West was implicated when FBI agents traced a bitcoin wallet used in the sale of stolen data back to him. The wallet was linked to a Ramp account registered with West's UK driver's license, which was also tied to a Coinbase account under his alias "Kyle Northern." Both accounts reportedly used West's personal email address, solidifying the FBI's case against him.
In related developments, police in Paris have arrested four other BreachForums administrators using the aliases Hollow, Noct, Depressed, and ShinyHunters. The US is now seeking West's extradition to face charges, two of which carry a maximum sentence of 20 years each. This case underscores how law enforcement leverages cryptocurrency transaction records and other digital breadcrumbs to apprehend cybercriminals.

FBI used bitcoin wallet records to peg notorious IntelBroker as UK national
https://www.theregister.com/2025/06/26/fbi_used_bitcoin_wallet_id_intelbroker/
https://regmedia.co.uk/2025/06/26/us_kai_west_complaint.pdf

Britain's Cyber Monitoring Centre (CMC) on cost of recent UK cyberattacks - £270-440 million

The UK's Cyber Monitoring Centre (CMC) estimates that recent cyberattacks crippling major UK retail chains like Marks & Spencer (M&S), the Co-op, and Harrods could cost between £270-440 million ($362-591 million). These attacks, categorized as a "level 2 systemic event" by the CMC, represent a significant impact on both retailers and affected communities. CMC's Cyber Monitoring Matrix ranks cyber incidents on a 0-5 scale based on financial and societal impact. Marks & Spencer suffered substantial losses, with online sales disrupted until July and partially restored afterward. Daily losses from unfulfilled orders were estimated at £1.3 million ($1.74 million). Co-op, while impacted less in terms of financial losses—daily spending dropped by 11% in the first 30 days—had a different kind of impact. The retailer is a crucial provider for remote areas like the Scottish Highlands and surrounding islands, heightening the societal consequences of the cyberattack. Luxury retailer Harrods was also attacked but experienced minimal operational disruption, as both its flagship store and online sales remained active, though detailed data on its attack was limited and excluded from CMC's analysis.
The CMC's evaluations highlight the critical costs of lost sales, IT restoration, legal fees, and incident response for businesses targeted in cyberattacks. This underscores the importance of cybersecurity preparedness, particularly for organizations core to community supply chains, such as Co-op. The events serve as a stark reminder of the economic and social vulnerabilities posed by increasingly sophisticated cyber threats.

Experts count staggering costs incurred by UK retail amid cyber attack hell
https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/
https://www.theregister.com/2025/02/07/uk_cyber_monitoring_centre/

That's it for now

This week, we have news on the APT group phishing campaign targeting cyber security experts. Phishing has become more sophisticated and is getting harder to distinguish. I'll recommend going back to basics: if the emails or messages you receive seem "off" or unusual, be skeptical and don't simply trust the sender. Verify that the sender of the message is really who they claim to be, though this is easier said than done. APTs and ransomware groups usually use the same techniques, and spear phishing is at the top of the list of techniques they use. If unsure, do not engage. Follow your organization's IT Security Policies on suspected phishing attempts.

Critical vulnerabilities should be addressed immediately, especially if a fix is available.

The financial effects of cybersecurity attacks on organizations are no small matter. For their customers, it could be an erosion of trust and potential exposure of personal information. As defenders, we should implement protections to prevent web-based vulnerabilities - use WAFs and API protections such as BIG-IP ASM/Adv WAF, NGINX App Protect and F5 Application Delivery and Security Platform security policies, and DoS and Bot Defense features to add layers of defense and mitigations.
Having an F5 BIG-IP in the environment opens opportunities to apply protections to applications. Secure sunsetting and decommissioning of web sites used in limited campaigns that are already over should be a process that organizations and governments follow, to prevent leaving unnecessary access or dangling configurations or DNS records open for abuse.

I hope the news I picked is informative and educational. Till next time - Stay Safe and Secure! As always, if this is your first TWIS, you can always read past editions. We also encourage you to check out all of the content from the F5 SIRT.

GPS spoofing, 16 billion passwords exposed, Operation RoundPress, and Active Cyber Defense
Notable news for the week of June 15-21, 2025. This week, your editor is Koichi from the F5 Security Incident Response Team. In this edition, I have security news about GPS spoofing, 16 billion passwords exposed, Operation RoundPress, and Active Cyber Defense.

We at F5 SIRT invest a lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

GPS spoofing is observed on a live map

Cyber attacks have intensified in the wake of the armed conflict between Israel and Iran. Israeli hackers cyber-attacked Iran's state-owned Bank Sepah and the Iran-based cryptocurrency exchange Nobitex. Meanwhile, Iran also cyber-attacked Israeli infrastructure. Although those cyber-attacks cannot be seen directly from abroad, there have been forms of cyber-attacks that can be observed online. Aircraft and ship tracking services can observe strange movements of aircraft and ships around Iran. Aircraft and vessels receive radio signals from GNSS (i.e. GPS) satellites to determine their location/position, and they broadcast their position via the ADS-B (aircraft) and AIS (vessel) systems. Aircraft and vessel tracking services receive those broadcast signals and can display the positions of aircraft and vessels on a live map. However, due to the military conflict between Israel and Iran, radio signals from GNSS (i.e. GPS) satellites have been jammed (GPS jamming), making it impossible to display the positions of aircraft and ships. The position information has also been altered (GPS spoofing); this causes the positions of ships and aircraft on maps to be shown in locations where they should not be.
Around the time of this collision, GPS spoofing, probably of Iranian origin, was observed in the Persian Gulf. As a result, it has been observed that the vessel's position is circular.

Source: Phantom Tankers: GPS Interference Roils Gulf Shipping

16 billion login credentials are exposed

Cybernews Researchers announced on June 18th that more than 16 billion login credentials had been compromised this year. This is believed to be one of the largest data breaches ever. Ongoing investigations by researchers since earlier this year have suggested that the massive breach was the work of multiple Infostealer (information-stealing) malware families. The leaked data also includes credentials for Apple, Facebook, Google, GitHub, Telegram and government services in various countries, which risks enabling access to almost every major online service. According to the researchers, large sets of exposed data are being discovered every few weeks, raising strong concerns about the rapid spread of infostealers. To mitigate this, Google suggests that users change their Gmail account passwords as soon as possible, use password managers, and use passkeys as much as possible.

Source: 16 billion passwords exposed in record-breaking data breach, opening access to Facebook, Google, Apple, and any other service imaginable
Source: 16 Billion Apple, Facebook, Google And Other Passwords Leaked

Operation RoundPress

ESET Research has revealed Operation RoundPress, an advanced cyber-espionage operation by the pro-Russian Sednit group, also known as APT28, targeting high-value targets like governments and major defense companies in Europe, Africa and South America. Operation RoundPress uses variants of the SpyPress malware to attack webmail, including Roundcube and Zimbra. It sends spear-phishing emails to the target webmail servers, which disguise themselves with current news-related text, but a review of the HTML code shows that malicious JavaScript is embedded in the body.
When the victim user opens a malicious email, the SpyPress JavaScript payload is loaded and executed, which steals webmail credentials, body content and contact information from the victim's email inbox.

Source: Surge in XSS Cyberattacks Targets Popular Webmail Platforms, ESET Reports
Source: ESET Research uncovers Operation RoundPress: Russia-aligned Sednit targets entities linked to the Ukraine war to steal confidential data

"Active Cyber Defense" Part 5

In former TWIS articles (like this and this), I wrote about the "Active Cyber Defense" which is going to be introduced in Japan, and there was further progress at a cabinet meeting on June 20th. The Japanese government decided to establish the National Cyber Headquarters (NCH, or National Cyber Office) on July 1st. This will be done as a re-organization of the current National Center of Incident Readiness and Strategy for Cybersecurity (NISC), and the NCH will serve as a command post for "Active Cyber Defense" to prevent cyber attacks before they happen. The "Active Cyber Defense" bill would allow the Government to get agreements with operators of critical infrastructure and obtain communications information to monitor for cyber attack threats.

Source: https://www3.nhk.or.jp/news/html/20250620/k10014839811000.html (Japanese)

Welcome to Fletch.ai, Fake DeepSeek Downloads, & Operation Secure
This week, your editor is Jordan_Zebor from the F5 Security Incident Response Team, diving into key advances in cybersecurity. From F5's acquisition of Fletch.ai and its agentic AI, to INTERPOL's takedown of infostealer malware, and Kaspersky's discovery of BrowserVenom, the rapidly evolving threat landscape highlights the need for smarter defenses and global collaboration to safeguard the digital world. Let's jump in!

F5 acquires Fletch.ai

F5 has acquired Fletch.ai, integrating its agentic AI technology into the F5 Application Delivery and Security Platform (ADSP). Fletch's AI transforms complex threat intelligence and logs into actionable insights, helping security teams prioritize critical threats, reduce alert fatigue, and act proactively. By delivering real-time recommendations like blocking malicious IPs or mitigating vulnerabilities, this integration equips organizations to manage sophisticated threats more effectively. The acquisition underscores F5's push toward AI-driven security innovation, enabling faster, smarter responses in an increasingly complex cybersecurity landscape.

This integration not only strengthens security teams but also contributes to a better digital world by ensuring safer and more reliable application experiences for businesses and users alike. By combining agentic AI with F5's expertise in securing apps, APIs, and infrastructure, organizations can mitigate threats before they impact operations, reducing downtime, preventing data breaches, and building trust in their digital services. As cyber threats get more advanced, F5's improved platform lets businesses deliver faster, smarter, and safer digital solutions. This helps businesses innovate while protecting the global digital ecosystem.

Operation Secure

Between January and April 2025, INTERPOL spearheaded Operation Secure, a global initiative that dismantled over 20,000 malicious IPs and domains linked to 69 information-stealing malware variants.
Collaborating with 26 countries, the operation successfully took down 79% of identified malicious IPs, seized 41 servers and 100GB of data, and arrested 32 individuals across various nations including Vietnam, Sri Lanka, and Nauru. The Hong Kong Police identified 117 command-and-control (C2) servers used for phishing and fraud campaigns. The targeted threats, such as Vidar, Lumma, and MetaStealer, are notorious for exfiltrating credentials, payment data, and cryptocurrency wallets, often sold via Malware-as-a-Service to facilitate ransomware, data breaches, and business email compromise (BEC). Private cybersecurity firms like Group-IB, Trend Micro, and Kaspersky contributed intelligence on compromised data and malware infrastructure.

For CISOs and security engineers, this operation underscores the importance of proactive defense strategies. Organizations that prioritize credential protection, implement multi-factor authentication (MFA), and strengthen anti-phishing measures are better equipped to combat infostealer threats. By investing in robust security mechanisms and user awareness initiatives, teams can reduce exposure, block attack vectors, and limit the effectiveness of malware campaigns.

Fake DeepSeek Downloads Deliver Proxy Malware

Kaspersky discovered a new malware distributed via phishing sites posing as a DeepSeek-R1 installer, promoted through Google Ads targeting LLM users. "BrowserVenom" reroutes browser traffic through an actor-controlled proxy, enabling attackers to monitor, manipulate, and inject content into user sessions. The malware modifies proxy settings in Chromium and Gecko-based browsers for persistence, disguising its delivery with fake CAPTCHA challenges. The attack infrastructure suggests ties to Russian-speaking actors and has infected systems in Brazil, Cuba, India, and more. The campaign underscores the rising use of social engineering and search engine abuse to distribute malware.
CISOs should focus on user education, browser security controls, and network traffic monitoring to detect unauthorized changes. Proactively blocking malicious ads, enforcing strict proxy management policies, and investing in tools to identify persistence mechanisms are critical steps to mitigate such threats.

That's it for This Week In Security. Thanks for reading and hope you enjoyed the content!

OWASP 2025 conference, KEV and RCE.
Attending the OWASP 2025 this time, something was different: the software has reached a tipping point! AI is here, and once you understand and internalize how AI technology can be used, you realize that things are going to be very different.

Google Calendar Exploits, Fake AI Packages, Malware Arrests, and a Newly Proposed Exploit Metric
Notable security news for the week of May 25 – June 1. Your editor this week is Chris from the F5 Security Incident Response Team. This week I will highlight Google Calendar exploits by an Advanced Persistent Threat (APT), malware installers disguised as popular AI tools, the arrest of 21 people in Pakistan operating a malware service, and a new exploit equation aimed at aiding KEV and EPSS.

Google Calendar Exploits

The Chinese state-sponsored threat actor APT41 has been using a malware called TOUGHPROGRESS to leverage Google Calendar for command-and-control (C2) operations. Google discovered this activity in late October of 2024. The malware was hosted on a compromised government website targeting multiple other government entities. The malware consists of three distinct components:

PLUSDROP: A DLL used to decrypt and execute the next-stage payload in memory.
PLUSINJECT: Performs process hollowing on a legitimate "svchost.exe" process to inject the final payload.
TOUGHPROGRESS: The primary malware that uses Google Calendar for C2.

The malware reads and writes events with an attacker-controlled Google Calendar, storing harvested data in event descriptions and executing encrypted commands. Google has taken down the malicious Google Calendar and terminated the associated Workspace projects, neutralizing the campaign.

https://thehackernews.com/2025/05/chinese-apt41-exploits-google-calendar.html

Fake AI Tool Packages

Since mid-October 2024, cybercriminals have been using fake installers for popular AI tools like OpenAI ChatGPT and InVideo AI to spread different types of malware. These include CyberLock ransomware, Lucky_Gh0$t ransomware, and a new malware called Numero. Developed using PowerShell, CyberLock encrypts specific files on the victim's system and demands a $50,000 ransom in Monero, claiming the funds will support humanitarian causes.
A variant of the Yashma ransomware, Lucky_Gh0$t targets files smaller than 1.2GB for encryption and deletes backups, demanding ransom payments via the Session messaging app. This destructive malware manipulates the graphical user interface components of Windows, rendering the machines unusable. It continuously runs on the victim's machine through an infinite loop. The fake AI tool websites use SEO poisoning techniques to boost their rankings and lure victims into downloading malware-loaded installers. The campaign targets individuals and organizations in the B2B sales and marketing sectors, using the popularity of AI tools to spread malware. There are multiple ways you can reduce the risk of malware threats: Use Security Software: Install reputable antivirus and anti-malware software. Ensure it is regularly updated to protect against the latest threats. Be Cautious with Emails: Avoid clicking on links or opening attachments from unknown or suspicious emails. Phishing emails are a common way to spread malware. Download from Trusted Sources: Only download software from official websites or reputable sources. Avoid third-party platforms that might disguise malware as legitimate software. Keep Software Updated: Regularly update your operating system and all installed software to patch vulnerabilities that could be exploited by malware. Use Strong Passwords: Implement strong, unique passwords for all your accounts and consider using a password manager to keep them secure. Enable Two-Factor Authentication: Add an extra layer of security to your accounts by enabling two-factor authentication wherever possible. These are all good practices to use at any time. It is always a good idea to stay diligent when it comes to security. 
https://thehackernews.com/2025/05/cybercriminals-target-ai-users-with.html Heartsender Malware Service Arrests Pakistani authorities have arrested 21 individuals accused of operating "Heartsender," a spam and malware dissemination service active for over a decade. The alleged ringleader, Rameez Shahzad, and other core developers were publicly identified in 2021 after making several operational security mistakes, such as inadvertently infecting their own computers with malware, which exposed their identities and operations. Heartsender's tools were linked to over $50 million in losses in the U.S., with European authorities investigating 63 additional cases. Heartsender provided spam and malware dissemination tools, primarily targeting users of various Internet services like Microsoft 365, Yahoo, AOL, Intuit, iCloud, and ID.me. The main clients were organized crime groups that used these tools for business email compromise (BEC) schemes. These schemes tricked companies into making payments to third parties by impersonating legitimate business contacts. The service was marketed under multiple brands, including Heartsender, Fudpage, and Fudtools. "Fud" stands for "Fully Un-Detectable," indicating that the tools were designed to evade detection by security software. The FBI and Dutch Police seized the technical infrastructure for Heartsender in January 2025. https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/ Likely Exploited Vulnerabilities (LEV) Researchers from CISA and NIST have proposed a new cybersecurity metric called Likely Exploited Vulnerabilities (LEV). This metric will help us figure out how likely a vulnerability has been used in the wild. LEV aims to enhance existing tools like Known Exploited Vulnerabilities (KEV) lists and the Exploit Prediction Scoring System (EPSS) by providing more accurate prioritization for vulnerability remediation. 
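To make the idea behind LEV concrete, here is a small Python model written for this roundup; it is an added example, not code from the post, from NIST or from CISA, and the exact NIST equations are not reproduced here. The model assumes that each EPSS score is the probability of exploitation within the following 30-day window, samples scores every 30 days from the first available date, treats the windows as independent, and combines them into the probability that the vulnerability was exploited at least once (1 minus the product of the per-window "not exploited" probabilities, with a still-open window counted pro rata). A KEV listing is treated as certainty, and the final "composite" score takes the larger of the current EPSS score and the cumulative estimate. The vulnerability ids, dates and scores are constructed sample data, not real CVE records.

```python
"""Illustrative LEV-style cumulative exploitation probability (added example; not NIST's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

WINDOW_DAYS = 30  # an EPSS score is the probability of exploitation within the next 30 days


@dataclass(frozen=True)
class EpssSample:
    day: date     # date the score was published
    score: float  # EPSS probability in [0, 1]


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                      # constructed placeholder ids, not real CVE numbers
    in_kev: bool                      # listed in a KEV catalog
    history: tuple[EpssSample, ...]   # EPSS scores sampled every 30 days from the first available date


def window_weight(sample_day: date, as_of: date) -> float:
    """Fraction of the 30-day window opened by a sample that has elapsed by as_of.

    Assumption (not stated on the page): a completed window counts in full, a window
    still in progress counts pro rata, and a window that has not started counts 0.
    """
    elapsed = (as_of - sample_day).days
    if elapsed <= 0:
        return 0.0
    return min(elapsed, WINDOW_DAYS) / WINDOW_DAYS


def lev_probability(history, as_of: date) -> float:
    """Probability that at least one window saw exploitation, assuming independent windows.

    P(never exploited) = product over samples of (1 - score * weight); result = 1 - that.
    """
    p_never = 1.0
    for s in sorted(history, key=lambda x: x.day):
        if not 0.0 <= s.score <= 1.0:
            raise ValueError(f"EPSS score out of range: {s.score}")
        p_never *= 1.0 - s.score * window_weight(s.day, as_of)
    return 1.0 - p_never


def composite_probability(rec: VulnRecord, as_of: date) -> float:
    """KEV membership is treated as certainty; otherwise take the larger of the
    current EPSS score (forward-looking) and the cumulative estimate (backward-looking)."""
    if rec.in_kev:
        return 1.0
    current = max(rec.history, key=lambda x: x.day).score
    return max(current, lev_probability(rec.history, as_of))


def prioritize(records, as_of: date):
    """Return (vuln_id, composite) pairs, highest exploitation probability first."""
    scored = [(r.vuln_id, composite_probability(r, as_of)) for r in records]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def _history(first: date, scores) -> tuple[EpssSample, ...]:
    """Build a 30-day-spaced history from a list of scores (constructed sample data)."""
    return tuple(EpssSample(first + timedelta(days=WINDOW_DAYS * i), sc) for i, sc in enumerate(scores))


FIRST = date(2025, 1, 1)           # constructed: first date an EPSS score exists
AS_OF = date(2025, 4, 1)           # 90 days later: three complete windows
AS_OF_PARTIAL = date(2025, 3, 17)  # 75 days later: the third window is half elapsed

SAMPLE_RECORDS = (
    # constructed: KEV-listed bug with a low EPSS score; KEV wins regardless
    VulnRecord("VULN-A", True, _history(FIRST, [0.01, 0.01, 0.01])),
    # constructed: not in KEV, modest scores that accumulate over three windows
    VulnRecord("VULN-B", False, _history(FIRST, [0.02, 0.05, 0.10])),
    # constructed: not in KEV, an early spike that the latest score alone would hide
    VulnRecord("VULN-C", False, _history(FIRST, [0.40, 0.02, 0.01])),
)

if __name__ == "__main__":
    for vid, p in prioritize(SAMPLE_RECORDS, AS_OF):
        print(f"{vid}: {p:.4f}")
```

VULN-C is the case the post's "vulnerabilities that are not being exploited as often" phrase points at: its current EPSS score is only 0.01, so an EPSS-only view ranks it last, but the earlier spike leaves a cumulative probability above 0.4, which is why a backward-looking estimate can surface it ahead of VULN-B.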
KEV (Known Exploited Vulnerabilities) Lists: Purpose: Catalog vulnerabilities that have been confirmed to be exploited in the wild. Usage: Helps organizations prioritize patching and remediation efforts by focusing on vulnerabilities that attackers are actively using. EPSS (Exploit Prediction Scoring System): Purpose: Provides a 30-day probability that a vulnerability will be exploited. Usage: Assists in predicting which vulnerabilities are likely to be targeted, helping organizations prioritize their security efforts. Both tools are essential for effective vulnerability management, with KEV lists focusing on known exploits and EPSS providing predictive insights. LEV uses equations that consider variables such as the first date an EPSS score is available, the date of the most recent KEV list update, inclusion in KEV, and the EPSS score measured across multiple days. LEV probabilities can help measure the expected number and proportion of vulnerabilities exploited by threat actors and estimate the comprehensiveness of KEV lists. NIST is seeking industry partners with relevant datasets to empirically measure the performance of LEV probabilities. In vulnerability management, LEV can be used for enhancement in several ways: Prioritization: LEV helps organizations prioritize vulnerabilities that are most likely to be exploited, ensuring that critical patches are applied first. LEV is more accurate because it uses data from KEV lists and EPSS scores. This means it can find vulnerabilities that are not being exploited as often. Resource Allocation: LEV enables better allocation of resources by focusing efforts on vulnerabilities with the highest exploitation probability, optimizing security operations. Risk Management: LEV probabilities help measure the expected number and proportion of vulnerabilities exploited by threat actors, aiding in comprehensive risk management. 
Collaboration: LEV encourages collaboration between industry partners and researchers to empirically measure and improve vulnerability management practices. The hope is that by integrating LEV into existing tools and processes, organizations can improve their ability to identify, prioritize, and mitigate vulnerabilities effectively. https://www.securityweek.com/vulnerability-exploitation-probability-metric-proposed-by-nist-cisa-researchers/181Views4likes0CommentsMassive DDoS, DanaBot Dismantled, Scraped Discord Messages and Signal Blocks Windows Recall
Notable security news for the week of May 18–24, 2025, brought to you by the F5 Security Incident Response Team. This week, your editor is Dharminder. In this edition, I have security news about Signal messenger, which has blocked Windows Recall to protect its users' privacy; a massive 6.3 Tbps DDoS attack on KrebsOnSecurity; CrowdStrike and the DOJ collaborating to dismantle the DanaBot malware network; and user messages from Discord's app being dumped online by researchers.

F5 May 2025 QSN, Big dollar cough up, buggy-spy chat apps
On May 5th, F5 disclosed 12 issues, 11 High and 1 Medium severity CVEs, in the F5 May 2025 Quarterly Security Notifications. Most of the issues disclosed were classic DoS on BIG-IP and BIG-IP NEXT products and are fixed in the latest BIG-IP 17.5 and 16.1.6 versions, most also in 15.1.10.7, and in the latest BIG-IP NEXT versions.