TWIS
Oracle hack, North Korean Hackers, Critical Flaw in Apache
This week in cybersecurity, it seems both hackers and defenders have been working overtime. While hackers have been creatively causing chaos, cybersecurity professionals have been equally busy patching up the digital world. It's a never-ending game of whack-a-mole, but with higher stakes and fewer mallets.

IngressNightmare, Next.js critical, More Agents, pwned
Introduction

Hello! ArvinF is your editor covering 23 to 29 March 2025 for this edition of F5 SIRT This Week in Security. Credit to the original sources.

IngressNightmare

Wiz has discovered serious vulnerabilities in the admission controller component of Ingress-Nginx Controller that could allow the total takeover of Kubernetes clusters, and thinks more than 6,000 deployments of the software are at risk on the internet. This vulnerability is fixed in Ingress NGINX Controller versions 1.12.1 and 1.11.5, so do update to the latest version, and ensure the admission webhook endpoint is not exposed externally. If an upgrade is not yet possible, other mitigations are:
- Enforce strict network policies so only the Kubernetes API Server can access the admission controller.
- Temporarily disable the admission controller component of Ingress-NGINX.

F5 published K000150538: Kubernetes ingress-nginx vulnerabilities CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, and CVE-2025-24514, because F5 NGINX has a similarly named but different product, NGINX Ingress Controller. That product has been assessed and is not vulnerable to the IngressNightmare CVEs.
https://my.f5.com/manage/s/article/K000150538

F5 also released, in the March 27 2025 attack signature update (ASU), an attack signature to address IngressNightmare, namely 200103569.
K000150594: Attack Signatures for IngressNightmare: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974
https://my.f5.com/manage/s/article/K000150594

Risk: High
Signature ID: 200103569 (New)
Signature name: Kubernetes NGINX Ingress Admission Controller Command Execution
Attack type: Command Execution
CVEs: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24514
Description: Kubernetes Ingress NGINX controller is vulnerable to remote command execution via a malicious AdmissionReview request

https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/

Next.js critical CVE-2025-29927

A critical severity vulnerability has been discovered in the Next.js open-source web development framework, potentially allowing attackers to bypass authorization checks. The flaw, tracked as CVE-2025-29927, enables attackers to send requests that reach destination paths without going through critical security checks. Next.js is a popular React framework with more than 9 million weekly downloads on npm. It is used for building full-stack web apps and includes middleware components for authentication and authorization.

Next.js uses a header called 'x-middleware-subrequest' that dictates whether middleware functions should be applied. The header is read by the 'runMiddleware' function responsible for processing incoming requests. If it detects the 'x-middleware-subrequest' header with a specific value, the entire middleware execution chain is bypassed and the request is forwarded to its destination. The original research used the header values "x-middleware-subrequest: /pages/_middleware" and "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" (and variations of them) as examples; these are potential Indicators of Attack and are useful for monitoring and logging systems and for threat hunting.

F5 released, in the March 23 2025 ASU, an attack signature to address CVE-2025-29927, namely 200013111.
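As an added example (not code from the original post, Next.js or F5), the following scans constructed access-log records for the 'x-middleware-subrequest' header described above, classifies the values cited in the research, and shows an edge-side filter that drops the header from inbound requests before they reach the application; the JSON log format, timestamps and addresses are assumptions.

```javascript
// Constructed sample access-log records (JSON lines) for a Next.js app behind a reverse proxy.
// The header name and the two example values come from the original research; everything else
// (timestamps, addresses, paths) is made up for this example.
const SAMPLE_LOG = [
  '{"ts":"2025-03-24T10:00:01Z","src":"203.0.113.10","method":"GET","path":"/dashboard","headers":{}}',
  '{"ts":"2025-03-24T10:00:02Z","src":"203.0.113.11","method":"GET","path":"/dashboard","headers":{"x-middleware-subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  '{"ts":"2025-03-24T10:00:03Z","src":"198.51.100.5","method":"GET","path":"/admin","headers":{"X-Middleware-Subrequest":"/pages/_middleware"}}',
  '{"ts":"2025-03-24T10:00:04Z","src":"198.51.100.6","method":"POST","path":"/api/orders","headers":{"x-middleware-subrequest":"src/middleware:src/middleware:src/middleware:src/middleware:src/middleware"}}',
  '{"ts":"2025-03-24T10:00:05Z","src":"198.51.100.7","method":"GET","path":"/admin","headers":{"x-middleware-subrequest":"probe"}}',
  'this line is not JSON and must be skipped',
  '{"ts":"2025-03-24T10:00:06Z","src":"10.0.0.7","method":"GET","path":"/","headers":{"user-agent":"curl/8.0"}}',
];

const HEADER = 'x-middleware-subrequest';

// Value shapes cited in the research: the legacy "/pages/_middleware" path and a chain of
// "middleware" (or "src/middleware") segments separated by colons.
const KNOWN_PATTERNS = [
  /^\/?pages\/_middleware$/i,
  /^(?:src\/)?middleware(?::(?:src\/)?middleware)*$/i,
];

// Any external request carrying the header is suspicious, since the header is meant for
// Next.js-internal subrequests; the verdict only says whether the value matches a known shape.
function classifyHeaderValue(value) {
  return KNOWN_PATTERNS.some((re) => re.test(value)) ? 'known-bypass-value' : 'unexpected-value';
}

// Header names are case-insensitive, so compare in lowercase.
function findSubrequestHeader(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === HEADER) return value;
  }
  return null;
}

// Threat-hunting pass over raw log lines: one finding per request that carried the header.
function scanLogLines(lines) {
  const findings = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // tolerate malformed lines
    const value = findSubrequestHeader(rec.headers || {});
    if (value === null) continue;
    findings.push({ ts: rec.ts, src: rec.src, path: rec.path, value, verdict: classifyHeaderValue(value) });
  }
  return findings;
}

// Mitigation at the edge (proxy, WAF or CDN function): drop the header from inbound requests so a
// client-supplied copy never reaches the middleware check. Returns a new header object.
function stripExternalSubrequestHeader(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== HEADER) clean[name] = value;
  }
  return clean;
}

// Stand-alone run: print the findings for the constructed log.
for (const f of scanLogLines(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.src} ${f.path} ${HEADER}=${JSON.stringify(f.value)} -> ${f.verdict}`);
}
```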
Risk: High
Signature ID: 200013111 (New)
Signature name: Next.js Middleware Authorization Bypass
Attack type: Authentication/Authorization Attacks
CVEs: CVE-2025-29927
Description: Next.js is vulnerable to an authorization check bypass on middleware via a specially crafted request

https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
https://www.bleepingcomputer.com/news/security/critical-flaw-in-nextjs-lets-hackers-bypass-authorization/
https://www.ncsc.gov.uk/news/vulnerability-affecting-nextjs-web-development-framework
https://nextjs.org/blog/cve-2025-29927
https://jfrog.com/blog/cve-2025-29927-next-js-authorization-bypass/

Chrome emergency patches zero-day

Google pushed out an emergency patch for Chrome on Windows this week to stop attackers from exploiting a sandbox-breaking zero-day vulnerability, seemingly used by snoops to target certain folks in Russia. Now Mozilla’s doing damage control, too, after spotting a similar flaw – albeit unexploited, as far as we’re aware – lurking in the code of its Firefox browser.

"The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist," wrote Kaspersky researchers Igor Kuznetsov and Boris Larin.
https://securelist.com/operation-forumtroll/115989/
https://www.theregister.com/2025/03/28/google_kaspersky_mozilla/

More Security Copilot Agents

Microsoft revealed an expanded flight plan for Security Copilot, which is now assisted by 11 task-specific AI agents that interact with products like Defender, Purview, Entra, and Intune. Of the 11 Security Copilot agents introduced, five came from Microsoft Security partners. The Microsoft-made agents include:
- Phishing Triage Agent in Microsoft Defender, for sorting phishing reports.
- Alert Triage Agents in Microsoft Purview, for triaging data loss prevention and insider risk alerts.
- Conditional Access Optimization Agent in Microsoft Entra, for monitoring and preventing identity and policy issues.
- Vulnerability Remediation Agent in Microsoft Intune, for prioritizing vulnerability remediation.
- Threat Intelligence Briefing Agent in Security Copilot, for curating threat intelligence.

Microsoft Security partners have also contributed to the agent pool:
- Privacy Breach Response Agent (OneTrust), for distilling data breaches into reporting guidance.
- Network Supervisor Agent (Aviatrix), for doing root-cause analysis on network issues.
- SecOps Tooling Agent (BlueVoyant), for assessing security operations center controls.
- Alert Triage Agent (Tanium), for helping security analysts prioritize alerts.
- Task Optimizer Agent (Fletch), for forecasting and prioritizing threat alerts.

The eleventh agent resides in Microsoft Purview Data Security Investigations (DSI), an AI-based service designed to help data security teams deal with data exposure risks. Essentially, these agents use the natural language capabilities of generative AI to automate the summarization of high-volume data like phishing warnings or threat alerts so that human decision makers can focus on the signals deemed most pressing.

F5 has reference literature on Agentic AI. The Microsoft Security Copilot agents are "AI Agents", focused on executing specific tasks based on predefined rules. "Agentic AI" has "autonomy and adaptive decision making" and is a combination of GenAI and AI Agents. Agentic AI combines extremely specific directive code that executes jobs with AI inference to generate or predict rich and contextual answers. Agentic AI is not magic, but it is more powerful than agents or GenAI operating alone. These two building blocks can be assembled in various amounts and combinations, automating a flow of work to produce tremendously valuable results. Here is a simple diagram depicting an automated agentic AI workflow.
It uses multiple types of specialized agents and AI models to complete a set of actions. The solution executes until an acceptable outcome is achieved, and the result is then fed back to the user.
https://www.theregister.com/2025/03/24/microsoft_security_copilot_agents/
https://www.f5.com/company/blog/ai-agents-vs-agentic-ai-understanding-the-difference
https://www.f5.com/company/blog/security-context-matters-for-agentic-ai
https://community.f5.com/kb/technicalarticles/agentic-rag---securing-genai-with-f5-distributed-cloud-services/339571
https://www.youtube.com/watch?v=Pwb8k3LPKgI

HaveIBeenPwned mailing list leaked

Infosec veteran Troy Hunt of HaveIBeenPwned fame is notifying thousands of people after phishers scooped up his Mailchimp mailing list. The list comprises around 16,000 records, and every active subscriber will be receiving a notification and apology email soon. Around half of these records (7,535), however, pertain to individuals who had unsubscribed from the list.

Based on the original blog post, tiredness was a factor in the momentary lapse in judgment. In the brief window after the credentials were captured, the attacker was able to export the HaveIBeenPwned mailing list, which suggests an automated attack. In general, we should protect our digital fingerprints as extensively as we can. Having a second factor of authentication may not be sufficient anymore given the advancement in phishing attacks. Use phishing-resistant MFA where possible and stick to the basics: if you are not sure, don’t click.
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
https://www.theregister.com/2025/03/25/troy_hunt_mailchimp_phish/
https://www.pcmag.com/news/creator-of-haveibeenpwned-data-breach-site-falls-for-phishing-email
https://www.cisa.gov/news-events/news/phishing-resistant-mfa-key-peace-mind

NCSC taps influencers to make 2FA go viral

In related news covering a much wider audience, the UK’s National Cyber Security Centre (NCSC) has hopped on the bandwagon to preach two-factor authentication (2FA) to the masses. It's the latest effort to improve the nation's cyber resilience as part of the Stop! Think Fraud campaign launched in February 2024 under Rishi Sunak’s government, drafting in comedic sketch artists and Instagram personal finance gurus to promote wider uptake of security technologies. "To boost public awareness about the crucial benefits of enabling two-step verification on their most important accounts, we’ve partnered with popular social media influencers to amplify this vital message and encourage a wider audience to adopt secure online habits."
https://www.theregister.com/2025/03/26/ncsc_influencers_2fa/
https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/activate-2-step-verification-on-your-email

BlackLock ransomware gang pwned

Cybersecurity vendor Resecurity is admitting to breaking into a notorious ransomware crew's infrastructure and gathering data it relayed to national agencies to help victims. Dubbed "BlackLock" (aka "El Dorado" or "Eldorado"), the ransomware-as-a-service (RaaS) outfit has existed since March 2024. In Q4 of last year, it increased its number of data leak posts by a staggering 1,425% quarter-on-quarter. According to independent reporting, this relatively new group has rapidly accelerated attacks and could become the most dominant RaaS group in 2025.
Resecurity identified a vulnerability present at the Data Leak Site (DLS) of BlackLock in the TOR network, successful exploitation of which allowed their analysts to collect substantial intelligence about the group's activity outside of the public domain. The Resecurity blog is a good read as they walk through their exploit, findings and communications with the BlackLock group. Another group mentioned was DragonForce, very similar in techniques, which also pwned the BlackLock Data Leak Site.
https://www.resecurity.com/blog/article/blacklock-ransomware-a-late-holiday-gift-with-intrusion-into-the-threat-actors-infrastructure
https://www.theregister.com/2025/03/27/security_shop_pwns_ransomware_gang/
https://www.infosecurity-magazine.com/news/blacklock-2025s-most-prolific/

And that's the week that was

I hope you find the security news I picked educational. We have a mix of vulnerabilities, a zero day, Security Copilot AI agents and F5 Agentic AI, phishing, the UK NCSC 2FA public awareness campaign and, for the cherry on top, a ransomware gang getting pwned.

For vulnerabilities and zero days, update your systems and software as soon as possible to mitigate them. Implement WAF, Bot Defense or DDoS mitigations where possible, and in anticipation of future vulnerabilities and application attacks. Ensure only trusted users and networks have access to your systems. If a system does not need to be exposed for public access, ensure that it is not.

For phishing, stand up the human firewall: be vigilant on received emails and links. If unsure, don’t click. Use MFA, preferably phishing-resistant MFA. Any MFA is better than no MFA.

AI agents and Agentic AI: we might have been using them without knowing it. If you own one, ensure you protect it and implement security controls. Think F5 Distributed Cloud.

Till next time - Stay Safe and Secure! As always, if this is your first TWIS, you can always read past editions.
We also encourage you to check out all of the content from the F5 SIRT.

AppSec, Camels, Typhoons, and Backdoors
Welcome back to the F5 SIRT's weekly roundup of whatever news caught the editor's eye, and whatever else we feel like covering. It's our soapbox, and we're going to use it! This week MegaZone is once again at the keyboard, and we'll be covering news for the week of March 2-8, 2025.

A Very Chinese New Year
Happy New Year everyone! It's a new year, with new news, and the same old(er) MegaZone. This time we're looking at the news that I found worthy from the week of January 5-11, 2025. (Have you gotten used to typing 2025 yet?) I found it to be a fairly slow news week, and not much really grabbed my attention enough that I felt it was worth commenting on. That's not too unusual for the start of a new year, as there is often a bit of a post-holiday lull. Not that there was no news at all; it is never truly quiet in cybersecurity, just that most of it was run-of-the-mill stuff, IMHO. Oh, and as for the title of this 'issue', I know the Lunar New Year (aka Chinese New Year) isn't until January 29th, but I couldn't pass up the play on words given the topic below. And with that, let's dive in.

AppWorld 2025 Security Insights - ADC 3.0, AI Security, and more
Welcome to this week’s notable security news (Feb 24–Mar 2, 2025), brought to you by Jordan_Zebor from F5 SIRT. Although our main focus is usually on emerging threats and protective measures, I recently attended F5 AppWorld 2025 in person and found it invaluable for understanding what’s next in secure application delivery. For those who aren’t familiar, F5 AppWorld is an in-person conference packed with sessions, hands-on labs, and networking opportunities, an ideal forum for discussing real-world challenges in securing and optimizing applications.

F5 AppWorld was especially exciting this year, with one major announcement immediately standing out: ADC 3.0, the industry’s first converged platform for application delivery and security in hybrid multicloud infrastructures. At its core, ADC 3.0 features the F5 AI Gateway, which mitigates threats like sensitive information disclosure and prompt injection, directly addressing the OWASP LLM Top 10 vulnerabilities. From our F5 SIRT perspective, this integrated traffic management and AI-specific threat protection is a big step forward in stopping sophisticated attacks before they reach critical assets.

Another key development was the new AI assistant for F5 NGINX One. Powered by a large language model trained specifically for NGINX, it offers real-time, context-aware guidance for DevOps, SecOps, NetOps, and Platform Ops teams. By reducing manual troubleshooting and configuration time, it promises noticeable improvements in both performance and security operations.

F5’s expanded VELOS hardware, including the CX1610 6-Tbps chassis and BX520 400-Gbps blade, also drew significant attention. With the ability to handle 224 million Layer 7 requests per second, VELOS provides robust defenses against large-scale DDoS attacks and other disruptive threats. In an era of escalating assaults, its high throughput and low latency are invaluable for maintaining availability.
Outside of these technical highlights, astronaut Scott Kelly’s keynote was a memorable conference moment. He offered both humor and insight on resilience and learning from failure, showing how teams can excel under pressure.

Overall, F5 AppWorld underscored the importance of having direct conversations about strong security practices and real-world application needs. Hearing customers’ challenges firsthand inspires us at F5 SIRT to continuously refine our countermeasures and strategies. For anyone looking to stay ahead of the evolving threat landscape, the innovations unveiled at AppWorld provide a glimpse into what’s possible. If you’d like to learn more, visit F5’s website or contact us directly to explore how these solutions might improve your security posture.

U.S. Government cuts, Majorana 1 Chip, CVEs for Mongoose and OpenSSH
Notable news for the week of February 17th through February 24th. Your editor this week is Chris from the F5 Security Incident Response Team. For this edition, we discuss U.S. government cuts to cyber security and consumer protections, Microsoft’s advancement in the field of quantum computing, and new flaws found in both MongoDB and OpenSSH.

Cuts to Cyber and Consumer Protections

With the new administration in the US, there have been a large number of job cuts throughout the federal government. This includes at least 130 employees being fired from the Cybersecurity and Infrastructure Security Agency (CISA). These cuts are reported to include staff dedicated to election security, fighting misinformation, and foreign influence operations. Along with the cuts, the Department of Government Efficiency (DOGE) arrived at CISA and was given access to the agency’s email and files. DOGE has been gaining access to many sensitive federal agencies that hold a large amount of personal and financial information on Americans. These agencies include the Social Security Administration (SSA), the Department of Homeland Security, the Office of Personnel Management (OPM), and the Treasury Department. DOGE has also been trying to gain access to the systems of the Internal Revenue Service (IRS). From a security standpoint, this is extremely alarming because it appears to bypass many security safeguards and measures, a sentiment reported by many security experts. Another aspect that does not inspire confidence is that the doge.gov website administrators had left their database wide open, allowing someone to publish messages making fun of the site's insecurity.

On the consumer protection side, the Consumer Financial Protection Bureau (CFPB) was ordered to stop most work. The CFPB was created in 2011 to protect consumers from financial institutions that violate consumer protection laws.
The newly appointed CFPB director, Russell Vought, has publicly favored abolishing the agency, which is alarming since it would remove some of the regulations that exist.
https://krebsonsecurity.com/2025/02/trump-2-0-brings-cuts-to-cyber-consumer-protections/

Microsoft's Majorana 1 Chip

Microsoft has announced the world's first quantum processor that uses topological qubits, named the Majorana 1. It is designed to scale to a million qubits on a single chip. Typical qubits are highly sensitive to noise in the environment, which can cause them to lose their quantum state and introduce errors; this is known as decoherence. To counter this, many more qubits have to be added for error correction, which means a lot more room is needed for just one qubit to work. Topological qubits work by encoding information in the topology of the physical system, which in theory makes each qubit more fault tolerant. Essentially, this means fewer are needed in the long run to produce a quantum computer. This is a huge achievement, but along with it come security concerns, the main one being the ability to do quantum decryption. This technology brings a fault tolerant prototype within years instead of decades; many believe this will be within 5 to 10 years.
https://www.securityweek.com/what-microsofts-majorana-1-chip-means-for-quantum-decryption/

Critical MongoDB Library Flaws

Two critical vulnerabilities were found in a third-party library that MongoDB deployments rely on, which can lead to stolen data or code execution. Mongoose is an Object Data Modeling (ODM) library for MongoDB that enables database integrations in Node.js applications. Researchers at OPSWAT revealed two critical security flaws that threaten the integrity of data stored in MongoDB and open it up to theft, manipulation, or destruction. The first CVE is CVE-2024-53900, which is given a CVSS score of 9.1.
This is an SQL injection bug which allows a specially crafted query to bypass MongoDB's server-side JavaScript restrictions, potentially leading to remote code execution (RCE). It was reported in November and patched in version 8.8.3. The second CVE is CVE-2025-23061, with a CVSS score of 9.0. It was found by the same researcher and is actually a bypass of the patched version that still allowed RCE. This was addressed in version 8.9.5.
https://www.theregister.com/2025/02/20/mongoose_flaws_mongodb/

New OpenSSH Flaws

Two new security vulnerabilities have been found in the OpenSSH suite which could result in an active Machine-in-the-Middle (MitM) or a Denial-of-Service (DoS) attack under specific conditions. The first is CVE-2025-26465, with a CVSS score of 6.8. The OpenSSH client contains a logic error between versions 6.8p1 and 9.9p1 (inclusive) that makes it vulnerable to a MitM attack if the VerifyHostKeyDNS option is enabled. The second is CVE-2025-26466, with a CVSS score of 5.9. The OpenSSH client and server are vulnerable to a pre-authentication DoS attack between versions 9.5p1 and 9.9p1 (inclusive) that causes memory and CPU consumption.

Successful exploitation of the first one could permit malicious actors to compromise and hijack SSH sessions and possibly gain access to sensitive data. The VerifyHostKeyDNS option is disabled by default. Exploitation of the second CVE results in availability issues, as its DoS label indicates. Both of these CVEs have been addressed in version 9.9p2 of OpenSSH, which was released on February 18th.
https://thehackernews.com/2025/02/new-openssh-flaws-enable-man-in-middle.html