F5’s Commitment to CISA Secure by Design: Measurable Security Outcomes & Lower Operational Risk
Secure By Design Pledge The CISA Secure by Design Pledge is a voluntary commitment for enterprise software products and services (on-premises, cloud services, and SaaS). As a signatory, F5 commits to making a good-faith effort to work toward these seven goals: Measurably increase MFA usage Reduce default passwords Reduce entire classes of vulnerability (not just individual issues) Increase customer installation of security patches Publish a Vulnerability Disclosure Policy (VDP) that authorizes good-faith testing, provides a clear reporting channel, and aligns to coordinated disclosure best practices Improve CVE transparency, including accurate CWE and CPE fields, and timely issuance—especially for critical/high-impact issues Increase evidence of intrusions, improving customers’ ability to gather proof of cybersecurity intrusions affecting products Complex Modern Environments Modern enterprises are operating in pervasive complexity: multi-cloud environments, expanded tooling, and growing operational burden. In that reality, security cannot depend on perfect configuration or best-effort processes—it must be designed into products and services. For CIOs and CISOs, the CISA Secure by Design Pledge is valuable because it emphasizes measurable outcomes that reduce operational risk: increase MFA adoption, limit or eliminate default passwords, reduce entire vulnerability classes, boost customer patch installations, provide clearer vulnerability disclosure, increase transparency for CVE records, and improve ability to gather evidence of intrusions. At F5, these outcomes align with how we already handle vulnerability intake, scoring, disclosure, and customer communication. The F5 Portfolio F5’s portfolio is designed to solve customers’ toughest hybrid and multicloud pain points. But that value only holds if it is delivered with strong security controls. The pledge reinforces a baseline of security our customers and partners should already expect—especially as security leaders face growing pressure to demonstrate control effectiveness, not just intention. For CIOs and CISOs, these commitments map to tangible risk reduction and operational efficiency: fewer preventable exposures, faster remediation, clearer governance, and stronger audit and incident readiness. Secure By Design Secure by Design is about shifting security “left” into the product and service experience—so that your teams spend less time compensating for weak defaults and more time driving business outcomes. Secure by Design requires predictable, disciplined security operations that customers can integrate into their own risk- and change-management cycles. F5 discloses vulnerabilities and security exposures via a scheduled Quarterly Security Notification (QSN) process. When needed to protect customer systems, F5 may issue Security Alerts outside that cadence. F5 investigates and prioritizes reports based on potential exploitability and communicates impact using CVSS v3.1 severity categories. F5 assigns CVE identifiers and publishes security advisories for all severity levels. Portfolio History Starting with the August 2024 Quarterly Security Notification, F5 also provides a CVSS v4.0 base score for first-party issues (shown alongside CVSS v3.1). For third-party issues, F5 continues with CVSS v3.1 while building experience with CVSS v4.0. For CIOs and CISOs, this matters because it enables repeatable internal motions: patch windows, risk acceptance processes, exception handling, and audit-ready documentation. Summary Secure by Design is about lowering enterprise risk while reducing the operational cost of security: fewer risky defaults to hunt down, fewer recurring vulnerability patterns, clearer disclosure processes, faster patch adoption, and better evidence when investigating incidents. By implementing the principles laid out in CISA’s Secure by Design Pledge, F5 is reinforcing that these are not aspirational principles—they are outcomes we intend to drive and make measurable across our products and services, so customers can operate with confidence in the complex hybrid and multi-cloud environments they depend on. F5 security vulnerability response policy: https://my.f5.com/manage/s/article/K4602 CISA Secure by Design Pledge: https://www.cisa.gov/securebydesign/pledgeF5’s Memory-Safe Roadmap
At F5, we believe a strong security posture starts by reducing risk before it reaches our customers. That means engineering products that are harder to exploit in the first place. This is reflected in our decision to join more than 150 companies in taking CISA’s Secure by Design pledge. The pledge formalizes a set of security outcomes customers should be able to expect from technology providers, including: increasing the adoption and success rate of security patch installation improving the evidence customers can use to investigate intrusions, and achieving a measurable reduction in the prevalence of one or more classes of vulnerabilities. A memory-safe roadmap A memory-safe roadmap means steadily shrinking the amount of high-risk, memory-unsafe code in our products and toolchains, while adding protections that prevent entire categories of defects from being introduced or going undetected. We view this as an evolutionary journey: combining immediate mitigations that reduce exploitability today with architectural shifts that reduce the probability of such vulnerabilities existing tomorrow. Moving toward memory-safe engineering practices involves multiple parallel tracks: Prevention Reducing introduction of memory safety bugs through safer abstractions, securing coding patterns, and—where appropriate—adopting memory-safe languages for new components or major rewrites. Detection Extending automated detection to earlier in the lifecycle using modern application security practices during development Containing Reducing the blast radius when defects occur through hardening, least privilege, and runtime protections. Proving and measurement Tracking vulnerability patterns and demonstrating a reduction in risk over time. F5 will continue working with customers and the security community to improve product security, provide clear support, and help protect their environments. Our approach delivers steady risk reduction while ensuring reliable performance.HTTP Request Smuggling Using Chunk Extensions (CVE-2025-55315)
Executive Summary HTTP request smuggling remains one of the nastier protocol-level surprises: it happens when different components in the HTTP chain disagree about where one request ends and the next begins. A recent, high-visibility ASP.NET Core disclosure brought one particular flavor of this problem into the spotlight: attackers abusing chunk extensions in chunked transfer encoding to craft ambiguous request boundaries. The vulnerability was assigned a very high severity (CVSS 9.9) by Microsoft, their highest for ASP.NET Core to date. This article explains what chunk extensions are, why they can be abused for smuggling, how the recent ASP.NET Core issue fits into the bigger picture, and what defenders, implementers, and F5 customers should consider: particularly regarding HTTP normalization, compliance settings, and protection coverage across F5 Advanced WAF, NGINX App Protect, and Distributed Cloud. Background: What Are Chunk Extensions? In HTTP/1.1, chunked transfer encoding (via Transfer-Encoding: chunked) allows the body of a message to be sent in a sequence of chunks, each preceded by its size in hex, terminated by a zero-length chunk. The specification also allows chunk extensions to be appended after the chunk length, e.g.: In theory, chunk extensions were meant for metadata or transfer-layer options: for example, integrity checks or special directives. But in practice, they’re almost never used by legitimate clients or servers: many HTTP libraries ignore or inconsistently handle them, and this inconsistency across intermediaries (proxies and servers) can serve as a source of request smuggling vulnerabilities. But if a lot of servers and proxies ignore it, why would that even be an issue? Let’s see. Root Cause Analysis for CVE-2025-55315 The CVE description reads: “Inconsistent interpretation of HTTP requests (‘HTTP request/response smuggling’) in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.” Examining the GitHub commit reveals a relatively straightforward fix. In essence, the patch adjusts the chunk-extension parser to correctly handle \r\n line endings and to throw an error if either \r or \n appears unpaired. Additionally, a new flag was introduced for backward compatibility. As expected, the vulnerable logic resides in the ParseExtension function. The new InsecureChunkedParsing flag preserves legacy behavior - but it must be explicitly enabled, since that mode reflects the prior (and now considered insecure) implementation. Previously, the parser looked only for the carriage return (\r) character to determine the end of a line. In the updated implementation, it now checks for either a line feed (\n) or a carriage return (\r). Next, we encounter the following condition: The syntax may look a bit dense, but the logic is straightforward. In short, they retained the old insecure behavior when the InsecureChunkedParsing flag is enabled, which is checking the presence of \n only after encountering \r . This is problematic because it allows injecting a single \r or \n inside the chunk extension. In depth, the vulnerable condition, suffixSpan[1] == ByteLF, mirrors the old behavior - it verifies that the second character is \n. We reach this part only if we previously saw \r. The new condition validates that the last two characters of the chunk extension are \r\n. Remember that in the new version, we reach this part when encountering either \r or \n. The fixed condition ensures that if an attacker tries to inject a single \r or \n somewhere within the chunk extension, the check will fail - the condition will evaluate to false. When that happens, and if the backward-compatibility flag is not enabled, the parser throws an exception: Bad chunk extension. And what happened before the patch if the character following \r wasn’t \n? They simply continued parsing, making the following characters part of the chunk extension. That means that a chunk extension could include line terminator characters. The attack affecting unpatched ASP.NET Core applications is HTTP request smuggling via chunk extensions, a technique explained clearly and in depth in this article, which we’ll briefly summarize in this post. Request smuggling using chunk extensions variants Before diving into the different chunk-extension smuggling variants, it’s worth recalling the classic Content-Length / Transfer-Encoding (CL.TE and TE.CL) request smuggling techniques. These rely on discrepancies between how proxies and back-end servers interpret message boundaries: one trusts the Content-Length, the other trusts Transfer-Encoding, allowing attackers to sneak an extra request inside a single HTTP message. If you’re not familiar with CL.TE and TE.CL and other variants, this article gives an excellent overview of how these desync vulnerabilities work in practice. TERM.EXT (terminator - extension mismatch): The proxy treats a line terminator (usually \n) inside a chunk extension as the end of the chunk header, while the backend treats the same bytes as part of the extension. EXT.TERM (extension - terminator mismatch) The proxy treats only \r\n sequence as the end of the chunk header, while the backend treats the line terminator character inside the chunk extension as the end of the chunk header. The ASP.NET Core issue Previously, ASP.NET Core allowed lone \r or \n characters to appear within a chunk extension if the line ended with \r\n, placing it in the EXT category. If a proxy ahead has TERM behavior (treating \n as line end), their parsing mismatch can enable request smuggling. The figure shows an example malicious request that exploits this parsing mismatch. The proxy treats a lone \n as the end of the chunk extension. As a result, the bytes xx become the start of the body and 47 is interpreted as the size of the following chunk. If the proxy forwards the request unchanged (i.e., it does not strip the extension), those next chunks can effectively carry a second, smuggled request destined for an internal endpoint that the proxy would normally block. When Kestrel (the ASP.NET Core backend) receives that same raw stream, it enforces a strict \r\n terminator for extensions. Because the backend searches specifically for the \r\n sequence, it parses the received stream differently - splitting the forwarded data into two requests (the extension content, 2;\nxx is treated as a chunk header + chunk body). The end result: a GET /admin request can reach the backend, even though the proxy would have blocked such a request if it had been observed as a separate, external request. F5 WAF Protections NGINX App Protect and F5 Distributed Cloud NGINX App Protect and F5 Distributed Cloud (XC) normalize incoming HTTP requests and do not support chunk extensions. This means that any request arriving at NAP or XC with chunk extensions will have those extensions removed before being forwarded to the backend server. As a result, both NAP and XC are inherently protected against this class of chunk-extension smuggling attacks by design. To illustrate this, let’s revisit the example from the referenced article. NGINX, which treats a lone \n as a valid line terminator, falls under the TERM category. When this request is sent through NAP, it is parsed and normalized accordingly - effectively split into two separate requests: What does this mean? NAP does not forward the request the same as it arrived. It normalizes the message by stripping out any chunk extensions, replacing the Transfer-Encoding header with a Content-Length, and ensuring the body is parsed deterministically - leaving no room for ambiguity or smuggling. If a proxy precedes NAP and interprets the traffic as a single request, NAP will safely split and sanitize it. F5 Distributed Cloud (XC) doesn’t treat lone \n as line terminators and also discards chunk extensions entirely. Advanced WAF Advanced WAF does not support chunk extensions. Requests containing a chunk header that is too long (more than 10 bytes) are treated as unparsable and trigger an HTTP compliance violation. To improve detection, we’ve released a new attack signature, “ASP.NET Core Request Smuggling - 200020232", which helps identify and block malicious attempts that rely on chunk extensions. Conclusions HTTP request smuggling via chunk extensions remains a very real threat, even in modern stacks. The disclosure of CVE-2025-55315 in the Kestrel web server underlines this: a seemingly small parsing difference (how \r, \n, and \r\n are treated in chunk extensions) can allow an attacker to conceal a second request within a legitimate one, enabling account takeover, code injection, SSRF, and many other severe attacks. This case offers a great reminder: don’t assume that because “nobody uses chunk extensions” they cannot be weaponized. And of course - use HTTP/2. Its binary framing model eliminates chunked encoding altogether, removing the ambiguity that makes these attacks possible in HTTP/1.1.Red Hat in the news, £5.5B in Bitcoin recovered from scammer, more Breaches
Hello! ArvinF is your editor of the F5 SIRT This Week in Security, covering 28 September to 4 October 2025. This week, Red Hat is in the news for their Consulting GitLab instance breach and an "Important" rated vulnerability in their OpenShift AI Service product. A win - UK's Metropolitan police have arrested a scammer and recovered £5.5B (!) in Bitcoin. Then came the breach disclosures from Alianz, Westjet, Motility and a "US tech company”. Finally, the ransomware and extortion gangs - Scattered LAPSUS$ Hunters 1B Salesforce record under ransom and Radiant Group's extortion attempt getting slammed by another extortion group. Let’s get to it! Red Hat's Consulting GitLab instance has been breached by an extortion group named Crimson Collective. The group initially bragged about the breach on Telegram, showing file listings and other sensitive data in Customer Engagement Reports (CERs) that are related to Redhat customers environments. Redhat published a security incident advisory: We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance. Crimson Collective threat group notes that they found authentication tokens inside these repos and have “already used these to compromise downstream Red Hat customers.” In an advisory from the Belgian government, it notes the incident is “High Risk” for Belgian organizations and has “potential supply chain impact if service providers or IT partners worked with Red Hat Consulting” From the same advisory, it provided recommendations: Revoke & Rotate all tokens, keys, and credentials shared with Red Hat or used in integrations. Engage Third-Parties – ask your IT providers or partners whether they have used Red Hat Consulting and assess your potential exposure. Contact Red Hat for guidance on your specific exposure. Increase monitoring of authentication events, API calls, and system access for anomalies. https://www.theregister.com/2025/10/03/red_hat_gitlab_breach/ https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance https://www.theregister.com/2025/10/02/cybercrims_claim_raid_on_28000/ https://ccb.belgium.be/news/hackers-crimson-collective-use-leaked-authentication-tokens-access-customer-systems From standard user to Full Cluster Admin in Red Hat Openshift AI Service via CVE-2025-10725 Red Hat OpenShift AI Service has a 9.9 out of 10 CVSS Score CVE, tracked as CVE-2025-10725, thinly avoiding a 10 out of 10, due to a requirement of a Low-Privileged attacker. https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H In the advisory: A flaw was found in Red Hat OpenShift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster’s confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it. To resolve the vulnerability, upgrade to RHOAI 2.16.3 or if Kueue features are not required, the Kueue component management state can be set to “Removed” in the RHOAI DataScienceCluster resource. For RHOAI 2.19+, a workaround is Prevent the RHOAI operator from managing the kueue-batch-user-rolebinding then Disable the ClusterRoleBinding by updating its subject to a different, non-existent, group. Once updates providing fixes have been applied, it's recommended to remove the clusterrolebinding. This “Important” rated CVE came out approx the same time as the Red Hat Consulting GitLab breach. https://www.theregister.com/2025/10/01/critical_red_hat_openshift_ai_bug/ https://access.redhat.com/security/cve/cve-2025-10725#cve-affected-packages £5.5B in Bitcoin recovered from scammer A scammer caught by the London Metropolitan Police after a seven-year investigation and recovered a record-busting Bitcoin seizure worth £5.5B. .. carried out what the police describe as a "large-scale fraud in China" between 2014 and 2017, and then attempted to launder the significant proceeds after arriving in the UK. The three-year fraud affected more than 128,000 people and netted 61,000 Bitcoin, which at current prices is worth more than £5.5 billion ($7.4 billion). At the point the crypto tokens were seized, they would have been worth around $404 million. The scammer fled using false documents and entered the UK and attempted to launder the stolen money by buying property, said the Met. An associate helped in attempting to cash in on the laundering by buying properties in the UK and Dubai. This associate was caught last year and was jailed/sentenced. The scammer may get additional time if they fail to pay up and return more than £3.1 million. The Crown Prosecution Service said the associate benefited by £3.5 million (c $4.7 million) from the fraud, led by the scammer, and the £3.1 million figure was the total sum of her available assets at the time. Reforms to crime legislation under the previous Conservative government aimed to make it easier for the UK authorities to seize, freeze and recover crypto assets, external. The changes would also allow some victims to apply for the release of their assets held in accounts. https://www.theregister.com/2025/09/30/met_police_bitcoin_fraud/ https://www.bbc.com/news/articles/cy0415kk3rzo https://news.met.police.uk/news/woman-convicted-following-worlds-largest-seizure-501569 https://www.gov.uk/government/news/new-powers-to-seize-cryptoassets-used-by-criminals-go-live 3.7M breach notification letters - The mailman and mail servers will be busy sending breach notification letters. From the Maine AG breach disclosure pages on affected persons: Insurance biz Allianz Life - 1,497,036 WestJet - 1.2 million Motility - 766670 From the news ... "US tech company" - 250,000 The Impact: Allianz Life - The attackers accessed the data of the insurer's customers, staff, and financial professionals WestJet - affected its online services and mobile app, exposed customer data - could include names, contact details, information and documents provided in connection with their reservation and travel, and data regarding victims' Motility Software Solutions - "unauthorized actor deployed malware that encrypted a portion of our systems. Although the malware primarily restricted our access to internal data, the forensic evidence suggests that, before encryption, the actor may have removed limited files containing customers' personal data ... could include full names, home and email addresses, telephone numbers, dates of birth, SSNs, and driver's license numbers." That’s a lot of names, SSNs, CCs, email addresses, addresses, IDs. All three businesses offered identity protection and credit monitoring services – Allianz Life and WestJet two years of coverage, Motility 12 months. https://www.theregister.com/2025/10/01/north_american_data_breaches/ Scattered LAPSUS$ Hunters 1B Salesforce Records under ransom Scattered LAPSUS$ Hunters gave Salesforce until October 10, a deadline to negotiate payment or leak their customer’s data. Scattered LAPSUS$ Hunters are 3 threat / ransomware groups - Scattered Spider, ShinyHunters, and Lapsus$ - that had a moment of solidarity "to break into businesses' networks, steal their data, and force an extortion payment." Per Salesforce advisory: "We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities," "Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support," "At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology." In August of 2025, there was the Salesloft drift breach that affected Salesforce customers. https://www.theregister.com/2025/10/03/scattered_lapsus_hunters_latest_leak/ https://www.theregister.com/2025/09/14/in_brief_infosec/ https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/ https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/ https://status.salesforce.com/generalmessages/20000224?locale=en-US Radiant Group extortion gang crosses the line and gets schooled by other ransomware groups Radiant Group stole data from Kido International, a school for young children with branches in the UK, US, and India. They then posted unblurred pictures of 10 children, along with their addresses, parents’ names, and other personal data, and threatened to expose more if a ransom wasn't paid. Parents of some children claimed to have received threatening calls after Radiant published the data. London's Metropolitan Police investigators are following up on the case. But now, Radiant says it removed the child data it had posted after receiving pressure from other ransomware groups. It seems they crossed a line in the criminal world and backed down when called out for it. Rebecca Taylor, a threat intelligence knowledge manager at security biz Sophos, tells The Register that the crew was called out by the well-established ransomware-as-a-service Nova gang on the Russian Anonymous Market Place (RAMP), an online souk for cybercriminals. One of Nova's affiliate members, going under the handle BlackBeard, told Radiant, "reputation important, don't attack child right." "We have disabled any attacks relating to them, is not allowed anymore," Radiant answered, and added, "Any data relating to under 18s who attended have been deleted." BlackBeard congratulated them and wished the extortionists good luck for the future and Nova offered to help in future raids. Radiant claimed to have information on over 8,000 children enrolled at Kido, as well as their family, teachers, and staff. Taylor told us that the Radiant Group seems to be new script kiddies on the block and have overstepped themselves, and are now trying to make nice with the rest of the criminal community. https://www.theregister.com/2025/10/02/ransomware_radiant_delete_kids_info/ https://www.theregister.com/2025/09/25/ransomware_gang_publishes_toddlers_images/ https://www.theguardian.com/technology/2025/oct/02/kido-nursery-hackers-say-they-have-deleted-stolen-data Outro The amount of breach news from this week was something - the leaked personal and financial information will surely be the foundation of future breaches and extortions. These breaches were perpetrated by ransomware and extortion gangs that utilized social engineering and known and unknown vulnerabilities in their campaigns. As defenders, we should advise our organizations to keep our systems updated, implement levels and layers of security defenses and keep ourselves and our peers educated on good security practices. The silver lining is the recovery of the £5.5B worth of Bitcoin from scammers caught in the UK. The many victims of scammers have an opportunity to recover their lost assets. Credit to the original source and posts! I hope the news I picked is informative and educational. Till next time - Stay Safe and Secure! As always, if this is your first TWIS, you can always read past editions. We also encourage you to check out all of the content from the F5 SIRT.European airport software attack and zero day ‘s are here
A cyberattack disrupted automatic check in, boarding pass issuance, and baggage dispatch systems at several major European airports. The affected software was provided by Collins Aerospace (RTX subsidiary), and the attack left many airports resorting to manual operations (handwritten boarding passes, use of laptops, etc.). A critical vulnerability (CVE 2025 10035) in Fortra’s GoAnywhere Managed File Transfer (MFT) software was actively exploited as a zero day before the vendor publicly disclosed it. The flaw lies in the License Servlet and allows command injection via unsafe deserialization under certain conditions.Mobile Security: Current Challenges & A Vision For The Future
In today’s hyper-connected world, smartphones are far more than communication devices. They are personal assistants, financial hubs, health trackers, and corporate gateways. With over billions of smartphone users globally, these devices have become indispensable tools for work, entertainment, and daily life. However, their commonness has not gone unnoticed by cybercriminals, making mobile security one of the most pressing challenges of our time. From malicious apps to phishing attacks and zero-day vulnerabilities, threats targeting mobile devices are evolving rapidly. This article will explore the current mobile security landscape, the future of this field, and best practices for safeguarding mobile devices against growing cyber risks. The Current Mobile Threat Landscape Mobile devices have become lucrative targets for attackers, owing to their use in both personal and professional capacities. Nowadays, threats targeting mobile devices are more sophisticated, leveraging advanced technologies such as AI and automation. 1. Mobile Malware and Spyware: Malicious software crafted for smartphones has surged in recent years. Attacks like FluBot and Joker malware have compromised thousands of mobile devices globally. They steal sensitive information such as banking credentials and personal data. Spyware, such as Pegasus, has shown how attackers can exploit zero-day vulnerabilities to take control of a device remotely and exfiltrate information, including encrypted communications. 2. Smishing & Phishing Attacks: Phishing attacks have migrated from email to mobile messaging. Smishing (SMS phishing) and phishing through messaging apps like WhatsApp, Telegram, or Facebook Messenger are highly effective because users tend to trust these platforms. Attackers use tactics like fake package delivery notifications or password reset requests to trick victims into revealing sensitive information. 3. Mobile Payments Under Siege: The widespread adoption of mobile payment platforms (Google Pay, Apple Pay, PayPal) and QR-code-based payments has introduced unprecedented convenience. However, these systems are now lucrative targets for attackers. For example, malicious QR codes redirect users to phishing sites or download malware to compromise financial accounts. 4. IoT and 5G Vulnerabilities: As smartphones increasingly function as controllers for IoT ecosystems (smart homes, wearables, connected cars), attackers see an opportunity to exploit vulnerabilities across interconnected devices. With the rise of 5G networks, data is being transmitted faster than ever. This speed also introduces risks related to network attacks, unauthorized access, and greater attack surfaces. 5. Emerging AI-Powered Threats: Artificial intelligence has revolutionized how attackers create and execute cyberattacks. AI can be used to automate phishing campaigns, generate realistic text for scams, or even create deepfake audio and video to impersonate individuals in real time. These hyperrealistic attacks are harder to detect and even more effective at deceiving victims. Future of Mobile Security The challenges we face today are only the beginning. As mobile technology advances and becomes further integrated with every facet of human life, mobile security will define the frontlines of cybersecurity. 1. AI-Enhanced Defenses Just as attackers leverage AI for malicious purposes, defenders are increasingly using AI for anomaly detection and behavioral analytics. Machine learning tools can analyze user behavior in real time. They can detect unusual patterns such as unauthorized app activity or data exfiltration attempts. As AI improves, it will play a central role in combating AI-generated threats and various forms of malware. 2. Quantum-Safe Cryptography While quantum computing is still in its early stages, its eventual application will have profound implications for data encryption. Organizations are already exploring post-quantum cryptography. This ensures that mobile communications and sensitive information remain secure against the enormous processing power of quantum computers. 3. Zero-Trust Architecture for Mobile Devices Zero Trust principles, which by default trust no device, application, or user regardless of their network location, are being used more on mobile devices. Continuous verification, device posture checks, and contextual information (e.g., user behavior, location) will further tighten security for mobile endpoints accessing sensitive systems. 4. Hardware-Backed Security By 2025, most modern devices will come pre-equipped with secure enclaves (such as Apple’s Secure Enclave or Android’s Titan M chips). These hardware modules are isolated from the operating system. This keeps sensitive data like cryptographic keys, payment information, and biometric data secure from OS-level exploits. 5. Stricter Regulation and Compliance Privacy regulations like GDPR, CCPA, and other global frameworks will continue to evolve, ensuring that users' data is handled responsibly. Mobile app developers will embed compliance-by-design practices. They will focus on transparency, limited data collection, and permission management to align with user rights. 6. Interconnected Ecosystems and Broader Risks As IoT ecosystems mature, the smartphone will act as the central controller for a growing range of devices. Cybersecurity solutions for mobile devices will need to address the cascading risks posed by compromised IoT devices, interconnected networks, and 5G-enabled technologies. Best Practices to Protect Mobile Devices Both individuals and organizations must adopt proactive mobile security strategies. Here are some of the best practices for reducing exposure to threats: For Individuals: Enable Biometric, and Multi-Factor Authentication (MFA): Use biometrics like fingerprints or facial recognition alongside MFA for critical accounts such as banking, email, and corporate logins. Keep Devices and Apps Updated: Regularly update operating systems and apps to patch critical vulnerabilities. Many attacks target older, unpatched versions of software. Review App Permissions Carefully: Avoid granting unnecessary permissions to apps, especially for access to sensitive data like location, contacts, or storage. Use Trusted App Stores: Stick to verified marketplaces like Google Play and Apple’s App Store to avoid downloading malicious apps. Adopt Secure Communication Tools: Use encrypted messaging apps like Signal or WhatsApp for confidential communication. Beware of Smishing and Phishing Attacks: Avoid clicking on suspicious links in SMS or messaging apps. If something seems too urgent or too good to be true, validate its authenticity via official channels. Use Mobile VPNs: A Virtual Private Network (VPN) ensures secure browsing, especially on public Wi-Fi networks. Install Anti-Malware Apps: Consider a trustworthy mobile security app to monitor your device for malware and other threats. For Organizations: Adopt Mobile Threat Defence (MTD): Deploy MTD solutions that integrate with Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) platforms. These tools provide real-time monitoring of mobile endpoints and threat mitigation. Implement Zero Trust Network Access (ZTNA): Use a zero-trust approach for mobile device access to corporate networks, continually verifying devices for access permissions. Enforce App Containerization: Use tools that separate corporate data from personal applications on mobile devices to prevent cross-contamination of information. Train Employees on Mobile Security: Regular awareness campaigns and training on recognizing smishing scams, fake apps, and account takeover attempts are critical. Monitor for SIM-Swap Attacks: Leverage tools capable of detecting and flagging suspicious account activity associated with SIM-swapping fraud. Restrict BYOD Access: For Bring Your Own Device (BYOD) policies, enforce strict security policies, such as requiring up-to-date OS and apps, to minimize risks. Conclusion There is no doubt that the future of cybersecurity is mobile-centric. As smartphones continue to act as gateways to digital assets, IoT ecosystems, and corporate networks, they will remain a primary battleground for attackers and defenders alike. The good news is that both individuals and organizations are empowered to improve their resilience. By adopting stronger authentication measures, AI-powered defenses, zero trust principles, and remaining vigilant with updates and monitoring, mobile security can evolve to meet even the most sophisticated challenges ahead. In the race to safeguard the digital future, proactive preparation, collaboration, and innovation in mobile security ensures that technology continues to empower, not endanger its users.Apple’s MIE, Fake Chrome Ext, and C2PA Content Credentials in Google Pixel
Notable security news for the week of Sept 7-13th, 2025, brought to you by the F5 Security Incident Response Team. This week, your editor is Dharminder. In this edition, I have security news covering Apple's new built-in memory safety system called Memory Integrity Enforcement, the emergence of fake Chrome extensions used to hijack Meta business accounts, Google's introduction of Trusted Photography with C2PA Content Credentials in Google Pixel a significant step towards digital media transparency and CISA's alert regarding the actively exploited Dassault DELMIA Apriso RCE vulnerability
