HTTP Request Smuggling Using Chunk Extensions (CVE-2025-55315)
Executive Summary HTTP request smuggling remains one of the nastier protocol-level surprises: it happens when different components in the HTTP chain disagree about where one request ends and the next begins. A recent, high-visibility ASP.NET Core disclosure brought one particular flavor of this problem into the spotlight: attackers abusing chunk extensions in chunked transfer encoding to craft ambiguous request boundaries. The vulnerability was assigned a very high severity (CVSS 9.9) by Microsoft, their highest for ASP.NET Core to date. This article explains what chunk extensions are, why they can be abused for smuggling, how the recent ASP.NET Core issue fits into the bigger picture, and what defenders, implementers, and F5 customers should consider: particularly regarding HTTP normalization, compliance settings, and protection coverage across F5 Advanced WAF, NGINX App Protect, and Distributed Cloud. Background: What Are Chunk Extensions? In HTTP/1.1, chunked transfer encoding (via Transfer-Encoding: chunked) allows the body of a message to be sent in a sequence of chunks, each preceded by its size in hex, terminated by a zero-length chunk. The specification also allows chunk extensions to be appended after the chunk length, e.g.: In theory, chunk extensions were meant for metadata or transfer-layer options: for example, integrity checks or special directives. But in practice, they’re almost never used by legitimate clients or servers: many HTTP libraries ignore or inconsistently handle them, and this inconsistency across intermediaries (proxies and servers) can serve as a source of request smuggling vulnerabilities. But if a lot of servers and proxies ignore it, why would that even be an issue? Let’s see. Root Cause Analysis for CVE-2025-55315 The CVE description reads: “Inconsistent interpretation of HTTP requests (‘HTTP request/response smuggling’) in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.” Examining the GitHub commit reveals a relatively straightforward fix. In essence, the patch adjusts the chunk-extension parser to correctly handle \r\n line endings and to throw an error if either \r or \n appears unpaired. Additionally, a new flag was introduced for backward compatibility. As expected, the vulnerable logic resides in the ParseExtension function. The new InsecureChunkedParsing flag preserves legacy behavior - but it must be explicitly enabled, since that mode reflects the prior (and now considered insecure) implementation. Previously, the parser looked only for the carriage return (\r) character to determine the end of a line. In the updated implementation, it now checks for either a line feed (\n) or a carriage return (\r). Next, we encounter the following condition: The syntax may look a bit dense, but the logic is straightforward. In short, they retained the old insecure behavior when the InsecureChunkedParsing flag is enabled, which is checking the presence of \n only after encountering \r . This is problematic because it allows injecting a single \r or \n inside the chunk extension. In depth, the vulnerable condition, suffixSpan[1] == ByteLF, mirrors the old behavior - it verifies that the second character is \n. We reach this part only if we previously saw \r. The new condition validates that the last two characters of the chunk extension are \r\n. Remember that in the new version, we reach this part when encountering either \r or \n. The fixed condition ensures that if an attacker tries to inject a single \r or \n somewhere within the chunk extension, the check will fail - the condition will evaluate to false. When that happens, and if the backward-compatibility flag is not enabled, the parser throws an exception: Bad chunk extension. And what happened before the patch if the character following \r wasn’t \n? They simply continued parsing, making the following characters part of the chunk extension. That means that a chunk extension could include line terminator characters. The attack affecting unpatched ASP.NET Core applications is HTTP request smuggling via chunk extensions, a technique explained clearly and in depth in this article, which we’ll briefly summarize in this post. Request smuggling using chunk extensions variants Before diving into the different chunk-extension smuggling variants, it’s worth recalling the classic Content-Length / Transfer-Encoding (CL.TE and TE.CL) request smuggling techniques. These rely on discrepancies between how proxies and back-end servers interpret message boundaries: one trusts the Content-Length, the other trusts Transfer-Encoding, allowing attackers to sneak an extra request inside a single HTTP message. If you’re not familiar with CL.TE and TE.CL and other variants, this article gives an excellent overview of how these desync vulnerabilities work in practice. TERM.EXT (terminator - extension mismatch): The proxy treats a line terminator (usually \n) inside a chunk extension as the end of the chunk header, while the backend treats the same bytes as part of the extension. EXT.TERM (extension - terminator mismatch) The proxy treats only \r\n sequence as the end of the chunk header, while the backend treats the line terminator character inside the chunk extension as the end of the chunk header. The ASP.NET Core issue Previously, ASP.NET Core allowed lone \r or \n characters to appear within a chunk extension if the line ended with \r\n, placing it in the EXT category. If a proxy ahead has TERM behavior (treating \n as line end), their parsing mismatch can enable request smuggling. The figure shows an example malicious request that exploits this parsing mismatch. The proxy treats a lone \n as the end of the chunk extension. As a result, the bytes xx become the start of the body and 47 is interpreted as the size of the following chunk. If the proxy forwards the request unchanged (i.e., it does not strip the extension), those next chunks can effectively carry a second, smuggled request destined for an internal endpoint that the proxy would normally block. When Kestrel (the ASP.NET Core backend) receives that same raw stream, it enforces a strict \r\n terminator for extensions. Because the backend searches specifically for the \r\n sequence, it parses the received stream differently - splitting the forwarded data into two requests (the extension content, 2;\nxx is treated as a chunk header + chunk body). The end result: a GET /admin request can reach the backend, even though the proxy would have blocked such a request if it had been observed as a separate, external request. F5 WAF Protections NGINX App Protect and F5 Distributed Cloud NGINX App Protect and F5 Distributed Cloud (XC) normalize incoming HTTP requests and do not support chunk extensions. This means that any request arriving at NAP or XC with chunk extensions will have those extensions removed before being forwarded to the backend server. As a result, both NAP and XC are inherently protected against this class of chunk-extension smuggling attacks by design. To illustrate this, let’s revisit the example from the referenced article. NGINX, which treats a lone \n as a valid line terminator, falls under the TERM category. When this request is sent through NAP, it is parsed and normalized accordingly - effectively split into two separate requests: What does this mean? NAP does not forward the request the same as it arrived. It normalizes the message by stripping out any chunk extensions, replacing the Transfer-Encoding header with a Content-Length, and ensuring the body is parsed deterministically - leaving no room for ambiguity or smuggling. If a proxy precedes NAP and interprets the traffic as a single request, NAP will safely split and sanitize it. F5 Distributed Cloud (XC) doesn’t treat lone \n as line terminators and also discards chunk extensions entirely. Advanced WAF Advanced WAF does not support chunk extensions. Requests containing a chunk header that is too long (more than 10 bytes) are treated as unparsable and trigger an HTTP compliance violation. To improve detection, we’ve released a new attack signature, “ASP.NET Core Request Smuggling - 200020232", which helps identify and block malicious attempts that rely on chunk extensions. Conclusions HTTP request smuggling via chunk extensions remains a very real threat, even in modern stacks. The disclosure of CVE-2025-55315 in the Kestrel web server underlines this: a seemingly small parsing difference (how \r, \n, and \r\n are treated in chunk extensions) can allow an attacker to conceal a second request within a legitimate one, enabling account takeover, code injection, SSRF, and many other severe attacks. This case offers a great reminder: don’t assume that because “nobody uses chunk extensions” they cannot be weaponized. And of course - use HTTP/2. Its binary framing model eliminates chunked encoding altogether, removing the ambiguity that makes these attacks possible in HTTP/1.1.F5 Threat Report - November 12th, 2025
New LandFall Spyware Exploited Samsung Zero-Day via WhatsApp Messages A previously unknown spyware, "LandFall," exploited a critical zero-day vulnerability (CVE-2025-21042) in Samsung's Android image processing library (`libimagecodec.quram.so`) to target select Samsung Galaxy users in the Middle East. Active since at least July 2024, the spyware was delivered via malicious .DNG raw images with appended .ZIP archives sent over WhatsApp, leveraging an out-of-bounds write flaw that allowed remote arbitrary code execution. The LandFall spyware, likely a commercial surveillance framework, targets Galaxy S22, S23, S24 series, Z Fold 4, and Z Flip 4 devices, enabling extensive data exfiltration including microphone and call recordings, location tracking, and access to photos, contacts, SMS, call logs, files, and browsing history. Its components include a loader (`b.so`) and a SELinux policy manipulator (`l.so`) for persistence and privilege escalation, and it can fingerprint devices using hardware and SIM IDs. While C2 infrastructure shows similarities to Stealth Falcon operations and component naming conventions resemble those of NSO Group and other vendors, a definitive attribution remains unconfirmed. Samsung patched the vulnerability in April 2025, and users are advised to apply security updates, disable automatic media downloading in messaging apps, and consider advanced protection features. Severity: Critical Sources https://buaq.net/go-374181.html https://cyberpress.org/landfall-android-malware/ https://meterpreter.org/landfall-spyware-zero-click-image-exploit-spied-on-samsung-phones-for-a-year/ https://www.bleepingcomputer.com/news/security/new-landfall-spyware-exploited-samsung-zero-day-via-whatsapp-messages/ https://www.hendryadrian.com/new-landfall-spyware-exploited-samsung-zero-day-via-whatsapp-messages/ https://www.newsbytesapp.com/news/science/landfall-android-spyware-targeted-samsung-galaxy-phones-for-a-year/story https://www.securityweek.com/landfall-android-spyware-targeted-samsung-phones-via-zero-day/ Threat Details and IOCs Malware: Deadglyph, Landfall, LandFall, LANDFALL CVEs: CVE-2025-21042, CVE-2025-21043, CVE-2025-43300, CVE-2025-55177 Technologies: Apple iOS, Google Android, Samsung Galaxy, Samsung One UI, WhatsApp Threat Actors: Cytrox, FruityArmor, Intellexa, LANDFALL, NSO, NSOGroup, StealthFalcon Attacker Countries: Israel, Spain, United Arab Emirates Attacker IPs: 192.36.57.56, 194.76.224.127, 45.155.250.158, 46.246.28.75, 91.132.92.35, 92.243.65.240 Attacker Domains: brightvideodesigns.com, healthyeatingontherun.com, hotelsitereview.com, projectmanagerskills.com Attacker URLs: https://brightvideodesigns.com/is/, https://healthyeatingontherun.com/is/, https://hotelsitereview.com/is/, https://projectmanagerskills.com/is/ Attacker Hashes: 211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261, 2425f15eb542fca82892fd107ac19d63d4d112ddbfe698650f0c25acf6f8d78a, 29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483, 384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd, 69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee, 9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93, a62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495, b06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756, b45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18, b975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d, c0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e, d2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0, ffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2 Victim Industries: Digital Media, Government, Information Technology, Technology Hardware, Telecommunications Victim Countries: Iran, Iraq, Morocco, Saudi Arabia, South Korea, Turkey, United Arab Emirates Mitigation Advice Update all corporate-managed Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 devices to the April 2025 security patch level or a later version to remediate CVE-2025-21042. Issue a directive for all employees to disable automatic media downloading within their WhatsApp application settings on both corporate and personal devices used for work. Instruct users of corporate Android devices to enable the 'Advanced Protection' feature in their device's security settings for enhanced protection against novel spyware. Obtain the indicators of compromise (IOCs) for the six LandFall C2 servers from the Unit 42 report and add them to the network firewall and DNS blocklists. Compliance Best Practices Implement and enforce a Mobile Device Management (MDM) policy to mandate and automate the installation of critical OS security updates on all managed mobile devices within a 72-hour window of their release. Develop and deploy a mandatory, recurring security awareness training program that specifically addresses mobile-based social engineering, the risks of unsolicited attachments from unknown contacts, and safe practices for messaging apps like WhatsApp. Evaluate and deploy a Mobile Threat Defense (MTD) solution on corporate devices to actively monitor for and alert on suspicious activities indicative of spyware, such as permission escalation, use of recording hardware, and anomalous network connections. Establish and enforce a hardened security configuration baseline for all corporate mobile devices that enables high-security features, such as Android's 'Advanced Protection' or iOS's 'Lockdown Mode', by default. Whisper Leak: A Novel Side-Channel Attack on Remote Language Models A novel side-channel attack, termed "Whisper Leak," has been identified, enabling adversaries to infer language model conversation topics from encrypted network traffic by analyzing packet sizes and timings, despite Transport Layer Security (TLS) encryption. This attack exploits the token-by-token, streaming nature of large language model (LLM) responses, allowing network observers (e.g., internet service providers, local network attackers) to compromise user privacy, particularly for sensitive subjects like political dissent. Researchers demonstrated this by training a binary classifier on network traffic patterns for a specific topic ("legality of money laundering"), achieving over 98% accuracy (AUPRC). A simulated real-world scenario involving 10,000 conversations showed the attack could achieve 100% precision in identifying sensitive topics, even with low recall (5-50%), with effectiveness improving as more training data is collected. To mitigate this vulnerability, LLM providers like OpenAI and Azure have implemented "obfuscation" by adding random variable-length text to responses, while Mistral introduced a similar "p" parameter, significantly reducing attack effectiveness. Users can further protect their privacy by avoiding sensitive discussions on untrusted networks, utilizing VPN services, selecting providers with implemented mitigations, and opting for non-streaming models. The source code and a detailed technical report are publicly available. Severity: Critical Sources https://gbhackers.com/whisper-based-attack/ https://securityonline.info/whisper-leak-attack-infers-encrypted-ai-chat-topics-with-98-accuracy/ https://thehackernews.com/2025/11/microsoft-uncovers-whisper-leak-attack.html https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/ Threat Details and IOCs Malware: LANDFALL, PrimeCache, PROMPTFLUX, SesameOp, Veaty, Whisper Technologies: Alibaba Cloud Large Language Models, DeepSeek Large Language Model, Google Large Language Models, Meta Large Language Models, Microsoft Azure, Microsoft Azure AI Services, Mistral AI Mistral, OpenAI, xAI, xAI Large Language Models, Zhipu AI Large Language Models Attacker URLs: http://github.com/yo-yo-yo-jbo/whisper_leak Victim Industries: Digital Media, Financial Services, Government, Healthcare, Health Care Technology, Information Technology, Legal Services, Media and Entertainment, Technology Hardware, Telecommunications Victim Countries: China, France, United States Mitigation Advice Require all employees to use the corporate VPN when accessing AI services from untrusted networks, such as public Wi-Fi, to add a layer of traffic encryption and obfuscation. Distribute a security advisory to all staff, prohibiting the use of public or corporate AI chatbots for processing sensitive, confidential, or proprietary business data. Audit all currently used third-party AI services to confirm they have implemented mitigations against traffic analysis attacks. Prioritize and approve the use of services that have deployed such protections. Instruct all teams using LLM APIs to disable 'streaming' mode in their applications and configurations where the feature is not essential for the user experience. Compliance Best Practices Develop and implement a formal Acceptable Use Policy (AUP) for AI tools, defining approved platforms, data sensitivity classifications, and prohibited use cases to govern their safe adoption. Update the third-party risk management program to include specific security requirements for AI vendors, mandating they provide evidence of mitigations against side-channel attacks like traffic analysis. Initiate a research project to evaluate the cost, security benefits, and feasibility of deploying a private LLM for internal use cases involving sensitive company data. Malicious NuGet Packages Plant Time Bomb Malware in Industrial Systems, Siemens S7 PLCs Malicious NuGet packages, published by the user shanhai666 between 2023 and 2024, were discovered by Socket's researchers, containing destructive code designed to activate years in the future. Nine of the twelve packages, downloaded nearly 10,000 times, included payloads that were 99% benign to evade detection and build trust. Several packages targeted major database providers like SQL Server, PostgreSQL, and SQLite, with their malicious logic set to trigger on specific dates in 2027 and 2028. Upon activation, these packages introduce a 20 percent probability of terminating the host application process during database queries. The most critical package, Sharp7Extend, used typosquatting to mimic the legitimate Sharp7 library and targeted Siemens S7 Programmable Logic Controllers (PLCs) widely used in manufacturing. Unlike the database-targeting malware, Sharp7Extend activates immediately upon installation, though its malicious functions cease after June 6, 2028. It employs two mechanisms: a 20 percent chance of terminating the application during Siemens S7 communication operations, and after an initial 30-90 minute grace period, it causes 80 percent of critical commands to fail, potentially leading to safety system failures and data corruption in industrial settings. All identified malicious packages have since been removed from NuGet, and organizations are advised to immediately audit their dependencies for these compromised packages. Severity: Critical Sources https://buaq.net/go-374596.html https://gbhackers.com/nuget-supply-chain/ https://securityonline.info/nuget-sabotage-time-delayed-logic-in-9-packages-risks-total-app-destruction-on-hardcoded-dates/ https://thehackernews.com/2025/11/hidden-logic-bombs-in-malware-laced.html https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-drop-disruptive-time-bombs/ https://www.esecurityplanet.com/threats/malicious-nuget-packages-hide-time-delayed-sabotage-code/ https://www.hendryadrian.com/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads/ https://www.theregister.com/2025/11/07/cybercriminals_plant_destructive_time_bomb/ Threat Details and IOCs Malware: Sharp7Extend Technologies: Microsoft .NET Framework, Microsoft NuGet, Microsoft SQL Server, NuGet, PostgreSQL, Sharp7, Siemens S7, Siemens SIMATIC S7, SQLite Threat Actors: Shanhai666 Attacker Countries: China Attacker Domains: hendryadrian.com Victim Industries: Automotive, Chemical, Energy, Financial Services, Healthcare, Health Care Technology, Industrial Control Systems, Industrials, Information Technology, Logistics, Manufacturing, Retail Victim Countries: Germany Mitigation Advice Scan all .NET project dependencies to identify if any of the following malicious NuGet packages are present: Sharp7Extend, MyDbRepository, MCDbRepository, SqlDbRepository, SqlRepository, SqlUnicornCoreTest, SqlUnicornCore, SqlUnicorn.Core, or SqlLiteRepository. If any of the malicious NuGet packages are found on a system, immediately isolate that system from the network to begin incident response procedures. Configure your NuGet package manager sources to explicitly block any packages published by the user 'shanhai666'. Immediately investigate any systems using Siemens S7 PLCs for unexplained application crashes or communication failures, as these may be symptoms of the Sharp7Extend malware. Compliance Best Practices Establish a formal policy and process for vetting and approving all third-party software dependencies, including NuGet packages, before they are permitted for use in production code. Implement a private, internal package repository to host only vetted and approved third-party dependencies, and configure developer environments to use this repository as the primary source. Implement tooling and processes to generate and maintain a Software Bill of Materials (SBOM) for all developed and deployed applications to enable rapid dependency auditing. Develop and implement a recurring security training program for all developers focusing on software supply chain risks, including how to identify typosquatting and vet open-source package publishers. Review and enhance network segmentation to ensure that Operational Technology (OT) networks, especially those with PLCs, are isolated from the corporate IT network to prevent cross-domain compromises. MUT-4831 Deploys Vidar Infostealer via 17 Malicious npm Packages Targeting Windows A sophisticated supply chain attack, attributed to the MUT-4831 threat actor cluster, targeted the npm ecosystem with 17 malicious packages across 23 releases, designed to deploy the Vidar v2 infostealer malware on Windows systems. Discovered by Datadog Security Research on October 21, 2025, these packages, masquerading as legitimate SDKs and libraries, remained active for approximately two weeks, accumulating over 2,240 downloads, with `react-icon-pkg` alone accounting for 503. The attack chain involved postinstall scripts downloading an encrypted ZIP archive from `bullethost[.]cloud`, decrypting it, and executing a Windows PE binary named `bridle.exe`. This Go-compiled Vidar variant aggressively harvests sensitive data, including browser credentials, cookies, and cryptocurrency wallets, exfiltrating it after dynamically discovering command-and-control servers via hardcoded Telegram and Steam accounts, then deleting all traces from the compromised system. Severity: Critical Sources https://buaq.net/go-374147.html https://cyberinsider.com/vidar-stealer-2-0-marks-major-evolution-in-infostealer-landscape/ https://cyberpress.org/vidar-malware-analysis/ https://cyberpress.org/weaponized-npm-packages/ https://gbhackers.com/malicious-npm-packages/ https://www.techradar.com/pro/point-of-use-theft-vidars-shift-to-api-level-interception https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html Threat Details and IOCs Malware: Arkei, Arkei Stealer, ArkeiStealer, Lumma, LummaC2, Lumma Stealer, Mohazo, Raccoon Stealer, Racealer, RedLine, RedLine Stealer, Spyware.Vidar, StealC, Vidar, Vidar Stealer CVEs: CVE-2023-20118, CVE-2025-34090 Technologies: Amazon Web Services, Apple macOS, Discord, FileZilla, Google Chrome, Microsoft 365, Microsoft Azure, Microsoft Edge, Microsoft Visual Studio, Microsoft Windows, Monero, Mozilla Firefox, Node.js, npm, Opera, Pale Moon, React, Steam, Telegram, Vivaldi, Waterfox, WinSCP Threat Actors: AngryLikho, Bitter, Loadbaks, MUT4831, Storm-2477, WaterKurita Attacker Countries: Azerbaijan, Moldova, Russia Attacker IPs: 65.100.80.190, 65.108.80.90 Attacker Emails: aartrabens@gmail.com, saliii229911@gmail.com Attacker Domains: a.t.rizbegadget.shop, bullethost.cloud, cvt.technicalprorj.xyz, files.catbox.moe, ftp.nadimgadget.shop, gor.technicalprorj.xyz, gra.khabeir.com, gra.nadimgadget.shop, gz.technicalprorj.xyz, iu.server24x.com, mas.to, nv.d.khabeir.com, p.x.rizbegadget.shop, steamcommunity.com, stg.mistonecorp.net, stg.server24.com, stg.server24x.com, telegram.me, t.y.server24x.com, upload.bullethost.cloud Attacker URLs: https://files.catbox.moe/awktpw.zip, https://nv.d.khabeir.com, https://steamcommunity.com/profiles/76561198777118079, https://telegram.me/s/sre22qe, https://upload.bullethost.cloud/download/68f5503834645ddd64ba3e17, https://upload.bullethost.cloud/download/68f55d7834645ddd64ba3e3e, https://upload.bullethost.cloud/download/68f775f734645ddd64ba99f4, https://upload.bullethost.cloud/download/68f77d1134645ddd64ba9a5e, https://upload.bullethost.cloud/download/68f7b14734645ddd64ba9b6e, https://upload.bullethost.cloud/download/68f7c68a34645ddd64ba9b9d, https://upload.bullethost.cloud/download/68f7de3834645ddd64ba9c00, hxxp://mas.to/@oleg98, hxxps://steamcommunity.com/profiles/76561198780411257 Attacker Hashes: 0e90c63363265f75f8637c1a3e9ec277a1ea1a8436dd7561fff59cfb722c6612, 1230f3382910e84d542d64e859fb3064958b47bc50508045cbb5b597b987c65b, 12934992bb65953861b4dfd7a67d3256eae8da19ee86609aa29b68fb77258e98, 1eff512c9b003b08464e071774bd85e43464cce6ad1373463b1f67683d03b956, 288ecc39cdde51783dbb171758ec760652bb929ad17d239a43629449a22429c1, 29b6a1c08e96ce714f9e1f54a4edde3f5e6b41477db5f89f1bd41d931508bdbf, 37d62d7983f7e0012f88e81ba28ad02a839b4d8804851a401b19058ca8cc2cf4, 3dc09740ded920e5899a5386c6731de0c89d6bd182fb89073e910b619980899f, 5f68157e486413ab276fad629d7af21a53b399c5fa8b1a0cfbd37851ceca0381, 8934056f93516a33c4e9eeb2f50aea160860cf229ca6f6ec302bd2c404ebfe59, 95368954efa9618c586bdd8978f41f465450caf268d07ca316cf6975f6e15848, aa49d14ddd6c0c24febab8dce52ce3835eb1c9280738978da70b1eae0d718925, bcf8a6911bf4033cf4d55caf22d7da9d97275bbb3b0f8fefd1129e86bd4b49f8 Victim Industries: Business Services, Cloud Infrastructure, Cryptocurrency, Education, Financial Services, Gaming, Government, Healthcare, Information Technology, Manufacturing, Real Estate, Retail, Social Media, Software, Sports and Entertainment, Technology Hardware, Utilities Mitigation Advice Add the domain `bullethost[.]cloud` to the network firewall and DNS blocklists to prevent connections to the malware distribution server. Use EDR or system scanning tools to search all Windows endpoints and servers for the file `bridle.exe` to identify potential infections. Instruct developers to immediately audit all project `package.json` and lock files for dependencies named `custom-tg-bot-plan`, `react-icon-pkg`, or any packages published by npm users `aartje` and `saliii229911`. Review network logs for unusual outbound connections from developer workstations or build servers to Telegram or Steam APIs, as this is a C2 channel used by this Vidar variant. Compliance Best Practices Establish a new security policy to disable automatic execution of npm `postinstall` scripts by default using the `--ignore-scripts` flag, and create a process to vet and explicitly allow scripts only for trusted packages. Deploy a private npm registry or a caching proxy, such as Sonatype Nexus or JFrog Artifactory, to host only vetted and approved third-party packages for internal developer use. Integrate a Software Composition Analysis (SCA) tool into the CI/CD pipeline to automatically scan npm packages for known vulnerabilities and malicious code signatures on every build. Enforce a policy requiring all projects to use lockfiles (e.g., `package-lock.json`) and mandate the use of `npm ci` instead of `npm install` in all automated build environments to ensure reproducible and vetted dependency installation. On all Windows developer workstations and build servers, enable PowerShell Script Block Logging and Module Logging and forward logs to your SIEM for analysis. Configure the PowerShell execution policy on all Windows developer workstations and build servers to `RemoteSigned` or stricter via Group Policy to prevent the execution of unsigned, untrusted scripts. Sandworm (GRU) Wiper Attacks Target Ukraine's Critical Infrastructure Russian state-controlled Sandworm, identified as part of the GRU, has consistently deployed destructive wiper malware against Ukraine, with recent attacks reported in April, June, and September. These attacks targeted a Ukrainian university with Sting and Zerlot wipers, and later expanded to critical infrastructure, including government, energy, logistics, and notably, the grain industry, aiming to weaken the country's war economy. This continues a pattern of Russian cyber warfare, which previously included the NotPetya worm in 2012, attacks on Ukraine's electricity grid in 2016-2017, and 2022 incidents affecting satellite modems and a Kyiv TV station, alongside other wipers like WhisperGate. Other Russian-aligned groups like RomCom, which exploited a WinRar zero-day, and Gamaredon have also conducted wiper attacks, with UAC-0099 sometimes providing initial access through spear phishing, underscoring wipers' enduring role as a preferred tool for Russian threat actors. Severity: Critical Sources https://arstechnica.com/security/2025/11/wipers-from-russias-most-cut-throat-hackers-rain-destruction-on-ukraine/ https://buaq.net/go-372169.html https://buaq.net/go-372777.html https://buaq.net/go-373967.html https://cyberpress.org/russian-hackers-2/ https://cyberpress.org/weaponized-zip-documents/ https://gbhackers.com/living-off-the-land-tactics/ https://gbhackers.com/ssh-tor-backdoor/ https://industrialcyber.co/ransomware/sandworm-linked-webshell-and-lotl-tactics-found-in-russian-cyberattacks-targeting-ukrainian-networks/ https://securityonline.info/russian-apts-exploit-lotl-techniques-in-ukraine-cyber-attacks-deploying-sandworm-linked-webshell-and-credential-dumping/ https://securityonline.info/sandworm-apt-attacks-belarus-military-with-lnk-exploit-and-openssh-over-tor-obfs4-backdoor/ https://socprime.com/blog/russian-hackers-target-ukrainian-organizations/ https://thehackernews.com/2025/10/russian-hackers-target-ukrainian.html https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html https://www.bleepingcomputer.com/news/security/sandworm-hackers-use-data-wipers-to-disrupt-ukraines-grain-sector/ https://www.esecurityplanet.com/threats/russian-linked-cyberattacks-continue-to-target-ukrainian-organizations/ https://www.helpnetsecurity.com/2025/11/03/russian-belarusian-military-spear-phishing/ https://www.hendryadrian.com/living-off-the-land-allowed-russia-linked-group-to-breach-ukrainian-entities-this-summer/ https://www.hendryadrian.com/ukrainian-organizations-still-heavily-targeted-by-russian-attacks/ https://www.metacurity.com/cisa-plans-to-fire-54-employees-despite-court-injunction/ https://www.securityweek.com/destructive-russian-cyberattacks-on-ukraine-expand-to-grain-sector/ Threat Details and IOCs Malware: Acid Pour, AcidPour, AcidRain, BACKORDER, BE2, BE3, Black Energy, BlackEnergy, Blakken, BPFDoor, CaddyWiper, Chisel, CRASHOVERRIDE, Diskcoder.C, EternalPetya, ExPetr, FoxBlade, FruitShell, GoldenEye, GootKit Loader, GootLoader, HermeticWiper, Industroyer, IsaacWiper, Kalambur, KillDisk, LAMEHUG, Localolive, LocalOlive, NEARMISS, NotPetya, Nyetna, Nyetya, NyetYa, PathWiper, PEAPOD, Petna, Petya 2.0, Petya.A, Pnyetya, PromptSteal, Pterodo, PteroPSDoor, PteroVDoor, QuietVault, RomCom, RomCom RAT, RomCom RAT 5.0, RustyClaw, SingleCamper, SnipBot, Sting, SUMBUR, VPNFilter, WhisperGate, Zerlot, Zerolot, ZeroLot, ZEROLOT CVEs: CVE-2013-3906, CVE-2014-4114, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148, CVE-2017-0199, CVE-2019-10149, CVE-2021-32648, CVE-2021-34473, CVE-2022-41352, CVE-2023-23397, CVE-2023-32315, CVE-2023-32784, CVE-2023-42793, CVE-2023-48788, CVE-2024-1709, CVE-2025-53770, CVE-2025-8088 Technologies: ESET Endpoint Security, KeePass, Linux, Microsoft Active Directory, Microsoft Internet Information Services, Microsoft Windows, MikroTik RouterOS, MikroTik WinBox, OpenSSH, Python, RARLAB WinRAR, SonicWall Secure Mobile Access, Tor Threat Actors: Actinium, AngryLikho, APT28, APT44, AquaBlizzard, Armageddon, AwakenLikho, BlackEnergy, CoreWerewolf, DEV-0861, EarthBluecrow, ELECTRUM, FROZENBARENTS, Gamaredon, InedibleOchotense, IRIDIUM, IronTilden, IRONVIKING, MuddyWater, PrimitiveBear, Quedagh, RedMenshen, RomCom, Sandworm, SeashellBlizzard, Shuckworm, StickyWerewolf, Storm-0978, Storm0978, TA450, TA453, TA455, Telebots, TridentUrsa, TropicalScorpius, Turla, UAC0002, UAC-0010, UAC0010, UAC-0082, UAC0082, UAC-0099, UAC0113, UAC-0125, UAC0125, Uac0145, UNC2565, UNC2596, UNC530, Unit74455, UNKSmudgedSerpent, VoidRabisu, VoodooBear, Winterflounder Attacker Countries: China, Iran, Myanmar, North Korea, Russia Attacker IPs: 156.67.24.239, 185.145.245.209, 77.20.116.133 Attacker Domains: ciscoheartbeat.com, eliteheirs.org, esetremover.com, esetscanner.com, esetsmart.com, melamorri.com, taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid.onion, yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion Attacker URLs: 185.145.245.209:22065/service.aspx Attacker Hashes: 08db5bb9812f49f9394fd724b9196c7dc2f61b5ba1644da65db95ab6e430c92b, 30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4, 44b1f3f06607cd3ee16517d31b30208910ce678cb69ba7a0514546dff183dfce, 5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7, 636e04f0618dd578d107f440b1cf6c910502d160130adae5e415b2dd2b36abcb, 70a5492db39585ec18de512058a5389c9a4043fba13ca8ad7d057ead66298626, 710e8c96875d6a3c1b4f08f4b2094c800658551065b20ef3fd450b210dcc7b9a, 7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f, 7946a2275c1c232eebed6ead95ea4723285950175586db1f95354b910b0a3cce, 821362a484908e93f8ba748b600665ae6444303d, 8c07c37ac84d4c6fd76de3d966e26b65e401bc641a845baf6f73ad0d6a10fc6b, 99ec6437f74eec19e33c1a0b4ac8826bcc44848f87cd1a1c2b379fae9df62de9, 9f3d8252e8f3169751a705151bdf675ac194bfd8457cbe08e1f3c17d7e9e9be2, a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b, a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92, b701272e20db5e485fe8b4f480ed05bcdba88c386d44dc4a17fe9a7b6b9c026b, ba5f7e2fa9be1cb3fc7ae113f41c36e4f2c464b6, c853d91501111a873a027bd3b9b4dab9dd940e89fcfec51efbb6f0db0ba6687b, cbb94dd87c3ce335c75e57621412eedce013fcc77ac92ec57f7e74ac70dde119, cf8e09f013fcb5f34c8c274bf07d9047956ba441dabf2d3de87ea025e14058b7, e03b8c54ac916b363f956e4e4e04a19eb4119455d8006c92e9328e16a8cee52f Victim Industries: Agriculture, Automotive, Business Services, Critical Manufacturing, Defense, Digital Media, Education, Energy, Engineering, Financial Services, Government, Hospitality, Information Technology, Legal and Professional Services, Logistics, Manufacturing, Professional Services, Retail, Telecommunications, Transportation, Transportation & Logistics, Utilities Victim Countries: Austria, Belarus, Belgium, Bulgaria, Canada, China, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Israel, Italy, Latvia, Lithuania, Luxembourg, Malta, Myanmar, Netherlands, Norway, Poland, Portugal, Romania, Russia, Slovakia, Slovenia, South Korea, Spain, Sweden, Ukraine, United States Mitigation Advice Use endpoint management or scripting tools to scan all Windows systems for a scheduled task named "DavaniGulyashaSdeshka" and alert on or remove any findings. Identify all installations of WinRar in the environment and ensure they are updated to a version that is not vulnerable to the zero-day exploit mentioned. Configure email security gateways to block or quarantine emails from external sources that contain executable files or compressed archives like .rar and .zip. Scan the network to identify all systems running SMBv1 and disable the protocol wherever it is not essential for business operations. Compliance Best Practices Implement and regularly test a 3-2-1 backup strategy, ensuring at least one copy of critical data is stored offline, air-gapped, or in an immutable storage repository to protect it from wiper malware. Develop and roll out a continuous security awareness training program that includes phishing simulations to educate employees on how to identify and report suspicious emails. Implement network segmentation to create isolated zones for critical servers and services, restricting communication paths from user workstations to limit the lateral movement of malware. Deploy an application control or allowlisting solution on endpoints, particularly servers, to restrict software execution to only known and approved applications.Red Hat in the news, £5.5B in Bitcoin recovered from scammer, more Breaches
Hello! ArvinF is your editor of the F5 SIRT This Week in Security, covering 28 September to 4 October 2025. This week, Red Hat is in the news for their Consulting GitLab instance breach and an "Important" rated vulnerability in their OpenShift AI Service product. A win - UK's Metropolitan police have arrested a scammer and recovered £5.5B (!) in Bitcoin. Then came the breach disclosures from Alianz, Westjet, Motility and a "US tech company”. Finally, the ransomware and extortion gangs - Scattered LAPSUS$ Hunters 1B Salesforce record under ransom and Radiant Group's extortion attempt getting slammed by another extortion group. Let’s get to it! Red Hat's Consulting GitLab instance has been breached by an extortion group named Crimson Collective. The group initially bragged about the breach on Telegram, showing file listings and other sensitive data in Customer Engagement Reports (CERs) that are related to Redhat customers environments. Redhat published a security incident advisory: We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance. Crimson Collective threat group notes that they found authentication tokens inside these repos and have “already used these to compromise downstream Red Hat customers.” In an advisory from the Belgian government, it notes the incident is “High Risk” for Belgian organizations and has “potential supply chain impact if service providers or IT partners worked with Red Hat Consulting” From the same advisory, it provided recommendations: Revoke & Rotate all tokens, keys, and credentials shared with Red Hat or used in integrations. Engage Third-Parties – ask your IT providers or partners whether they have used Red Hat Consulting and assess your potential exposure. Contact Red Hat for guidance on your specific exposure. Increase monitoring of authentication events, API calls, and system access for anomalies. https://www.theregister.com/2025/10/03/red_hat_gitlab_breach/ https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance https://www.theregister.com/2025/10/02/cybercrims_claim_raid_on_28000/ https://ccb.belgium.be/news/hackers-crimson-collective-use-leaked-authentication-tokens-access-customer-systems From standard user to Full Cluster Admin in Red Hat Openshift AI Service via CVE-2025-10725 Red Hat OpenShift AI Service has a 9.9 out of 10 CVSS Score CVE, tracked as CVE-2025-10725, thinly avoiding a 10 out of 10, due to a requirement of a Low-Privileged attacker. https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H In the advisory: A flaw was found in Red Hat OpenShift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster’s confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it. To resolve the vulnerability, upgrade to RHOAI 2.16.3 or if Kueue features are not required, the Kueue component management state can be set to “Removed” in the RHOAI DataScienceCluster resource. For RHOAI 2.19+, a workaround is Prevent the RHOAI operator from managing the kueue-batch-user-rolebinding then Disable the ClusterRoleBinding by updating its subject to a different, non-existent, group. Once updates providing fixes have been applied, it's recommended to remove the clusterrolebinding. This “Important” rated CVE came out approx the same time as the Red Hat Consulting GitLab breach. https://www.theregister.com/2025/10/01/critical_red_hat_openshift_ai_bug/ https://access.redhat.com/security/cve/cve-2025-10725#cve-affected-packages £5.5B in Bitcoin recovered from scammer A scammer caught by the London Metropolitan Police after a seven-year investigation and recovered a record-busting Bitcoin seizure worth £5.5B. .. carried out what the police describe as a "large-scale fraud in China" between 2014 and 2017, and then attempted to launder the significant proceeds after arriving in the UK. The three-year fraud affected more than 128,000 people and netted 61,000 Bitcoin, which at current prices is worth more than £5.5 billion ($7.4 billion). At the point the crypto tokens were seized, they would have been worth around $404 million. The scammer fled using false documents and entered the UK and attempted to launder the stolen money by buying property, said the Met. An associate helped in attempting to cash in on the laundering by buying properties in the UK and Dubai. This associate was caught last year and was jailed/sentenced. The scammer may get additional time if they fail to pay up and return more than £3.1 million. The Crown Prosecution Service said the associate benefited by £3.5 million (c $4.7 million) from the fraud, led by the scammer, and the £3.1 million figure was the total sum of her available assets at the time. Reforms to crime legislation under the previous Conservative government aimed to make it easier for the UK authorities to seize, freeze and recover crypto assets, external. The changes would also allow some victims to apply for the release of their assets held in accounts. https://www.theregister.com/2025/09/30/met_police_bitcoin_fraud/ https://www.bbc.com/news/articles/cy0415kk3rzo https://news.met.police.uk/news/woman-convicted-following-worlds-largest-seizure-501569 https://www.gov.uk/government/news/new-powers-to-seize-cryptoassets-used-by-criminals-go-live 3.7M breach notification letters - The mailman and mail servers will be busy sending breach notification letters. From the Maine AG breach disclosure pages on affected persons: Insurance biz Allianz Life - 1,497,036 WestJet - 1.2 million Motility - 766670 From the news ... "US tech company" - 250,000 The Impact: Allianz Life - The attackers accessed the data of the insurer's customers, staff, and financial professionals WestJet - affected its online services and mobile app, exposed customer data - could include names, contact details, information and documents provided in connection with their reservation and travel, and data regarding victims' Motility Software Solutions - "unauthorized actor deployed malware that encrypted a portion of our systems. Although the malware primarily restricted our access to internal data, the forensic evidence suggests that, before encryption, the actor may have removed limited files containing customers' personal data ... could include full names, home and email addresses, telephone numbers, dates of birth, SSNs, and driver's license numbers." That’s a lot of names, SSNs, CCs, email addresses, addresses, IDs. All three businesses offered identity protection and credit monitoring services – Allianz Life and WestJet two years of coverage, Motility 12 months. https://www.theregister.com/2025/10/01/north_american_data_breaches/ Scattered LAPSUS$ Hunters 1B Salesforce Records under ransom Scattered LAPSUS$ Hunters gave Salesforce until October 10, a deadline to negotiate payment or leak their customer’s data. Scattered LAPSUS$ Hunters are 3 threat / ransomware groups - Scattered Spider, ShinyHunters, and Lapsus$ - that had a moment of solidarity "to break into businesses' networks, steal their data, and force an extortion payment." Per Salesforce advisory: "We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities," "Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support," "At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology." In August of 2025, there was the Salesloft drift breach that affected Salesforce customers. https://www.theregister.com/2025/10/03/scattered_lapsus_hunters_latest_leak/ https://www.theregister.com/2025/09/14/in_brief_infosec/ https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/ https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/ https://status.salesforce.com/generalmessages/20000224?locale=en-US Radiant Group extortion gang crosses the line and gets schooled by other ransomware groups Radiant Group stole data from Kido International, a school for young children with branches in the UK, US, and India. They then posted unblurred pictures of 10 children, along with their addresses, parents’ names, and other personal data, and threatened to expose more if a ransom wasn't paid. Parents of some children claimed to have received threatening calls after Radiant published the data. London's Metropolitan Police investigators are following up on the case. But now, Radiant says it removed the child data it had posted after receiving pressure from other ransomware groups. It seems they crossed a line in the criminal world and backed down when called out for it. Rebecca Taylor, a threat intelligence knowledge manager at security biz Sophos, tells The Register that the crew was called out by the well-established ransomware-as-a-service Nova gang on the Russian Anonymous Market Place (RAMP), an online souk for cybercriminals. One of Nova's affiliate members, going under the handle BlackBeard, told Radiant, "reputation important, don't attack child right." "We have disabled any attacks relating to them, is not allowed anymore," Radiant answered, and added, "Any data relating to under 18s who attended have been deleted." BlackBeard congratulated them and wished the extortionists good luck for the future and Nova offered to help in future raids. Radiant claimed to have information on over 8,000 children enrolled at Kido, as well as their family, teachers, and staff. Taylor told us that the Radiant Group seems to be new script kiddies on the block and have overstepped themselves, and are now trying to make nice with the rest of the criminal community. https://www.theregister.com/2025/10/02/ransomware_radiant_delete_kids_info/ https://www.theregister.com/2025/09/25/ransomware_gang_publishes_toddlers_images/ https://www.theguardian.com/technology/2025/oct/02/kido-nursery-hackers-say-they-have-deleted-stolen-data Outro The amount of breach news from this week was something - the leaked personal and financial information will surely be the foundation of future breaches and extortions. These breaches were perpetrated by ransomware and extortion gangs that utilized social engineering and known and unknown vulnerabilities in their campaigns. As defenders, we should advise our organizations to keep our systems updated, implement levels and layers of security defenses and keep ourselves and our peers educated on good security practices. The silver lining is the recovery of the £5.5B worth of Bitcoin from scammers caught in the UK. The many victims of scammers have an opportunity to recover their lost assets. Credit to the original source and posts! I hope the news I picked is informative and educational. Till next time - Stay Safe and Secure! As always, if this is your first TWIS, you can always read past editions. We also encourage you to check out all of the content from the F5 SIRT.Mobile Security: Current Challenges & A Vision For The Future
In today’s hyper-connected world, smartphones are far more than communication devices. They are personal assistants, financial hubs, health trackers, and corporate gateways. With over billions of smartphone users globally, these devices have become indispensable tools for work, entertainment, and daily life. However, their commonness has not gone unnoticed by cybercriminals, making mobile security one of the most pressing challenges of our time. From malicious apps to phishing attacks and zero-day vulnerabilities, threats targeting mobile devices are evolving rapidly. This article will explore the current mobile security landscape, the future of this field, and best practices for safeguarding mobile devices against growing cyber risks. The Current Mobile Threat Landscape Mobile devices have become lucrative targets for attackers, owing to their use in both personal and professional capacities. Nowadays, threats targeting mobile devices are more sophisticated, leveraging advanced technologies such as AI and automation. 1. Mobile Malware and Spyware: Malicious software crafted for smartphones has surged in recent years. Attacks like FluBot and Joker malware have compromised thousands of mobile devices globally. They steal sensitive information such as banking credentials and personal data. Spyware, such as Pegasus, has shown how attackers can exploit zero-day vulnerabilities to take control of a device remotely and exfiltrate information, including encrypted communications. 2. Smishing & Phishing Attacks: Phishing attacks have migrated from email to mobile messaging. Smishing (SMS phishing) and phishing through messaging apps like WhatsApp, Telegram, or Facebook Messenger are highly effective because users tend to trust these platforms. Attackers use tactics like fake package delivery notifications or password reset requests to trick victims into revealing sensitive information. 3. Mobile Payments Under Siege: The widespread adoption of mobile payment platforms (Google Pay, Apple Pay, PayPal) and QR-code-based payments has introduced unprecedented convenience. However, these systems are now lucrative targets for attackers. For example, malicious QR codes redirect users to phishing sites or download malware to compromise financial accounts. 4. IoT and 5G Vulnerabilities: As smartphones increasingly function as controllers for IoT ecosystems (smart homes, wearables, connected cars), attackers see an opportunity to exploit vulnerabilities across interconnected devices. With the rise of 5G networks, data is being transmitted faster than ever. This speed also introduces risks related to network attacks, unauthorized access, and greater attack surfaces. 5. Emerging AI-Powered Threats: Artificial intelligence has revolutionized how attackers create and execute cyberattacks. AI can be used to automate phishing campaigns, generate realistic text for scams, or even create deepfake audio and video to impersonate individuals in real time. These hyperrealistic attacks are harder to detect and even more effective at deceiving victims. Future of Mobile Security The challenges we face today are only the beginning. As mobile technology advances and becomes further integrated with every facet of human life, mobile security will define the frontlines of cybersecurity. 1. AI-Enhanced Defenses Just as attackers leverage AI for malicious purposes, defenders are increasingly using AI for anomaly detection and behavioral analytics. Machine learning tools can analyze user behavior in real time. They can detect unusual patterns such as unauthorized app activity or data exfiltration attempts. As AI improves, it will play a central role in combating AI-generated threats and various forms of malware. 2. Quantum-Safe Cryptography While quantum computing is still in its early stages, its eventual application will have profound implications for data encryption. Organizations are already exploring post-quantum cryptography. This ensures that mobile communications and sensitive information remain secure against the enormous processing power of quantum computers. 3. Zero-Trust Architecture for Mobile Devices Zero Trust principles, which by default trust no device, application, or user regardless of their network location, are being used more on mobile devices. Continuous verification, device posture checks, and contextual information (e.g., user behavior, location) will further tighten security for mobile endpoints accessing sensitive systems. 4. Hardware-Backed Security By 2025, most modern devices will come pre-equipped with secure enclaves (such as Apple’s Secure Enclave or Android’s Titan M chips). These hardware modules are isolated from the operating system. This keeps sensitive data like cryptographic keys, payment information, and biometric data secure from OS-level exploits. 5. Stricter Regulation and Compliance Privacy regulations like GDPR, CCPA, and other global frameworks will continue to evolve, ensuring that users' data is handled responsibly. Mobile app developers will embed compliance-by-design practices. They will focus on transparency, limited data collection, and permission management to align with user rights. 6. Interconnected Ecosystems and Broader Risks As IoT ecosystems mature, the smartphone will act as the central controller for a growing range of devices. Cybersecurity solutions for mobile devices will need to address the cascading risks posed by compromised IoT devices, interconnected networks, and 5G-enabled technologies. Best Practices to Protect Mobile Devices Both individuals and organizations must adopt proactive mobile security strategies. Here are some of the best practices for reducing exposure to threats: For Individuals: Enable Biometric, and Multi-Factor Authentication (MFA): Use biometrics like fingerprints or facial recognition alongside MFA for critical accounts such as banking, email, and corporate logins. Keep Devices and Apps Updated: Regularly update operating systems and apps to patch critical vulnerabilities. Many attacks target older, unpatched versions of software. Review App Permissions Carefully: Avoid granting unnecessary permissions to apps, especially for access to sensitive data like location, contacts, or storage. Use Trusted App Stores: Stick to verified marketplaces like Google Play and Apple’s App Store to avoid downloading malicious apps. Adopt Secure Communication Tools: Use encrypted messaging apps like Signal or WhatsApp for confidential communication. Beware of Smishing and Phishing Attacks: Avoid clicking on suspicious links in SMS or messaging apps. If something seems too urgent or too good to be true, validate its authenticity via official channels. Use Mobile VPNs: A Virtual Private Network (VPN) ensures secure browsing, especially on public Wi-Fi networks. Install Anti-Malware Apps: Consider a trustworthy mobile security app to monitor your device for malware and other threats. For Organizations: Adopt Mobile Threat Defence (MTD): Deploy MTD solutions that integrate with Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) platforms. These tools provide real-time monitoring of mobile endpoints and threat mitigation. Implement Zero Trust Network Access (ZTNA): Use a zero-trust approach for mobile device access to corporate networks, continually verifying devices for access permissions. Enforce App Containerization: Use tools that separate corporate data from personal applications on mobile devices to prevent cross-contamination of information. Train Employees on Mobile Security: Regular awareness campaigns and training on recognizing smishing scams, fake apps, and account takeover attempts are critical. Monitor for SIM-Swap Attacks: Leverage tools capable of detecting and flagging suspicious account activity associated with SIM-swapping fraud. Restrict BYOD Access: For Bring Your Own Device (BYOD) policies, enforce strict security policies, such as requiring up-to-date OS and apps, to minimize risks. Conclusion There is no doubt that the future of cybersecurity is mobile-centric. As smartphones continue to act as gateways to digital assets, IoT ecosystems, and corporate networks, they will remain a primary battleground for attackers and defenders alike. The good news is that both individuals and organizations are empowered to improve their resilience. By adopting stronger authentication measures, AI-powered defenses, zero trust principles, and remaining vigilant with updates and monitoring, mobile security can evolve to meet even the most sophisticated challenges ahead. In the race to safeguard the digital future, proactive preparation, collaboration, and innovation in mobile security ensures that technology continues to empower, not endanger its users.Apple’s MIE, Fake Chrome Ext, and C2PA Content Credentials in Google Pixel
Notable security news for the week of Sept 7-13th, 2025, brought to you by the F5 Security Incident Response Team. This week, your editor is Dharminder. In this edition, I have security news covering Apple's new built-in memory safety system called Memory Integrity Enforcement, the emergence of fake Chrome extensions used to hijack Meta business accounts, Google's introduction of Trusted Photography with C2PA Content Credentials in Google Pixel a significant step towards digital media transparency and CISA's alert regarding the actively exploited Dassault DELMIA Apriso RCE vulnerability
