Apple's MIE, Fake Chrome Ext, and C2PA Content Credentials in Google Pixel

Notable security news for the week of Sept 7-13th, 2025, brought to you by the F5 Security Incident Response Team. This week, your editor is Dharminder. In this edition, I have security news covering Apple's new built-in memory safety system called Memory Integrity Enforcement, the emergence of fake Chrome extensions used to hijack Meta business accounts, Google's introduction of Trusted Photography with C2PA Content Credentials in Google Pixel (a significant step towards digital media transparency), and CISA's alert regarding the actively exploited Dassault DELMIA Apriso RCE vulnerability.

Post-Quantum Cryptography, OpenSSH, & s1ngularity supply chain attack
This week in security: PQC by default, and a supply-chain gut check. At F5, we are publishing a forward-looking series of blog posts which help security and IT leaders anticipate tomorrow's risks and capitalize on emerging tech. Think of it as a field guide to future threats—and how to stay resilient as they arrive. We are about halfway through the series; here are some of the highlights from my point of view.

OpenSource Hacking Tools, Budget Constraints Drive AI Use, and New CISA OT Guidelines
A Chinese-speaking advanced persistent threat (APT) group, UAT-7237, has been targeting web infrastructure in Taiwan using customized open-source hacking tools. This group is believed to be a sub-group of UAT-5918, which has been active against Taiwan's critical infrastructure since at least 2023.

Blackhat 2025 Wrap up
Hello! Jordan_Zebor is your editor this time for the F5 SIRT This Week in Security, covering Blackhat 2025. The Black Hat 2025 security conference proved once again why it's the global epicenter for unveiling cutting-edge cybersecurity research and innovative attack methodologies. Here are a few of this year's highlights.

Unicode as a Double-Edged Sword: Exploiting Normalization Pitfalls

Unicode underpins the Internet, but as researchers revealed in Lost in Translation: Exploiting Unicode Normalization, it also presents an alarmingly rich attack surface. This talk, notably the first-ever father-daughter presentation at Black Hat, demonstrated how flaws in Unicode normalization processes can bypass security mechanisms, enabling attackers to execute several web application attacks. During the session, the team detailed how techniques like visual confusables, overlong encodings, truncations, and improper case mappings can undermine common defenses, such as web application firewalls (WAFs) and backend validation. Attacks leveraging these flaws were showcased using fuzzing tools like Shazzer and Recollapse, as well as contributions to the Burp Suite extension ActiveScan++, which help pinpoint how Unicode quirks can create security blind spots. The slides can be found here.

Reckoning with the Limits of Machine Intelligence

In the session Cybersecurity, AI, and Our Brains: A Fireside Chat with Gary Marcus, the renowned cognitive scientist and AI expert delivered a much-needed critique of the growing hype surrounding generative AI systems. Marcus dissected the risks and limitations of relying too heavily on tools like ChatGPT, warning against a phenomenon he referred to as "ChatGPT psychosis," where users overestimate the decision-making capabilities and reliability of these systems. Marcus also emphasized the potential of neuro-symbolic AI, which was a new term for me. If I'm correct in understanding this, neuro-symbolic AI is a hybrid approach combining neural networks with symbolic reasoning, to address the abstraction and reasoning challenges current systems cannot handle. The audience was urged to treat AI as a tool, not an oracle, and deploy it with a full understanding of its limitations.

HTTP/1.1 Must Die! The Desync Endgame

HTTP request smuggling, a decades-old attack method, is still alive and kicking—thanks to lingering weaknesses in HTTP/1.1 implementations, as the researcher revealed in HTTP/1.1 Must Die! The Desync Endgame. He demonstrated how desync attacks continue to be used to exploit weak request/response isolation and server behavioral quirks with Expect request headers. The session wasn't just about exposing vulnerabilities—it also introduced updates to the popular HTTP Request Smuggler Burp Extension. This makes it easier for security teams to identify and explore multiple desync risks within their own environments. The talk title says it all, but the researcher did reinforce the urgent need to transition to HTTP/2, which, due to its different request semantics, will help prevent these types of attacks. Read more about the research here.

A brief note on DEF CON

DEF CON, held alongside Black Hat, shifts the focus to core hacking and hands-on exploration. In an era dominated by AI and cutting-edge tech, I chose to spend my time in the Tamper Evidence Village, diving into the fundamentals of physical security. This is an often-overlooked yet critical area in the modern threat landscape. Along the way, I also caught a few technical talks, reinforcing the reminder that both the simplest physical vulnerabilities and sophisticated exploits can have massive impacts. That's it for this week. Hope you enjoyed the content!

Phishing, Malware, Breach and Open-Source Security
Notable security news for the week of July 20th-26th, 2025, brought to you by the F5 Security Incident Response Team. This week, your editor is Dharminder. In this edition, I have security news about an attacker who compromised an executive's Microsoft 365 account, accessed an invoice from the emails, altered it, and sent a fraudulent request from a nearly identical domain; malware which was embedded into the Steam early access game Chemia; the US nuclear weapons agency breached using a SharePoint vulnerability; and OSS Rebuild, a new initiative to enhance open-source software security.

Malware using LLM and law enforcement getting the hackers
This week is rich with incidents. From critical vulnerabilities being actively exploited to new ransomware operations using AI-driven tactics, cybersecurity threats continue to evolve at a rapid pace. Recent vulnerabilities, including the Citrix NetScaler and NVIDIA Container Toolkit flaws, highlight the pressing need for immediate patches and enhanced security measures. Meanwhile, the emergence of the GLOBAL GROUP ransomware-as-a-service (RaaS) operation and significant data breaches emphasize the growing threat landscape. Law enforcement actions against notorious cybercrime groups further underscore the ongoing efforts to combat these threats across borders. Until next time, keep it safe, Lior

TSA Drops Shoes, IoT and Roundup
Kyle Fox is back this week with a couple of writeups and the roundup. This week, we look at the current situation with changes to security measures at the TSA and what more needs to change. We also look at some ongoing problems with IoT long-term support.

TSA Drops Shoe Removals

For years, people in the United States have had to take off their shoes while going through security at the airport. A new policy was announced on July 8th that will no longer require people to take off their shoes. Unless they're me and travel wearing steel toe boots. This surprising reversal comes after 20 years of a policy enacted after shoe bomber Richard Reid attempted to blow up American Airlines Flight 63 in December of 2001 with PETN explosive smuggled in his shoes. Often lambasted as security theatre, we have to remember that the TSA, or something like it, is mandated by Annex 17 to the Chicago Convention on International Civil Aviation, which states: "4.4.1 Each Contracting State shall establish measures to ensure that originating passengers of commercial air transport operations and their cabin baggage are screened prior to boarding an aircraft departing from a security restricted area." (The PDF does not allow copying, so I had to type that all up.) And we generally don't want explosives on planes, or guns and dangerous knives making their way into the passenger cabin. So we still, in part, need what the TSA is doing. The original intention of creating the TSA was to standardize what they do, which was also something we were in dire need of at the time.

So what measures are security theatre? According to Bruce Schneier, the coiner of the term, his top three are now: liquid restrictions, body scanners, and the Screening Passengers by Observation Techniques (SPOT) program, now called Behavior Detection and Analysis (BDA).

Let's start by first examining the liquid rule. The rule was established after a 2006 plot to blow up planes using liquid explosives. The explosives would be made up using component liquids the plotters would bring onboard in innocuous-looking containers. Since then, the ICAO has issued guidance on screening liquids, and the result is the liquid restrictions. Since this is an international rule, it may be difficult to completely get rid of it without international cooperation, despite its having holes.

The next item on the list is body scanners. These do not appear to be required by ICAO regulations and are not used in many countries. These devices, even when working optimally, are capable of missing some very large weapon-like objects. The scanners have improved: when they first started, they were x-ray backscatter units that exposed travelers to unnecessary ionizing radiation. The new ones use millimeter-wave radar technology that should not pose a health risk. They still take up a lot of floor space and time in screening passengers.

Schneier's last item is the Screening Passengers by Observation Techniques (SPOT) program, which since 2016 has been called Behavior Detection and Analysis (BDA). This program is alleged to work by training TSA officers to observe passengers' stress levels and behavior to spot passengers who are concealing something or otherwise being deceptive. From that description it seems to be a human lie-detector program. Like the polygraph lie-detector, its efficacy has been disputed quite a bit. With airports and air travel often a high-stress situation for most of the traveling public, it seems to lead to the individual officers' biases showing through. This one seems to be the most ripe for getting rid of, so I expect it to hang on for a long time.

Belkin, IKEA and Nest and the Struggle to Find Long Term Support in IoT

Several announcements have come through in the last few weeks: first Belkin announced it was discontinuing support for some Smart Home devices that it previously sold, then IKEA announced that it was transitioning off Zigbee and to Thread, and finally Nest will discontinue support for some older devices. This has all highlighted the issues now surrounding a lot of IoT, mainly that as time goes on, support of these devices becomes an issue.

The first issue is that a lot of manufacturers want their IoT-enabled appliances to link back to servers that they run. While this allows users to access the devices from anywhere and lets the manufacturers push software updates to improve the devices and deal with security vulnerabilities, it also adds ongoing costs to supporting the devices and ties them to the manufacturer's continued support.

The next issue is that these devices contain software that needs to be updated periodically to resolve security issues. Often that still depends on the manufacturer to maintain the software and push updates. In some cases, this has been sidestepped by projects creating open firmware for discontinued devices. But as a rule, you'll only get updates until the manufacturer decides to shelve maintaining the code. While this would be perfectly fine if these were widgets that would last 5 years, it becomes a concern when you're talking about stuff installed in a house. For example, my house was built in 1978 and my breaker panel is from that era, but I have an Emporia Vue panel monitor.

The last issue is that as time goes on, companies may change the basic rules that their devices work with. With IoT, this often means going from Zigbee to Wifi or Bluetooth or some other combination of changes. Once these changes are made, the manufacturer could maintain compatibility, if they use a system with hubs, or they can dump the entire previous ecosystem. The IKEA transition is an example of this issue. It's currently not clear how the future support model for their existing Zigbee devices will work, but I expect some level of support to continue.

Roundup

Not really security related, but this week's YouTube recommendation is Patrick (H) Willems. From analyzing pop music soundtracks to ranking the most '80s movie, he has you covered in long-form cinema analysis. Plague's back in town. AI company leaks McDonald's job applications. Comcast Wifi Motion Detection? Apparently this field grew up. ChatGPT-hallucinated features are getting added to software. Because Bluetooth is complicated, another week, another Bluetooth attack.