Researcher drops three iOS zero-days that Apple refused to fix
Proof-of-concept exploit code for three iOS zero-day vulnerabilities (and a fourth one patched in July) was published on GitHub after Apple delayed patching and failed to credit the person who reported them. Software developer Denis Tokarev found the four zero-days and reported them to Apple between March 10 and May 4. The company silently patched one of them in July with the release of iOS 14.7 without giving credit in the security advisory. Since then, all attempts to get an explanation for Apple’s failure to fix the remaining unpatched vulnerabilities, and for its refusal to give credit, have been ignored, even though further security advisories, for iOS 14.7.1, iOS 14.8, and iOS 15.0, have since been published.
Microsoft releases rollback fix for updates
Microsoft has released an emergency fix for the app freezing and crashing issues caused by September’s KB5005565 and KB5005101 cumulative updates. These issues only affected users who had enabled the Microsoft Exploit Protection Export Address Filtering (EAF) feature, which detects dangerous operations performed by malicious code or exploit modules. Microsoft warns that it might take up to 24 hours for the resolution to propagate automatically to consumer devices and non-managed business devices. Restarting your Windows device might help the resolution apply faster.
New Cooperative ransomware negotiations get hijacked
Following up on a story we brought you last week: less than 48 hours before the deadline arrived for Iowa-based grain organization New Cooperative to pay a ransom to BlackMatter, the negotiation chat was hijacked by a troll. The chat, which was taking place on Tor, included defiant and aggressive commentary from the supposed victim’s side, suggesting that BlackMatter instead deposit some bitcoin in the victim’s account as a good-faith demonstration, and used the catchphrase most often associated with Anonymous, “We are legion,” before adding, “no more chicken, pork and grain for you.” Cybersecurity experts say this is another example of how the hijacking of negotiations is entirely possible and can add complications for victims.
FBI had ransomware decryption key for weeks before giving it to victims
The effects of the Kaseya ransomware attack, which occurred in July and affected as many as 1,500 companies worldwide, could have been lessened, but weren’t. A new report from the Washington Post shows that, shortly after the attack, the FBI came into possession of a decryption key that could unlock victims’ data, but instead of sharing it, the bureau kept it secret for approximately three weeks. They did this, they said, as part of a plan to “disrupt” REvil, the gang behind the attack, and didn’t want to tip their hand. But before the FBI could put its plan into action, the gang mysteriously disappeared. The bureau finally shared the decryption key with Kaseya on July 21, about a week after the gang had vanished.
Thanks to our episode sponsor, VMware
Google warns of a new way hackers can make malware undetectable on Windows
Google’s Threat Analysis Group is describing a new evasion mechanism: malformed code signatures that Windows treats as valid but that OpenSSL code, which is used in a number of security scanning products, is unable to decode or check. The mechanism was observed being used by a notorious family of unwanted software known as OpenSUpdater, which is used to download and install other suspicious programs on compromised systems. Most targets of the campaign are users located in the U.S. who are prone to downloading cracked versions of games and other grey-area software.
The Port of Houston successfully defends itself against nation-state cyberattack
A statement issued by Port officials reads, “The Port of Houston Authority successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.” CISA Director Jen Easterly disclosed the attack at a Senate committee hearing Thursday morning. She believed the attack was conducted by a “nation-state actor” that exploited a zero-day flaw in a Zoho user authentication device.
Critical Cisco bugs allow code execution on wireless, SD-WAN
Cisco is warning that three critical security vulnerabilities affect its flagship IOS XE software, the operating system for most of its enterprise networking portfolio. The flaws impact Cisco’s wireless controllers, its SD-WAN offering, and configuration mechanisms used in a wide range of products. The most severe of the critical bugs is an unauthenticated remote-code-execution (RCE) and denial-of-service (DoS) bug affecting the Cisco Catalyst 9000 family of wireless controllers. The networking giant has released patches for all of them as part of a comprehensive 32-bug update released this week.
Fisher-Price releases work-from-home toy for preschoolers
Keeping pace with the ever-changing hybrid work and school situation, the My Home Office toy from Fisher-Price includes a pretend laptop with four fabric overlays representing desktop apps (and even a Zoom call with the cat), a wooden smartphone and headset, and a takeout coffee cup. The toy’s landing page leads with the following copy: “Better grab a latte to go, that report is due this morning and there’s a call with the dog across the street after naptime.” You too can make your preschooler the boss of their own workstation, for $26.99.