September 10, 2025 • 10 mins

Phishing Scams, Leaked Stream Keys, Zero-Day Android Vulnerabilities, and Bounties on Russian Hackers

In this episode of Cybersecurity Today, host Jim Love discusses several critical cybersecurity issues. Attackers are using iCloud calendar invites for phishing scams, leveraging Apple's system to bypass security checks. The US Department of Defense has exposed livestream credentials, risking hijack and fake content insertion. Billions of Android phones are vulnerable due to unpatched critical zero days, and Google has only fixed issues for Pixel devices so far. Additionally, the US State Department has placed a $10 million bounty on three Russian FSB hackers responsible for attacks on energy companies. Jim emphasizes the importance of securing digital assets and maintaining strong cybersecurity practices.

00:00 Introduction and Headlines
00:24 Phishing Scam via iCloud Calendar Invites
03:18 US Department of Defense Livestream Vulnerabilities
05:53 Critical Android Zero-Day Vulnerabilities
07:38 US Bounty on Russian FSB Hackers
09:42 Conclusion and Contact Information

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
iCloud calendar invites are hijacked for a phishing scam.
US Department of Defense livestream credentials are left exposed.
Billions of Android phones are vulnerable as critical
zero days are exploited. The US puts a $10 million bounty on Russian
FSB hackers, justice or just PR.

(00:20):
This is Cybersecurity Today.
I'm your host, Jim Love.
Attackers have found a new way to send phishing messages that look
like they come straight from Apple.
They're using iCloud calendar invites to push their scams
through Apple's own servers.
Here's how it works.
Instead of sending a normal email, criminals create

(00:41):
fake calendar invites.
In the notes section, they type the scam message like a warning about a
$599 PayPal charge with a phone number to call. But here's the thing: because
the calendar invite is sent through Apple's iCloud system, it shows up
as coming from a real Apple address.

(01:02):
That means it passes the usual checks that email systems use to catch fakes, so
it sails past things like spam filters.
And then the attackers forward the invite through Microsoft 365 using something
called the sender rewriting scheme.
Now, that tool is there to help legitimate forwarded emails pass security
checks, but in this case, it keeps the phishing invite looking valid

(01:27):
even after it's forwarded. The result is the scam lands in your
calendar looking trustworthy.
And if you call the number, the attackers will try to trick you into giving
remote access, downloading malware, or handing over personal information.
I will add a quick editorial note to this.
We've seen a similar trick with PayPal earlier.

(01:49):
This isn't just about calendar invites.
It's part of a bigger trend.
We've all been trained and we've trained our staff to check that stuff comes
from a legitimate email address, but that might not be good enough anymore.
Just this past week I got what I'm sure is a spear phishing email that also

(02:09):
came from an authentic Apple address.
It wasn't the same as this attack.
I checked it out pretty carefully, but I couldn't believe that Apple would ever ask
me to follow a link in an email to change my password, and I wouldn't do it anyway.
But you think they would, or at least they should say, just go change your password.

(02:30):
So that was the trigger for me, because if it was a phishing attempt and I
think it was, it was damn convincing.
I think it would've fooled a lot of people.
And like this last story, it slipped right past our email filters.
The key takeaway.
You have to treat unexpected calendar invites the same way
you treat suspicious emails.

(02:52):
Don't click.
Verify the claim directly.
And what we always tell our users, if it bugs you even a little, don't click.
Ask somebody.
And if I'm a nutcase and Apple really is sending out links that we're supposed
to click on to change our passwords, I have only one question for them.

(03:14):
Have you lost your freaking minds?
The US Department of Defense, like many other organizations, will
broadcast live videos to platforms like YouTube and X, but those live
streams can often easily be hacked.
When the stream key, the password that allows the video to go live, is exposed,

(03:37):
anyone can take control.
It's like handing strangers the keys to your official megaphone.
And this isn't hypothetical.
In 2018, stream keys for US Cyber Command were publicly accessible.
More recently, just before the defense secretary's live stream where they
handed out burgers to the troops,

(03:57):
the keys for Pentagon channels on X, Facebook and YouTube were easily
discoverable with simple searches.
That means attackers could hijack an official feed or insert fake content
that looks authoritative. In today's environment where artificial intelligence
could create convincing fake audio or video, the danger is even bigger.

(04:21):
Imposters have already used AI to mimic Secretary of State Marco Rubio's
voice in calls to US politicians and even foreign ministers. And security
experts are warning that if something like this appears on an official live
stream, you can imagine this being used for some sort of confusion event.

(04:41):
We've all seen how powerful even a short-lived hoax can be.
In 2023, a fake image of smoke rising near the Pentagon caused
a dip in the stock market.
If such deceptive content were broadcast through an official
defense channel, even for a few minutes, the impact could be global.
But the other point is that if you're sloppy in one area, it's

(05:04):
an indication of a cultural issue; you're probably sloppy in other areas.
Not only does that make for bad security, but it also makes you a target,
because this isn't the only lapse.
Earlier this year, officials reportedly discussed a bombing campaign in
Yemen on Signal, in a group chat that included a journalist. Back to this case.

(05:29):
The lesson is clear: stream keys need to be treated like passwords.
Rotate them, store them securely, lock them down with the same
care as any sensitive system.
'Cause the idea of never leaving access to anything exposed should
be part of a culture of security.
Or of good defense.

(05:53):
Google has confirmed that attackers are actively exploiting two critical
zero day vulnerabilities in Android.
But here's the problem.
While Google has issued an emergency fix for Pixel devices, more than a billion
other Android phones remain unpatched.
The flaws are tracked as CVE 20 25 02 1 7 a kernel memory bug, and CVE 20

(06:17):
25 0 4 6 2 a runtime vulnerability.
Both can be used to take control of a device without any action from the user.
These aren't theoretical.
They're already being used in real world attacks.
Pixel phones are protected because Google controls the update process, but for the

(06:39):
vast Android ecosystem, updates depend on phone makers and carriers, and these
will take time to get patched, and that's for the devices that are supported.
Believe it or not, there are an enormous amount of Android devices
still in use, often years old, that are now outside of support.

(06:59):
So that leaves a huge number of phones permanently exposed.
For businesses, this raises an issue in an age of bring your own device.
If more than a billion phones are unpatched, and a large number of those
might be unpatchable, organizations may need to set minimum standards for any
phone that connects to your corporate networks if you haven't done that already.

(07:23):
Otherwise, one vulnerable handset could be the entry point for an attacker.
I will put it this way.
You wouldn't let someone connect an unpatched Windows laptop to your system,
so why would you allow an unpatched phone?
And finally, the US State Department has put a $10 million bounty on three
Russian FSB cyber operatives accused of targeting critical infrastructure.

(07:48):
The group is tied to attacks on more than 500 energy companies in 135 countries.
They exploited an old Cisco flaw, CVE-2018-0171, to break into
these networks, and you might think,
how big a deal could that be?
Well, their campaigns even reached into nuclear facilities and refinery safety

(08:10):
systems, and that's just one example.
Let's just say they got people's attention.
But it's been a long time since these hackers were doing those attacks, and the
three of them, Marat Ov Mikhail Gavrilov and Paval aov are intelligence officers.
So realistically, are they likely to ever try to set foot in a Western country

(08:33):
where extradition would be possible?
The question is, is this more symbolic than practical?
Maybe, but it does send a clear signal that crimes won't be forgotten
no matter how much time passes.
And the other thing is that dangling millions of dollars
introduces a different kind of risk.

(08:54):
It encourages crooks to turn on crooks.
Sowing distrust inside hacker organizations and between
individuals is a new tactic for law enforcement, but one that's working.
It might not stop an operation entirely, but it can slow them down.
If you caught our show we did a couple weeks back on ransomware

(09:15):
groups, you'll find out often they don't like each other very much.
Some even hate each other.
And if you didn't catch that show, go back and look it up.
It's good.
I'll put a link in the show notes later today.
But while the odds of an arrest are slim, the message is strong.
You can hide behind borders, but a price on your head will follow you forever.

(09:39):
Not a bad message to send actually.
And that's our show for today.
You can reach me with tips, comments, or even constructive criticism.
Find me at technewsday.com or .ca.
Use the Contact Us Forum.
I'm your host, Jim Love.
Thanks for listening.