Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.

Source: Kenishirotie via Alamy Stock Photo

Arguably, no advanced persistent threat (APT) enjoys as much notoriety as Sandworm, otherwise known as Military Unit 74455 within Russia's military intelligence (GRU). Its highlight reel includes NotPetya, an attack against the 2018 Winter Olympics, and two effective assaults on Ukraine's power grid. More recent activities include a campaign against Denmark's energy sector and an unsuccessful attempt to down Ukraine's grid for a third time, followed by a successful attempt.

In a sign of the times, Sandworm has subtly been shifting toward quieter, more widespread intrusions. Microsoft, which tracks the group as "Seashell Blizzard," has identified a subgroup within 74455 focused solely on gaining initial access to high-value organizations across major industries and geographic regions. It calls this subgroup "BadPilot."

**Sandworm's IAB, BadPilot**

Since at least late 2021, BadPilot has been performing opportunistic attacks against Internet-facing infrastructure, taking advantage of known vulnerabilities in popular email and collaboration platforms. Notable examples include Zimbra's CVE-2022-41352, the Microsoft Exchange bug CVE-2021-34473, and CVE-2023-23397 in Microsoft Outlook. All three of these vulnerabilities received "critical" 9.8 out of 10 scores in the Common Vulnerability Scoring System (CVSS).

BadPilot uses these critical vulnerabilities to gain useful initial access to traditionally high-value organizations: telecommunications companies, oil and gas companies, shipping companies, arms manufacturers, and entities of foreign governments. Targets have ranged from Ukraine and broader Europe to Central and South Asia and the Middle East.

Since early 2024, BadPilot has expanded to access targets in the US and UK as well. For this, it has made particular use of bugs in remote monitoring and management software: CVE-2023-48788, for example, a remote injection opportunity in the Fortinet Forticlient Enterprise Management Server (EMS), and the rare 10 out of 10 CVSS-rated CVE-2024-1709, allowing for authentication bypass in ScreenConnect by ConnectWise.

After gaining its foothold on a targeted system, BadPilot follows all the usual steps of any average hacking operation. It promptly establishes persistence using its custom "LocalOlive" Web shell, as well as copies of legitimate remote management and monitoring (RMM) tools, or "ShadowLink," which configures compromised systems as Tor hidden services. It collects credentials, performs lateral movement, exfiltrates data as necessary, and sometimes performs further post-compromise activities.

"There is not a lack of sophistication here, but a focus on agility and obtaining goals," says Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. "These TTPs work because this threat actor is persistent and continues pursuing its objectives."

**The Impact in Ukraine**

Ultimately, BadPilot's job is to lubricate more significant attacks by its parent group, and, by extension, empower its controlling government. While a lot of its activity seems opportunistic, Microsoft wrote, "its compromises cumulatively offer Seashell Blizzard options when responding to Russia's evolving strategic objectives."

It may or may not be a coincidence, for example, that the group came into being just months before Russia's invasion of Ukraine. As that war began, and Russia peppered its neighbor with more cyberattacks than ever before, BadPilot was right in the mix, helping gain access to organizations perceived to be providing political or military support to its adversary. Additionally, Microsoft says, the group has enabled at least three destructive attacks in Ukraine since 2023.

Sandworm has targeted critical infrastructure across Ukraine since the war started, including telecommunications infrastructure, manufacturing plants, transportation and logistics, energy, water, military and government organizations, and other infrastructure meant to support the civilian population. It has also targeted military communities for the purpose of intelligence gathering.

"These threat actors are persistent, creative, organized, and well-resourced," DeGrippo emphasizes. For this reason, "Critical sectors need to ensure that they sustain above-average security practices, patch their software, monitor Internet-facing assets, and enhance their overall security posture."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally

Apple fixes the USB Restricted Mode flaw in iOS 18.3.1 and iPadOS 18.3.1.  Vulnerability exploited in targeted attacks.…

Apple fixes the USB Restricted Mode flaw in iOS 18.3.1 and iPadOS 18.3.1.  Vulnerability exploited in targeted attacks. Update your iPhone/iPad now.

Apple has issued an urgent security update for iPhones and iPads, addressing a significant vulnerability that has, reportedly, already been exploited in targeted attacks. Tracked as CVE-2025-24200, the vulnerability affects the USB Restricted Mode, a security feature introduced in 2018 to protect devices from unauthorized access. 

For your information, this security feature is designed to disable the Lightning or USB ports of iPhones and iPads if they remain locked for more than an hour. Normally, these ports are re-enabled once the user authenticates and unlocks their device.   

However, it appears that this protection mechanism itself has been compromised. The bug can be exploited by an attacker with physical possession of a locked phone, enabling them to re-enable the data port and potentially allowing further intrusion. Apple has acknowledged that this flaw can disable the feature.

“A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an “extremely sophisticated” attack against specific targeted individuals,” the iPhone maker’s advisory read.

Security experts believe that Apple’s unusual choice of words, describing the exploit as “extremely sophisticated,” highlights the seriousness of the issue.   

The National Institute of Standards and Technology (NIST) has also assessed this vulnerability, describing it as an “authorization issue” that has been resolved through “improved state management.”  

The company has released patches, iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5 to address this issue. These updates are available for a wide range of devices, including iPhone XS and later models, as well as various iPad Pro, iPad Air, iPad Mini, and standard iPad models.

The vulnerability was discovered by Bill Marczak, a senior researcher at the Citizen Lab. While Apple has not provided detailed information about the attack or the specific methods used, the discovery by the Citizen Lab suggests a possible connection to sophisticated surveillance techniques, potentially at the nation-state level.

> Update your iPhones.. again! iOS 18.3.1 out today with a fix for an ITW USB restricted mode bypass (via Accessibility) https://t.co/jcrsab7RGu pic.twitter.com/ER42QQcsLj
> 
> — Bill Marczak (@billmarczak) February 10, 2025

Apple Confirms ‘Extremely Sophisticated’ Exploit Threatening iOS Security

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

**Microsoft** today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, as Microsoft says it is being exploited, has low attack complexity, and no requirements for user interaction.

**Tenable** senior staff research engineer **Satnam Narang** noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).

“CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,” Narang said. “At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.”

The other zero-day, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. Microsoft’s advisory on this bug references something called “CWE-59: Improper Link Resolution Before File Access,” says no user interaction is required, and that the attack complexity is low.

**Adam Barnett**, lead software engineer at **Rapid7**, said although the advisory provides scant detail, and even offers some vague reassurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.

“As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,”Barnett wrote.

One vulnerability patched today that was publicly disclosed earlier is CVE-2025-21377, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes — essentially allowing an attacker to authenticate as the targeted user without having to log in.

According to Microsoft, minimal user interaction with a malicious file is needed to exploit CVE-2025-21377, including selecting, inspecting or “performing an action other than opening or executing the file.”

“This trademark linguistic ducking and weaving may be Microsoft’s way of saying ‘if we told you any more, we’d give the game away,'” Barnett said. “Accordingly, Microsoft assesses exploitation as more likely.”

The SANS Internet Storm Center has a handy list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which often has the scoop on any patches causing problems.

It’s getting harder to buy Windows software that isn’t also bundled with Microsoft’s flagship Copilot artificial intelligence (AI) feature. Last month Microsoft started bundling Copilot with **Microsoft Office 365**, which Redmond has since rebranded as “**Microsoft 365 Copilot**.” Ostensibly to offset the costs of its substantial AI investments, Microsoft also jacked up prices from 22 percent to 30 percent for upcoming license renewals and new subscribers.

Office-watch.com writes that existing Office 365 users who are paying an annual cloud license do have the option of “Microsoft 365 Classic,” an AI-free subscription at a lower price, but that many customers are not offered the option until they attempt to cancel their existing Office subscription.

In other security patch news, **Apple** has shipped iOS 18.3.1, which fixes a zero day vulnerability (CVE-2025-24200) that is showing up in attacks.

**Adobe** has issued security updates that fix a total of 45 vulnerabilities across **InDesign**, **Commerce**, **Substance 3D** **Stager**, **InCopy**, **Illustrator**, **Substance 3D Designer** and **Photoshop Elements**.

**Chris Goettl** at **Ivanti** notes that **Google Chrome** is shipping an update today which will trigger updates for Chromium based browsers including **Microsoft Edge**, so be on the lookout for Chrome and Edge updates as we proceed through the week.

Microsoft Patch Tuesday, February 2025 Edition

Privacy, security, and unrestricted access are the promises of a personal VPN. But what does it actually do,…

Privacy, security, and unrestricted access are the promises of a personal VPN. But what does it actually do, and why do so many people rely on it? In an era of constant digital surveillance, increasing cyber threats, and growing concerns over data privacy, VPNs (Virtual Private Networks) have surged in popularity.

But not all VPNs are created equal. Some are designed for corporate use, while others cater to individuals looking for enhanced online anonymity. So, let’s break it down: What is a personal VPN? How does it work? And what benefits does it bring to the table?

****Understanding Personal VPNs****

A Personal VPN is a service that encrypts your internet traffic and routes it through a secure server, masking your IP address and online activities. Unlike business or corporate VPNs, which are typically used to provide remote employees with access to internal company networks, personal VPNs focus on individual users who want to protect their privacy, bypass geo-restrictions, or stay safe on public Wi-Fi.

Think of it as a digital invisibility cloak, one that shields you from prying eyes, whether they belong to hackers, advertisers, or even your own Internet Service Provider (ISP).

But why does this matter? Consider this: 70% of internet users worldwide are concerned about their online privacy (Statista, 2023). That’s a lot of people looking for ways to stay anonymous, avoid tracking, and prevent data breaches.

****How Does a Personal VPN Work?****

A VPN functions like a secure tunnel between your device and the internet. Here’s a simplified breakdown of what happens when you connect to a VPN server:

*   **Your device encrypts all outgoing internet traffic.** This means your browsing data, passwords, and online activities become unreadable to outsiders.

*   **The encrypted data is sent to a VPN server, located in a different region or country.** Your real IP address is replaced with one from the VPN server, making it appear as if you’re browsing from that location.

*   **The server forwards your requests to the internet.** Websites and services see only the VPN server’s IP address, not yours.

*   **Incoming data follows the same path back, fully encrypted.** This prevents hackers, ISPs, and governments from snooping on your activity.

****What Is a Personal VPN Server?****

For those who want even more control, a personal VPN server is an option. Instead of relying on a commercial VPN provider, you can set up your own VPN server; on a cloud platform, a home router, or a dedicated server. This offers:

*   **Full control over security settings**

*   **No reliance on third-party VPN providers**

*   **Faster speeds with fewer users sharing the server**

However, setting up a personal VPN server requires technical knowledge and maintenance. Most people opt for paid VPN services instead.

****Key Features of a Personal VPN********1\. Strong Encryption****

A good VPN uses AES-256 encryption; the same standard used by governments and banks. It ensures that even if your data is intercepted, it remains unreadable.

****2\. No-Logs Policy****

Some VPNs keep logs of your online activity, which defeats the purpose of using one. The best VPNs follow a strict no-logs policy, meaning they don’t track or store user data.

****3\. Multiple Server Locations****

Want to access Netflix libraries from different countries? A VPN with global server locations lets you bypass geo-blocks and censorship.

****4\. Kill Switch****

If your VPN connection drops unexpectedly, a kill switch cuts off your internet to prevent data leaks.

****5\. Split Tunneling****

Some users need certain apps to bypass the VPN. Split tunneling allows you to choose which traffic goes through the VPN and which doesn’t.

****6\. Fast Speeds****

VPNs can slow down your connection, but top-tier services use high-speed servers to **minimize lag and buffering**.

****What Is the Best VPN for Personal Use?****

With so many options, what is the best personal VPN? The answer depends on your needs. It is quite difficult to choose the most balanced solution in terms of security features, anonymity, functionality, speed, number of servers and price. According to VeePN VPN, users should choose a VPN with a proven history of protecting their privacy.

****What Is a Personal VPN on an iPhone?****

If you’ve ever seen a “Personal VPN” option in your iPhone settings, you might wonder what it means. Apple allows users to configure VPN connections manually or use third-party VPN apps. The built-in option is designed for those with a VPN configuration file (such as one provided by an employer or a self-hosted VPN).

****Benefits of Using a Personal VPN********1\. Privacy Protection****

Your ISP can see everything you do online. A VPN stops this by encrypting your traffic, preventing tracking, data collection, and targeted ads.

****2\. Security on Public Wi-Fi****

Hackers love public Wi-Fi networks. Airports, coffee shops, hotels. A VPN encrypts your data, making it useless to cybercriminals.

****3\. Access Restricted Content****

Whether it’s streaming services, websites blocked in your country, or social media platforms, a VPN can bypass geo-restrictions and censorship.

****4\. Safe Torrenting****

Downloading torrents can expose your real IP address. A VPN masks your identity, ensuring anonymous and secure torrenting. (Avoid downloading pirated software, eBooks, or engaging in any other illegal activities while torrenting.)

****5\. Avoid Bandwidth Throttling****

Some ISPs slow down your connection based on your activities (e.g., streaming, gaming). A VPN hides your activity, preventing speed throttling.

****6\. Better Online Deals****

Airline tickets, hotel rates, and rental services sometimes offer different prices based on your location. A VPN lets you change your virtual location and find better deals.

At the end of the day, a personal VPN is all about keeping your online activity private, secure, and unrestricted. Whether you want to protect your data on public Wi-Fi, stop your ISP from tracking you, or access content from different parts of the world, a good VPN can make a big difference. Not all VPNs are the same, so it’s important to pick one that actually protects your privacy without slowing you down. If you’re serious about staying safe online, using a VPN is one of the easiest and smartest ways to do it.

What Is a Personal VPN? Features, Benefits, and How It Works

The vulnerability could allow a threat actor to disable the security feature on a locked device and gain access to user data.

Source: Simon Dack via Alamy Stock Photo

NEWS BRIEF

Apple has released a security update for a vulnerability that the tech giant reports may have been exploited in an "extremely sophisticated attack."

Not only that, but these attacks targeted specific individuals, though Apple has not provided any further information.

The vulnerability, tracked as CVE-2025-24200, could allow for a physical attack to disable USB Restricted Mode on a locked device.

USB Restricted Mode is a feature that makes it more difficult for threat actors to unlock a user's phone. When active, a phone's lightning port will only allow charging after the device has been locked for more than an hour, meaning that if an unauthorized actor attempted to connect a locked iPhone to a device to access its data, they could only do so with the necessary credentials.

The security update to fix this vulnerability is available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch third generation and later, iPad Pro 11-inch first generation and later, iPad Air third generation and later, iPad seventh generation and later, and iPad mini fifth generation and later.

Users of any of these devices should install updates as soon as possible and can check if they're updated to the latest software version by going to their settings.

These kinds of vulnerabilities are usually deployed by commercial spyware vendors, such as Pegasus, to target particular individuals, so the average user shouldn't be concerned about being targeted while the details of the attack remain unpublished. However, if they are published, copycat cybercriminals will try to imitate this attack vector, hence the urgency in updating to the latest version.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Apple Releases Urgent Patch for USB Vulnerability

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats.

Source: vska via Alamy Stock Photo

COMMENTARY

The Chinese-linked hacking group Salt Typhoon recently was detected lurking in major US telecommunication systems, exposing nearly every American's communications to Chinese intelligence and security services. 

In response, on Dec. 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint statement recommending that American citizens and companies adopt end-to-end encrypted communication tools to avoid exposing sensitive information to China. While this advice is prudent to secure communications, hasty adoption of these technologies could result in regulatory noncompliance for organizations in highly regulated industries. These organizations should carefully examine both their security risk and regulatory obligations as they adopt new security solutions.

**Background: Salt Typhoon**

Salt Typhoon exploited legacy systems throughout the telecommunications industry that were too old to implement modern cybersecurity practices, with some parts dating back to the late 1970s. Commonly accepted baseline cyber protections like multifactor authentication were not implemented. While the scope of this attack is widespread, including voice calls and SMS messages, US intelligence officials noted that communications within encrypted communication applications such as Apple's iMessage, Meta's WhatsApp, and Signal were not exposed.

Salt Typhoon marks one of the most sophisticated attacks on US critical infrastructure in history. US officials have concluded that every major telecommunications provider has been implicated. China remains the most active and persistent cyber threat to the United States, and the Salt Typhoon campaign marks one of the most sophisticated attacks on US critical infrastructure in history. 

**Security vs. Compliance: Adopting End-to-End Encryption Technologies**

US cybersecurity and intelligence officials advised companies and individuals to adopt end-to-end encrypted applications for communications where only the sender and the intended recipients can access the content of the communication. End-to-end encryption works by securing the content of communications using cryptographic keys at both the sender and recipient. The end result is data in transit is secure, rendering the contents of any intercepted or compromised communications indecipherable without the cryptographic key, including by Internet service providers and telecommunications companies — and foreign hackers targeting those entities.

While end-to-end encrypted applications provide obvious advantages for security, many are not designed to comply with the data retention and access requirements imposed upon certain highly regulated industries. 

In the financial services sector, Securities and Exchange Commission (SEC) Rule 17a-4(b)(4) requires that communications received and sent by a member, broker, or dealer that relate to the business of an organization are to be retained for at least three years. Additionally, Section 802 of the Sarbanes-Oxley Act requires accountants who audit or review financial statements to retain records, which include any communications relevant to the audit or review. 

In the healthcare sector, Section 164.312(e) of the Health Insurance Portability and Accessibility Act (HIPAA) requires that covered entities implement technical safeguards to prevent unauthorized access to electronic protected health information (ePHI) that is being transmitted over an electronic communications network. Many encrypted communications applications restrict a covered entity's ability to monitor for or audit unauthorized disclosure of ePHI. Additionally, Section 164.350(j) of HIPAA requires that covered entities retain documentation of any communications containing ePHI for at least six years. 

**Recommendations**

As Salt Typhoon has revealed, unsecured communications of executives and employees across every sector may be targeted by Chinese intelligence services for exploitation. In this new environment, balancing communications security with compliance can be challenging. To appropriately navigate these risks, organizations in every sector should consider three things.

First, organizations should implement end-to-end encryption for all business communications internally and, to the greatest extent practicable, externally. There are numerous mobile and desktop applications currently available that are designed to serve this purpose. For companies in regulated industries, it is important to also consider regulatory retention, monitoring, and auditing requirements when considering these tools. Such organizations should seek to implement solutions that can ensure appropriate encryption standards for messaging, collaboration, and voice and video calls specifically configured to allow for auditing and data preservation. 

Second, organizations should implement policies and procedures to guide the use of encrypted communications. For example, many encrypted communication applications allow users to individually establish time-based purge rules for messages. While valuable for information security, this could render an organization non-compliant with data retention and audit requirements. Where possible, such functions should be disabled for individuals and archiving tools should be in place. Additionally, employees should receive regular training on communications security and regulatory compliance.

Third, a key lesson from Salt Typhoon is that baseline cybersecurity measures still provide meaningful defenses against malicious parties. Cybersecurity measures such as multifactor authentication, use of password managers, encrypting data at rest and in motion, and ensuring that all software and hardware are modern and equipped with the latest updates will give organizations a much stronger cybersecurity posture. 

**Conclusion**

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats. However, in doing so, organizations need to balance the security imperatives with their regulatory obligations. 

**About the Authors**

Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

Michael McLaughlin is the co-leader of Buchanan Ingersoll & Rooney’s Cybersecurity and Data Privacy practice group. Michael advises clients in matters involving cybersecurity, public policy, and government relations. Michael helps clients navigate the complexities of cybersecurity, data privacy and the related regulatory landscape. Michael is the co-author of Battlefield Cyber: How China and Russia Are Undermining Our Democracy and National Security.

Jillian Cash, Associate, Corporate Section, Buchanan Ingersoll & Rooney

Jillian Cash is an associate Buchanan’s Corporate Section, where she focuses on a variety of corporate, transactional, and cybersecurity matters.

Kellen Carleton, Associate, Corporate Finance and Technology Group, Buchanan Ingersoll & Rooney

Kellen Carleton is an associate in Buchanan’s Corporate Finance and Technology group where he focuses on a variety of corporate, transactional, and cybersecurity matters.

Salt Typhoon's Impact on the US &amp; Beyond

Apple has released an out-of-band security update for a vulnerability which it says may have been exploited in an "extremely sophisticated attack against specific targeted individuals.”

Apple has released an emergency security update for a vulnerability which it says may have been exploited in an “extremely sophisticated attack against specific targeted individuals.”

The update is available for:

*   iOS 18.3.1 and iPadOS 18.3.1 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
*   iPadOS 17.7.5 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** \> **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

Update now

**Technical details**

The new-found zero-day vulnerability is tracked as CVE-2025-24200. When exploited, the vulnerability would allow an attacker to disable USB Restricted Mode on a locked device. The attack would require physical access to your device

The introduction of USB Restricted Mode feature came with iOS 11.4.1 in July 2018. The feature was designed to make it more difficult for attackers to unlock your iPhone. When USB Restricted Mode is active, your device’s Lightning port (where you plug in the charging cable) will only allow charging after the device has been locked for more than an hour. This means that if someone tries to connect your locked iPhone to a computer or other device to access its data, they won’t be able to do so unless they have your passcode.

To enhance data security, especially when traveling or in public places, it is recommended that you enable USB Restricted Mode in your device settings. If your iPhone, iPad or iPod Touch is running iOS 11.4.1 or later, USB Restricted Mode is automatically on by default, but if you want to check and enable USB Restricted Mode, this can be done by going to **Settings** > **Face ID & Passcode** or **Touch ID & Passcode** > **(USB) Accessories** and toggling off (grey) the **(USB) Accessories** option. Enabling this setting adds an extra layer of protection against unauthorized data access.

Accessories are safe now

Please note: toggling the option to green turns this feature off.

Vulnerabilities like these typically target specific individuals as deployed by commercial spyware vendors like Pegasus and Paragon. This means the average user does not need to fear attacks as long as the details are not published. But once they are, other cybercriminals will try to copy them.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple fixes zero-day vulnerability used in &#8220;extremely sophisticated attack&#8221; 

The UK has demanded Apple provides it with a worldwide backdoor into iCloud backups. Privacy organizations are furious.

Last week, an article in the Washington Post revealed the UK had secretly ordered Apple to provide blanket access to protected cloud backups around the world. Since then, privacy focused groups have uttered their objections.

The UK government has demanded to be able to access encrypted data stored by Apple users worldwide in its cloud service. However, Apple itself doesn’t have access to it at the moment, only the holder of the Apple account can access data stored in this way.

Neither the Home Office nor Apple responded on the record to queries about the demand served by the Home Office under the Investigatory Powers Act (IPA) , but the BBC confirmed that it had heard the same information from reliable sources.

Privacy International said the demand is a “misguided attempt” that uses disproportionate government powers to access encrypted data, which may:

> “Set a damaging precedent and encourage abusive regimes around the world to take similar actions.”

The Electronic Frontier Foundation (EFF) stated:

> “Encryption is one of the best ways we have to reclaim our privacy and security in a digital world filled with cyberattacks and security breaches, and there’s no way to weaken it in order to only provide access to the good guys.”

The main goal for the Home Office is an optional feature that turns on end-to-end encryption for backups and other data stored in iCloud. This feature is called Advanced Data Protection. Enabling Advanced Data Protection (ADP), protects the majority of your iCloud data — including iCloud Backup, Photos, Notes, and more — using end-to-end encryption.

For some time, these backups presented law enforcement agencies with a loophole to obtain access to data otherwise not available to them on iPhones with device encryption enabled. If the user hasn’t enabled ADP, this loophole still exists.

The EFF recommends users should turn off the option to create iCloud backups should the UK get its way. As the EFF has said before, and we agree, there is no backdoor that only works for the “good guys” and only targets “bad guys.” It’s all or nothing, and the bad guys will have enough money to find alternatives, while regular users may run out of free options if governments keep doing this.

**What can I do?**

How you wish to proceed after this news is obviously up to you, but we have some options you may be interested in. If you think Apple will stand up against the UK’s Home Office you can enable iCloud backup and Advanced Data Protection.

But if you want to find another place for your backups, these instructions may come in handy.

****How to turn off iCloud backups********On iPhone or iPad****

*   Tap **Settings** > {username} > **iCloud On your iPhone or iPad**.
*   This will list the devices with iCloud Backup turned on.
*   To delete a backup, tap the name of a device, then tap **Turn Off and Delete from iCloud** (or **Delete & Turn Off Backup**).

iCloud backup disabled

****On Mac****

*   Click **Manage** > **Backups**.
*   A list of devices that have iCloud Backup turned on is shown.
*   To delete a backup, select a device, then click **Delete** or the **Remove** button.

Note: If you turn off iCloud Backup for a device, any backups stored in iCloud are kept for 180 days before being deleted.

**How to turn on Advanced Data Protection**

If you haven’t enabled ADP and you want it, first update the iPhone, iPad, or Mac that you’re using to the latest software version.

Turning on ADP on one device enables it for your entire account and all your compatible devices.

****On iPhone or iPad****

1.  Open the **Settings** app.
2.  Tap your name, then tap **iCloud**.
3.  Scroll down, tap **Advanced Data Protection**, then tap **Turn on Advanced Data Protection**.
4.  Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

****On Mac****

1.  Choose **Apple menu** > **System Settings**.
2.  Click your name, then click **iCloud**.
3.  Click **Advanced Data Protection**, then click **Turn On**.
4.  Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

Note: If you’re not able to turn on Advanced Data Protection for a certain period of time, the onscreen instructions may provide more details.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple ordered to grant access to users&#8217; encrypted data 

Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild.
Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack.
This

Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update

PRESS RELEASE

WASHINGTON – Eric Council, 25, of Athens, Alabama, entered a guilty plea today to one count of conspiracy to commit aggravated identity theft in United States District Court for the District of Columbia. Council was arrested on October 17, 2024, in connection with his role in a conspiracy to hack into the X account of the U.S. Securities and Exchange Commission (SEC) and publish fraudulent posts in the name of the then-SEC Chairman. 

The plea was announced by U.S. Attorney Edward R. Martin, Jr., Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division, SEC Inspector General Deborah Jeffrey and FBI Special Agent in Charge Sean Ryan of the Washington Field Office, Criminal and Cyber Division.

Council’s plea was entered before U.S. District Court Judge Amy Berman Jackson in the District of Columbia. He faces a maximum sentence of five years in prison, a $250,000 fine, and up to three years of supervised release. His sentencing is scheduled for May 16, 2025.

According to court documents, from at least January 2024, Council conspired with others to carry out Subscriber Identity Model (SIM) attacks, commonly referred to as “SIM swaps,” in exchange for money. 

A SIM card is a chip that stores information identifying and authenticating a cell phone subscriber and connects a physical cell phone to a mobile carrier’s cellular and data network. A SIM swap attack is a form of sophisticated fraud where criminal actors fraudulently induce a mobile carrier to reassign a mobile phone number from a victim’s SIM card to a SIM card and telephone controlled by a criminal actor attempting to access valuable information associated with the victim’s telephone. Members of SIM swapping groups conduct SIM swaps for the purpose of defeating multifactor authentication and/or two-step verification security features for internet connected accounts, such as social media and virtual currency accounts. 

After convincing a mobile carrier to reassign a phone number to a new SIM card in the criminal actor’s control, members of the conspiracy generate password reset security authentication codes for online accounts and those codes are in turn sent to the telephone in the control of the criminal actor. Members of SIM swap groups share the security reset codes with one another to unlawfully access a victim’s internet connected accounts and complete the fraud. 

On or about January 9, 2024, Council, and others, executed a SIM swap of the mobile phone account associated with the @SECgov X account, the official account of the SEC. The purpose of this SIM swap was to gain unauthorized access to this government account in order to make fraudulent posts. 

Before January 9, a member of the conspiracy had identified the authorized user for the phone number linked to the official @SECgov X account. Council received instruction from a co-conspirator to perform the SIM swap on this phone line, along with information to make the needed fake ID, that is, an image of an ID card template with the authorized user’s name on it but Council’s face, and information purporting to be the user’s date of birth and social security number. 

Council used his portable ID card printer to create a physical ID which he used to impersonate the victim at an AT&T store in Huntsville, Alabama. Council provided false information to the AT&T store employee to explain why he needed a replacement SIM card. Council obtained the SIM card linked to the victim’s phone line and walked to a nearby Apple store where he purchased a new iPhone to use in the crime.  He inserted the SIM card to activate the phone, received the @SECGov X password reset codes on this new phone linked to the victim’s SIM card and used his personal cell phone to take a photo of the @SECgov X account reset code to share with his co-conspirators. After passing along the password reset codes, Council drove to Birmingham, Alabama and immediately returned the iPhone for cash.   

A member of the conspiracy used the reset code to gain access to the @SECGov X account and issue a fraudulent post in the name of the then-SEC Chairman, falsely announcing SEC approval of Bitcoin (BTC) Exchange Traded Funds (ETFs). The price of BTC increased by more than $1,000 following the post. Shortly after this unauthorized post, the SEC regained control over their X account and confirmed that the announcement was unauthorized and the result of a security breach, which caused the value of BTC decreased by more than $2,000.

Council also admitted to attempting to perform additional SIM swaps in June 2024 in Alabama. In June 2024, the FBI executed a search warrant at an Athens, Alabama, apartment where he resided. Agents recovered a fake identification card and a portable ID card printer. They also recovered a laptop computer.  

Pursuant to the search warrant, agents searched the laptop and discovered templates for additional fake identification cards stored on the laptop along with internet searches for

“SECGOV hack,” “telegram sim swap,” “how can I know for sure if I am being investigated by the FBI,” “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them,” “what are some signs that the FBI is after you,” “Verizon store list,” “federal identity theft statute,” and “how long does it take to delete telegram account.” 

Council admitted to receiving approximately $50,000 from members of the conspiracy to perform SIM swap during the previous six months.   

This case is being investigated by the FBI Washington Field Office Criminal and Cyber Division, the SEC-Office of Inspector General, the U.S. Attorney’s Office for the District of Columbia, and the Computer Crime and Intellectual Property Section (CCIPS) and Fraud Section’s Market Integrity and Major Frauds Unit of the Justice Department’s Criminal Division. Significant assistance was provided by the FBI’s Birmingham Field Office.

The prosecution is being handled by Assistant United States Attorney Kevin Rosenberg, CCIPS Trial Attorney Ashley Pungello, and Fraud Section Trial Attorney Lauren Archer. Valuable assistance was provided by Assistant United States Attorney John Hundscheid from the Northern District of Alabama.

For more information on SIM swapping, go to: https://www.ic3.gov/PSA/2024/PSA240411

Tag

#apple