Weekly Roundup: A Google Researcher Found an iOS Vulnerability That Exposes All Your Data


This week’s roundup discusses a huge iOS vulnerability that can steal your private information, the unstoppable BEC attacks, and how cybercriminals are targeting the COVID-19 cold chain. Take a look at the top cybersecurity news of this week.

iOS isn’t Safe and AWDL is Even Worse 

This is insane. Over 30,000 words with pictures and code have been shared by a Google Project Zero researcher, Ian Beer, about a significant Apple iOS vulnerability.

Basically, the gist of his bible of epic proportions is this: this vulnerability could have easily allowed a creepy hacker to use your Wi-Fi and get access to any nearby iOS device. In simpler words, a remote hacker can capitalize on this vulnerability and see your photos, messages, emails, and track every mobile app if you have an iOS device.

When it comes to iOS devices, the real vulnerability lies in the Wi-Fi driver that is linked with Apple Wireless Direct Link (AWDL). The AWDL protocol is occasionally used for connecting devices via AirDrop and AirPlay. 

By exploiting this buffer overflow vulnerability, any hacker could have installed malicious code on Apple’s iPhone 11 to gain full access to your device. Who would have thought Apple’s iPhone can be that vulnerable? Most people buy iPhones because they think they have secure software.

Here is a video showing Beer taking control of various iOS phones with a laptop click: 

This vulnerability is terrifying. No wonder army centers and government officials are not allowed to use mobile phones during top secret meetings. Even the White House has banned personal cell phones in the West Wing. You can’t even trust air-gapped devices nowadays so it’s better to have a meeting without cell phones (let’s not discuss President Trump here). 

It’s worth noting that this vulnerability is so bad that attackers don’t require backdoor access anymore on the same Wi-Fi network. That’s how bad this is. You could have your iPhone completely connected to your LTE network and off Wi-Fi, and you can still fall victim to this breach. No one in the modern iOS ecosystem is spared. Bugs like these are the reason why some companies need a white hat hacker.

So we urge you: you must always update your iOS devices and have security protocols in place just in case someone decides to snoop into your device. When the next iOS patch is out, don’t walk, run.

The worst part is that this particular iOS vulnerability can impact all iOS devices that are connected to the same Wi-Fi network. Imagine a hacker doing this at a coffee shop, a train station, a bar, or any mall. Do you remember Sherlock Holmes hacking into devices like this? When Detective Lestrade was giving a brief, Sherlock sent a message to every reporter in the room. That was cool. And it’s now easier than ever.

Yup. In reality, there are many smart people, besides Sherlock Holmes, who only need a device with an internet connection to penetrate all interconnected systems. This time, it’s not so cool because it could happen to you.

FBI Warns American Companies of BEC Attacks

The Federal Bureau of Investigation (FBI) has warned all companies in the United States that they are on the verge of Business Email Compromise (BEC) attacks. Cybercriminals are now using auto-forwarding and BEC attacks on web-based email clients to track those companies’ private activities. Auto-forwarding works best on web-based email clients as compared to desktop email clients.

FYI: If you are stone-faced right now and have no clue about BEC attacks, a BEC attack is a super targeted email scam. A cybercriminal tries to steal email credentials using a phishing attack and then impersonates a company employee to gather private information. A wolf in disguise.

Moreover, there have been a few recent attacks on medical and manufacturing companies where cybercriminals used BEC attacks. The attackers forwarded emails with pre-configured rules and specifically looked for words like payment, invoice, bank, check (or cheque, for those of you Brits and Aussies), or wire. All the related information matching these specific words is then sent back to the attacker’s email address.
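Defenders can look for exactly this pattern by auditing inbox rules for external forwarding filtered on finance words. The script below is an added example, not code from the FBI warning or the original article; the rule export format, its field names (`mailbox`, `name`, `contains`, `forward_to`), the addresses and the `example.com` internal domain are all constructed assumptions.

```python
import re

# Words the article says the attackers' forwarding rules searched for.
FINANCE_KEYWORDS = {"payment", "invoice", "bank", "check", "cheque", "wire"}
# Assumption: domains the organisation owns; anything else is external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export of inbox rules (field names are hypothetical).
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": ".",
     "contains": ["Invoice", "wire transfer"], "forward_to": ["archive@mail-example.net"]},
    {"mailbox": "cfo@example.com", "name": "sync",
     "contains": [], "forward_to": ["cfo.backup@example.org"]},
    {"mailbox": "hr@example.com", "name": "payroll team",
     "contains": ["payment"], "forward_to": ["payroll@corp.example.com"]},
    {"mailbox": "it@example.com", "name": "newsletters",
     "contains": ["digest"], "forward_to": []},
]


def is_external(address):
    """True when the address is outside every internal domain or subdomain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def matched_keywords(rule):
    """Finance keywords that appear as whole words in the rule's conditions."""
    words = set(re.findall(r"[a-z]+", " ".join(rule["contains"]).lower()))
    return sorted(words & FINANCE_KEYWORDS)


def audit(rules):
    """Return one finding per rule that forwards mail outside the organisation."""
    findings = []
    for rule in rules:
        external = [a for a in rule["forward_to"] if is_external(a)]
        if not external:
            continue
        keywords = matched_keywords(rule)
        # External forwarding filtered on finance words is the pattern described
        # above; an unfiltered external forward still leaks mail, so it is listed.
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "external": external, "keywords": keywords,
                         "severity": "high" if keywords else "review"})
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_RULES), sep="\n")
```

Rules that forward only to internal addresses, or that do not forward at all, are skipped, so the output stays short enough to review by hand.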

Sigh! These attacks are actually easier to pull off for any cyber attacker because they involve phishing campaigns. You only need one non-tech (sometimes techy too) person to click on a phishing email and the whole company will bend their knees in front of a ransomware attacker simply because they have no other choice. The attackers use these phishing campaigns and kits to steal email credentials and impersonate finance executives of any company.

According to the FBI, US companies bled up to $1.8 billion due to BEC attacks and scams in 2019. That’s why they issued a warning notifying all the companies to stay vigilant and use rock-solid security protocols.

This news calls for company-wide security checks, especially for those who are working in the finance department or communicate with vendors every day. If you are an employee who is working at a medical equipment or manufacturing company, then show your IT departments and managers this news. You can also take precautions on your own by using multi-factor authentication and complex passwords or a VPN app.

IBM Predicts COVID-19 Cyber Espionage

You might have heard the good news about the COVID-19 vaccine that will be rolling out in many countries. Finally! But like we have previously warned you in our weekly roundups, attackers won’t stop looking for opportunities to pounce. 

A research team called X-Force at IBM said that cybercriminals have started a global phishing campaign targeting the COVID-19 cold chain. The cold chain is part of the vaccine supply chain that preserves the vaccine in storage as well as transportation. 

The attackers are sending the following email to various employees working in these vaccine-providing companies to accelerate the phishing campaign. 

We will not add fuel to the fire by saying this might be a country-backed phishing attack. Cybercriminals have previously targeted medical companies since the start of the global pandemic. They will continue to do so as long as they are minting money in millions of dollars. The phishing attacks keep getting more advanced over time.

During a phishing attack, the attacker is looking to either spread malware into your system or steal credentials so he can impersonate you and communicate with other employees. You should: 

  • Keep changing your passwords every month
  • Write down passcodes on a piece of paper instead of your desktop folders
  • Never click on an unknown email
  • Avoid clicking on links especially when you are using a company device 

That’s good cyber hygiene. 

TL;DR: Well, if you haven’t got the chance to read our entire weekly news roundup, then the bottom line is that cyber attackers know that the easiest way to penetrate company systems is through a phishing attack. We have covered quite a bit of news indicating how badly a single employee without basic security common sense can harm companies of all sizes.

To make a long story short, if you are online then you are a target. So, stay safe and combat cyber threats with security weapons like an internet firewall, endpoint security, a VPN, or any other tool that hides you from these attacks. 

Author: PureVPN

Date: November 24, 2022
