Two Apple Zero Days 🍎, Ransomware Target Against S3 🪣, CVE renewed for 11 months 🛡

Together With Flashpoint

TLDR Information Security 2025-04-17

What we learned about 2025 cyber threats from analyzing 3.6 petabytes of web data (Sponsor)

Flashpoint's Threat Intelligence Report looks at more than 3.6 petabytes of data from the hardest-to-reach corners of the web — revealing 2.1B stolen credentials and 5,742 ransomware attacks in 2024, with five major RaaS groups responsible for nearly half.

Get a free copy of the report to discover:

  • Current threats — from infostealers to the growing impact of geopolitical tensions.
  • Tactics, techniques, and procedures (TTPs) used by today's most prolific threat actors, including ransomware-as-a-service groups and malware developers.
  • How to reduce critical patching workloads by 83% and focus on the real threats.

📥 Download the 2025 Global Threat Intelligence Report

🔓 Attacks & Vulnerabilities

CVE, global source of cybersecurity info, was hours from being cut by DHS (3 minute read)

The Common Vulnerabilities and Exposures (CVE) repository, a 25-year-old program run by MITRE for DHS, serves as the global cybersecurity standard for identifying and documenting security vulnerabilities. Yesterday, there were rumors that MITRE's contract would expire, but it has received an 11-month extension from CISA, averting potential widespread disruption to vulnerability management worldwide.
Apple Fixes Two Zero-Days Exploited in Targeted iPhone Attacks (2 minute read)

Apple has released emergency security updates to patch two new zero-day vulnerabilities exploited in sophisticated attacks against iPhones. The first vulnerability is a flaw in CoreAudio, which can be exploited by processing an audio stream in a malicious file to execute remote code. The second vulnerability is a flaw in RPAC that allows attackers with read or write access to bypass Pointer Authentication, a security feature that protects against memory corruption vulnerabilities.
Huge Ransomware Campaign Targets AWS S3 Storage (3 minute read)

Security researchers have discovered a publicly accessible server containing 1,229 unique AWS credentials. Upon investigation, the researchers found that the active keys were used in S3 ransomware campaigns, where the attackers utilized SSE-C to encrypt S3 bucket data and demanded 0.3 BTC (~$25,000) per victim. In some cases, the highly automated attackers were willing to offer a "proof of decryption" test file restoration.
🧠 Strategies & Tactics

EDV - Endpoint Detection & Vibes (4 minute read)

EDV is a tool that feeds Windows Sysmon security events to Microsoft's Copilot AI through WebSocket connections, asking it to identify malicious activity. Testing with known attack techniques showed Copilot could detect about 40% of malicious events not blocked by Windows Defender, though with inconsistent results and false positives.
Access Denied? Not Always! Hunting IDORs and Access Control Flaws (9 minute read)

IDOR vulnerabilities occur when attackers manipulate direct object references, such as IDs in URLs, to access data they are not authorized to see. As a common form of Broken Access Control, these flaws are prevalent in web applications, relatively easy to find, and highly impactful. This guide walks through how bug bounty hunters regularly find and exploit them.
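An added example, not code from the linked guide, showing the missing ownership check that turns an ID in the URL into an IDOR, with the hardened handler beside it. The in-memory invoice store, the `Forbidden` exception and the `audit_lookups` helper are hypothetical names constructed for this snippet.

```python
from dataclasses import dataclass


@dataclass
class Invoice:
    id: int
    owner: str
    total: float


# Constructed sample data: two users, one invoice each.
INVOICES = {
    101: Invoice(101, "alice", 120.0),
    102: Invoice(102, "bob", 80.0),
}


class Forbidden(Exception):
    """Raised when the authenticated user may not access the referenced object."""


def get_invoice_vulnerable(session_user, invoice_id):
    """IDOR: the caller-supplied id is trusted as-is, so any logged-in user
    can read any invoice simply by changing the number in the URL."""
    return INVOICES.get(invoice_id)


def get_invoice_fixed(session_user, invoice_id):
    """Fixed: resolve the reference, then check it against the authenticated
    principal before returning anything. Unknown and foreign ids fail the
    same way, so the response does not reveal which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        raise Forbidden(f"invoice {invoice_id} not accessible to {session_user}")
    return inv


def audit_lookups(handler, session_user, ids):
    """Review check: which ids does `handler` hand to `session_user` that
    belong to someone else? A correct handler returns an empty list."""
    leaked = []
    for invoice_id in ids:
        try:
            inv = handler(session_user, invoice_id)
        except Forbidden:
            continue
        if inv is not None and inv.owner != session_user:
            leaked.append(invoice_id)
    return leaked
```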
Detecting C2-Jittered Beacons with Frequency Analysis (7 minute read)

Frequency analysis is a technique that allows for the detection of anomalies in a set of data. This post details how Fourier Transforms can be used to shift data to the frequency domain and then detect C2 beaconing behavior. When a C2 beacon utilizes jitter to vary its periodicity, a sliding window must be used to properly detect the activity.
🧑‍💻 Launches & Tools

Symbiotic brings AI detection, remediation, and education directly into the IDE (Sponsor)

Developers are moving fast - your security should too. Symbiotic Security v1 helps you ship secure code without slowing down. With AI-powered remediation, real-time contextual training, and an AI chat assistant built into your IDE, security works with developers to accelerate their flow. Teams can save an estimated $750+ per developer, per month. Speed and security, finally aligned. Get started.
Aurascape (Product Launch)

Aurascape helps corporate IT departments monitor AI employee usage across thousands of AI applications—both approved and unauthorized. The technology tracks interactions, decodes prompt-response data, and evaluates security risks, even for less common AI tools.
Content (GitHub Repo)

Security automation content in SCAP, Bash, Ansible, and other formats.
ollvm-unflattener (GitHub Repo)

ollvm-unflattener is a Python tool to deobfuscate control flow flattening applied by OLLVM.
🎁 Miscellaneous

Guess what happens when ransomware fiends find 'insurance' 'policy' in your files (4 minute read)

Companies with cyber insurance face ransomware demands 2.8 times higher than uninsured victims, as criminals specifically search for insurance policies during attacks. Insured victims pay more often (44% vs 24%) and pay significantly larger amounts.
Security Operations with RunReveal's MCP Server (4 minute read)

SIEM provider RunReveal released an MCP server for use with its product. In this post, RunReveal provides insights into some ways that its customers are using the MCP server for threat hunting with Cursor, investigating GuardDuty alerts, and tuning and testing alerts. RunReveal believes that enriching and standardizing data to make it easier for LLMs to query is the future of its product.
The Windows Registry Adventure #6: Kernel-mode objects (66 minute read)

This blog post focuses on kernel-mode registry objects essential for runtime hive management. It meticulously examines key internal structures, including _CMHIVE, _HHIVE, memory mapping mechanisms, cell maps, and key control blocks that collectively enable registry functionality like transaction management and synchronization. The post provides detailed explanations of these previously undocumented structures based on reverse engineering of Windows Server 2019, noting these findings apply to Windows 11 as well.

Quick Links

Krebs Exits SentinelOne After Security Clearance Pulled (2 minute read)

Chris Krebs resigned from SentinelOne after his security clearance was revoked and a presidential order was issued to review CISA's conduct under his leadership.
BidenCash Market Dumps 1 Million Stolen Credit Cards on Russian Forum (3 minute read)

BidenCash Market leaked over 910,000 stolen credit card records on a Russian forum without names but with card details.
Microsoft warns of blue screen crashes caused by April updates (2 minute read)

Microsoft has advised Windows 11 users of blue screen crashes following recent updates and suggests using Known Issue Rollback or Group Policy for fixes - deployment guidance is available on its support website.

Love TLDR? Tell your friends and get rewards!

Share your referral link below with friends to get free TLDR swag!
Track your referrals here.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them!

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.