Security News > 2021
Apple on Monday shipped the long-awaited iOS and iPadOS 14.5 update with patches for at least 50 documented security vulnerabilities. The patch, which is currently being rolled out via the iOS and iPadOS automatic-updating mechanism, includes a fix for a WebKit vulnerability that Apple believes may have been exploited in the wild by attackers.
In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer's request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States. Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian's website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.
Popular musical instrument marketplace Reverb has suffered a data breach after an unsecured database containing customer information was exposed online. Reverb is the largest online marketplace devoted to selling new, used, and vintage musical instruments and equipment.
Android mobile phone users across the U.K. and Europe are being targeted by text messages containing a particularly nasty piece of spyware called "Flubot," according to the U.K.'s National Cyber Security Centre. The malware is delivered to targets through SMS texts and prompts them to install a "Missed package delivery" app.
The REvil ransomware gang has mysteriously removed Apple's schematics from their data leak site after privately warning Quanta that they would leak drawings for the new iPad and new Apple logos. Earlier this month, the ransomware gang conducted an attack on Quanta, a Taiwan-based original design manufacturer that helps manufacture the Apple Watch, Apple MacBook Air, and the Apple MacBook Pro.
HashiCorp, an open-source company whose Terraform product is widely used for automated cloud deployments, has revealed a private code-signing key was exposed thanks to the compromised Codecov script discovered earlier this month. Specifically, it said "a subset of HashiCorp's CI pipelines used the affected Codecov component" and "The GPG private key used for signing hashes used to validate HashiCorp product downloads... was exposed."
The data breaches caused by the Clop ransomware gang exploiting a zero-day vulnerability have led to a sharp increase in the average ransom payment calculated for the first three months of the year. Clop's attacks did not encrypt a single byte but stole data from large companies that relied on Accellion's legacy File Transfer Appliance and tried to extort them with high ransom demands.
Apple has fixed a zero-day vulnerability in macOS exploited in the wild by Shlayer malware to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads. The Jamf Protect detection team discovered that, starting January 2021, unsigned and unnotarized Shlayer samples created by the Shlayer threat actors began exploiting a zero-day vulnerability, discovered and reported to Apple by security engineer Cedric Owens.
Researchers in Germany say they reported what they consider to be an AirDrop privacy hole to Apple in 2019, but never heard back. They went away and worked on what they consider an improved version, dubbed Privacy Drop, and recently announced it to the world.
Nvidia has disclosed a group of security vulnerabilities in the Nvidia graphics processing unit display driver, which could subject gamers and others to privilege-escalation attacks, arbitrary code execution, denial of service and information disclosure. The Nvidia virtual GPU software also has a group of bugs that could lead to a range of similar attacks.