SANS Stormcast Wednesday, November 5th, 2025: Apple Patches; Exploits against Trucking and Logistic; Google Android Patches
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9686.mp3
My Next Class
| Course | Location | Dates |
| --- | --- | --- |
| Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
| Network Monitoring and Threat Detection In-Depth | Online (Central European Time) | Dec 15th - Dec 20th 2025 |
Apple Patches Everything, Again
Apple released a minor OS upgrade across its lineup, fixing a number of security vulnerabilities.
https://isc.sans.edu/diary/Apple%20Patches%20Everything%2C%20Again/32448
Remote Access Tools Used to Compromise Trucking and Logistics
Attackers infect trucking and logistics companies with regular remote management tools to inject malware into other companies or learn about high-value loads in order to steal them.
https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics
Google Android Patch Day
Google released its usual monthly Android updates this week.
https://source.android.com/docs/security/bulletin/2025-11-01
Podcast Transcript
Hello and welcome to the Wednesday, November 5th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cloud security.

And we got patches from Apple. Now the patches were actually released on Monday. I didn't get them into the Monday or Tuesday podcast, so covering them now. We got a total of 110 vulnerabilities addressed in these patches. And as typical for Apple, we got updates for pretty much every single product of theirs, with a lot of overlap between those products, just because the underlying operating system has a lot of overlap as well. There are a couple of vulnerabilities here that I sort of point out, and that's memory corruption vulnerabilities in ImageIO, also in the font parser. These types of vulnerabilities have in the past been exploited for remote code execution. Apple's notes to their patches are always very sparse, so really hard to tell how exploitable these memory corruptions are and whether they actually will lead to code execution. Also, we got at least one memory corruption in WebKit that of course affects Safari and anything sort of exposed via a website that a user may visit. There's also, as usual for Apple, a separate Safari update. The reason you have this is because some of the older operating systems, well, they may now need a newer version of Safari to address the WebKit issues that Apple patched, because they originally came with an older version of Safari. But for the current operating systems, you shouldn't really see a separate Safari update. Xcode also was updated, and that's also whenever they update the operating system. Of course, Xcode, which is Apple's development environment, well, has to be updated as well. So overall, nothing terribly exciting, nothing that's already being exploited, but certainly patches that you probably want to apply sometime this week if possible.

Well, I've got an interesting blog post by Proofpoint showing how cyber criminals are targeting trucking and logistics. So what's happening here is that these criminals, their end goal is to steal trucks or the load being transported by those trucks. But in order to do so, they need to know which trucks actually have a load worth stealing. A lot of times, it sort of happens randomly, where basically just parked trailers and such are being stolen with whatever load they have. But for cyber criminals, of course, it's much better to then be able to figure out which truck actually has a high-value load. The way this particular scheme works is that they initially compromise one company, one trucking or logistics company, just via standard fake emails and phishing. And once they take control of one company, they're using legitimate remote management and monitoring tools like your standard LogMeIn and things like that, in order to then basically see what they're working on. But they're also using that initial access to then infect other trucking companies by, for example, posting fake loads and fake offers for work on various systems that these trucking companies use. And those fake offers are then often being used to trick a victim into clicking on malicious links and downloading and installing malware just by, for example, posting PDFs and the like. So basically, standard phishing tricks. But by being inside these systems, it's, of course, a lot more convincing to get a user to execute or open an attachment. The end goal, as I said, is just to figure out which truck has a particularly valuable load and then steal it. And apparently the losses for these particular schemes are ranging in the billions at this point.

From a defensive point of view, well, you always need to control these remote management tools. That's probably, I think, the biggest lesson here from this particular compromise. They're often used in ransomware attacks and other attacks where an attacker, in order to gain persistent access to a system, just installs a legitimate remote management tool instead of an obvious malicious one, which, of course, is much easier to detect by anti-malware endpoint protection systems.

And we don't just have patches from Apple. Google also released its usual scheduled monthly update. This is the November 2025 update that they published for Android. The vulnerabilities are actually kind of similar in scope to what I just talked about when it came to Apple. So we have a couple of vulnerabilities here that sort of could lead to these single-click or no-click exploits, where just viewing an image or something like this will lead to a system compromise. For example, we have here one vulnerability in what Google refers to as System, so basically the basic operating system, that does allow remote code execution and is assigned a severity of critical, affecting Android back to version 13. A little bit more detail here from Google than we do get from Apple, with this severity and also the type actually indicating that remote code execution is possible here with this particular vulnerability. As usual, apply these Android patches as they become available for your particular device. Of course, there may be a delay depending on your carrier and what device you are using.

Well, and that's it for today. So thanks for listening, and special thanks to anybody who is recommending this podcast on Apple's podcast site and also leaving a comment there. And that's it for today, and talk to you again tomorrow. Bye.