Transcript
A (0:00)
From the CISO series. It's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Monday, November 10, 2025. I'm Steve Prentice.

runc flaws could allow attackers to escape Docker containers

There are actually three new vulnerabilities disclosed by Aleksa Sarai, a software engineer at Luxembourg-based open source software company SUSE and also a board member at the Open Container Initiative. The runc container runtime used in Docker and Kubernetes could be exploited to bypass isolation restrictions and get access to the host system, he says. The three issues all have CVE numbers, and runc is a universal container runtime and the OCI reference implementation for running containers. It is responsible for low-level operations such as creating the container process and setting up namespaces, mounts and cgroups that higher-level tools like Docker and Kubernetes can call. Currently, there have been no reports of any of the flaws being actively exploited in the wild.

Lost iPhone scam warning

The Swiss National Cybersecurity Center is warning iPhone users about a phishing scam that claims to have found a lost or stolen iPhone, with the true motive of stealing Apple ID credentials. The campaign is based on a message that users can set in Apple's Find My Phone app that appears on the lock screen, which can include an email address or phone number of another iPhone owned by the lost iPhone's owner or someone close to them. The threat actors may be using this information to send targeted phishing texts through SMS or iMessage to the displayed contact information, claiming to be from Apple's Find My team and stating that their phone had been found. The Swiss security center advises users to ignore any text messages like these, stating that Apple will never contact customers via SMS or email to report a found device.
Landfall Android spyware targets Samsung Galaxy phones

Security researchers from Palo Alto Networks Unit 42 uncovered a nine-month hacking campaign targeting Samsung Galaxy phones, primarily in the Middle East. The attackers used a commercial-grade Android spyware called Landfall, which exploited a previously unknown vulnerability in Galaxy image processing libraries. Delivered through WhatsApp as malicious DNG files, the spyware could secretly record audio, track location and steal photographs, messages and contacts, possibly without user interaction. DNG, by the way, stands for Digital Negative Images, a variation of TIFF image files. The flaw was patched in April 2025. Unit 42 noted similarities to Middle Eastern commercial spyware operations, but the perpetrators and number of victims remain unknown. The campaign's goal appeared to be targeted surveillance.

Huge thanks to our sponsor, Vanta. What's your 2am worry? Is it "Do I have the right controls in place?" or "Are my vendors secure?" Or the really scary one: "How do I get out from under these old tools and manual processes?" Enter Vanta. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and get back to sleep. Get started at vanta.com/headlines, that is V-A-N-T-A dot com slash headlines.

AI chat privacy at risk through Whisper Leak side-channel attack

Microsoft describes this attack as a side-channel attack that lets network snoopers infer AI chat topics despite encryption, risking user privacy.
It lets attackers who can monitor network traffic infer what users discuss with remote language models even when the data is encrypted, an activity that could expose sensitive details from user or enterprise conversations with streaming AI systems, creating serious privacy risks. In short, despite the encryption models used, attackers can infer token length, timing or cache patterns to guess prompt topics. Microsoft's Whisper Leak expands on these, showing how encrypted traffic patterns alone can reveal conversation themes.

Illuminate Education fined $5.1 million for poor data security practices leading to hack

Three state attorneys general announced on Thursday that the educational technology company Illuminate Education will pay a $5.1 million fine and agree to changes to its business to settle allegations that shoddy security practices led to a 2021 data breach. The breach exposed student names, races, coded medical conditions and whether they received special education accommodations. This impacted students in 49 states, and 3 million in California alone. The failings included an alleged failure to delete the login credentials of former employees, which is thought to be the resource used by the hackers. The company also allegedly failed to monitor its systems for suspicious activity and did not separately secure backup and active databases, which meant the backup databases were also compromised when the active database was breached.

Destructive time-bomb malware in industrial .NET extensions found and removed

Following up on a story covered by Sean Kelly in March of 2023, security experts have now helped remove malicious NuGet packages that had been planted in that year and were designed to destroy systems, especially safety-critical systems in manufacturing environments and specifically Siemens S7 programmable logic controllers. This destruction was scheduled to occur in 2027 and 2028. Researchers from Socket identified nine malicious packages on the .NET package manager and noted that the packages were comprised mostly of genuinely useful, legitimate code, making them more trustworthy.

Brian Krebs assesses US government's proposed TP-Link ban

In his recent blog, Brian Krebs states that the US government is considering banning sales of networking gear from TP-Link, a major player in consumer and small business routers, citing national security concerns over its reported ties to China and the high stakes of sensitive data passing through its hardware. TP-Link denies these risks, claiming it severed connections with its China-based parent and is US-headquartered, with design and manufacturing in Vietnam and Singapore. The article from Krebs warns that the issue is broader. Many other budget routers rely on China-sourced components and ship with known weak default settings, meaning the challenge is less about one brand than systemic security in home networking.

What are you doing at 4 o'clock Eastern this afternoon? Today? Monday? If the answer isn't joining us for the Department of Know, you better have a good excuse. If you haven't caught it yet, the Department of Know is your weekly stand-up to help you kick off your week in cybersecurity, and we want you to join us live. Get in on the chat, ask questions of our guests and have some fun with the rest of our audience. It all happens over on the CISO Series YouTube channel every Monday at 4pm Eastern Time. Just subscribe to the channel and join us this Monday to join in on the fun. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice reporting for the CISO Series.
