
Phishing Scams, Leaked Stream Keys, Zero-Day Android Vulnerabilities, and Bounties on Russian Hackers In this episode of Cybersecurity Today, host Jim Love discusses several critical cybersecurity issues. Attackers are using iCloud calendar invites...
iCloud calendar invites are hijacked for a phishing scam. U.S. Department of Defense livestream credentials are left exposed. Billions of Android phones are vulnerable as critical zero-days are exploited. And the US puts a $10 million bounty on Russian FSB hackers. Justice or just PR? This is Cybersecurity Today. I'm your host, Jim Love.

Attackers have found a new way to send phishing messages that look like they come straight from Apple. They're using iCloud calendar invites to push their scams through Apple's own servers. Here's how it works. Instead of sending a normal email, criminals create fake calendar invites. In the notes section, they type the scam message, like a warning about a $599 PayPal charge with a phone number to call. But here's the thing. Because the calendar invite is sent through Apple's iCloud system, it shows up as coming from a real Apple address. That means it passes the usual checks that email systems use to catch fakes, so it sails past things like spam filters. And then the attackers forward the invite through Microsoft 365 using something called the Sender Rewriting Scheme. Now, that tool is there to help legitimately forwarded emails pass security checks. But in this case, it keeps the phishing invite looking valid even after it's forwarded. The result is the scam lands in your calendar looking trustworthy. And if you call the number, the attackers will try to trick you into giving remote access, downloading malware, or handing over personal information.

I'll add a quick editorial note to this. We've seen a similar trick with PayPal earlier. This isn't just about calendar invites. It's part of a bigger trend. We've all been trained, and we've trained our staff, to check that stuff comes from a legitimate email address. But that might not be good enough anymore. Just this past week, I got what I'm sure is a spear phishing email that also came from an authentic Apple address. It wasn't the same as this attack.
I checked it out pretty carefully, but I couldn't believe that Apple would ever ask me to follow a link in an email to change my password. And I wouldn't do it anyway. But you'd think they would, or at least they should, say: just go change your password. So that was the trigger for me, because if it was a phishing attempt, and I think it was, it was damn convincing. I think it would have fooled a lot of people. And like this last story, it slipped right past our email filters. The key takeaway: you have to treat unexpected calendar invites the same way you treat suspicious emails. Don't click; verify the claim directly. And what we always tell our users: if it bugs you even a little, don't click, ask somebody. And if I'm a nutcase and Apple really is sending out links that we're supposed to click on to change our passwords, I have only one question for them. Have you lost your freaking minds?

The U.S. Department of Defense, like many other organizations, will broadcast live videos to platforms like YouTube and X. But those live streams can often easily be hacked. When the stream key, the password that allows the video to go live, is exposed, anyone can take control. It's like handing strangers the keys to your official megaphone. And this isn't hypothetical. In 2018, stream keys for US Cyber Command were publicly accessible. More recently, just before the Defense Secretary's livestream, where they handed out burgers to the troops, the keys for Pentagon channels on X, Facebook, and YouTube were easily discoverable with simple searches. That means attackers could hijack an official feed or insert fake content that looks authoritative. In today's environment, where artificial intelligence can create convincing fake audio or video, the danger is even bigger.
Imposters have already used AI to mimic Secretary of State Marco Rubio's voice in calls to US politicians and even foreign ministers, and security experts are warning that if something like this appears on an official livestream, you can imagine this being used for some sort of confusion event. We've all seen how powerful even a short-lived hoax can be. In 2023, a fake image of smoke rising near the Pentagon caused a dip in the stock market. If such deceptive content were broadcast through an official defense channel, even for a few minutes, the impact could be global. But the other point is that if you're sloppy in one area, it's an indication of a cultural issue. You're probably sloppy in other areas. Not only does that make for bad security, but it also makes you a target. Because this isn't the only lapse. Earlier this year, officials reportedly discussed a bombing campaign in Yemen on Signal in a group chat that included a journalist. But back to this case, the lesson is clear. Stream keys need to be treated like passwords. Rotate them, store them securely, lock them down with the same care as any sensitive system. Because the idea of never leaving access to anything exposed should be part of a culture of security, or of good defense.

Google has confirmed that attackers are actively exploiting two critical zero-day vulnerabilities in Android. But here's the problem. While Google has issued an emergency fix for Pixel devices, more than a billion other Android phones remain unpatched. The flaws are tracked as CVE-2025-0217, a kernel memory bug, and CVE-2025-0462, a runtime vulnerability. Both can be used to take control of a device without any action from the user. These aren't theoretical. They're already being used in real-world attacks. Pixel phones are protected because Google controls the update process. But for the vast Android ecosystem, updates depend on phone makers and carriers, and these will take time to get patched.
And that's for the devices that are supported. Believe it or not, there is an enormous number of Android devices still in use, often years old, that are now outside of support. So that leaves a huge number of phones permanently exposed. For businesses, this raises an issue in an age of bring your own device. If more than a billion phones are unpatched, and a large number of those might be unpatchable, organizations may need to set minimum standards for any phone that connects to your corporate networks, if you haven't done that already. Otherwise, one vulnerable handset could be the entry point for an attacker. Put it this way: you wouldn't let someone connect an unpatched Windows laptop to your system, so why would you allow an unpatched phone?

And finally, the US State Department has put a $10 million bounty on three Russian FSB cyber operatives accused of targeting critical infrastructure. The group is tied to attacks on more than 500 energy companies in 135 countries. They exploited an old Cisco flaw, CVE-2018-0171, to break into these networks. And you might think, how big a deal could that be? Well, their campaigns even reached into nuclear facilities and refinery safety systems, and that's just one example. Let's just say they got people's attention. But it's been a long time since these hackers were doing those attacks. And the three of them, Marat Tyukov, Mikhail Gavrilov and Pavel Akulov, are intelligence officers. So realistically, are they likely to ever try to set foot in a Western country where extradition would be possible? The question is, is this more symbolic than practical? Maybe. But it does send a clear signal that crimes won't be forgotten, no matter how much time passes. And the other thing is that dangling millions of dollars introduces a different kind of risk. It encourages crooks to turn on crooks. Sowing distrust inside hacker organizations and between individuals is a new tactic for law enforcement, but one that's working.
It might not stop an operation entirely, but it can slow them down. If you caught the show we did a couple of weeks back on ransomware groups, you'll find out they often don't like each other very much. Some even hate each other. And if you didn't catch that show, go back and look it up. It's good. I'll put a link in the show notes later today. But while the odds of an arrest are slim, the message is strong. You can hide behind borders, but a price on your head will follow you forever. Not a bad message to send, actually.

And that's our show for today. You can reach me with tips, comments, or even constructive criticism. Find me at technewsday.com or .ca. Use the Contact Us form. I'm your host, Jim Love. Thanks for listening.
Host: Jim Love
Date: September 10, 2025
This episode dives into the latest wave of targeted phishing attacks using iCloud calendar invites, explores weak points in government livestreaming security, covers critical vulnerabilities affecting billions of Android phones, and analyzes the US government’s high-profile bounty on Russian FSB hackers. Jim Love breaks down each story, offering context, expert insights, and actionable security advice for businesses and individuals.
[00:10–04:00]
Attackers’ New Method:
Cybercriminals are leveraging iCloud calendar invites as a channel to deliver phishing scams, exploiting the inherent trust in Apple’s own infrastructure.
Bypassing Security Filters:
Implications:
Love stresses that the old advice — “verify the sender’s address” — is no longer fully reliable as phishing grows more sophisticated.
Editorial Note:
Quote:
“If it was a phishing attempt, and I think it was, it was damn convincing. I think it would have fooled a lot of people. And like this last story, it slipped right past our email filters.”
— Jim Love [03:30]
Advice:
“Treat unexpected calendar invites the same way you treat suspicious emails. Don’t click, verify the claim directly. And what we always tell our users: if it bugs you even a little, don't click, ask somebody.”
— Jim Love [03:45]
Memorable Moment:
“And if I’m a nutcase and Apple really is sending out links that we’re supposed to click on to change our passwords, I have only one question for them. Have you lost your freaking minds?”
— Jim Love [04:00]
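As an added illustration (not from the episode or any product), this small Python check applies Jim's advice to mail filtering: score what the invite actually says instead of trusting that the message passed SPF/DKIM. The sample invite, the SRS-style return path and the indicator lists are all constructed for the example.

```python
import re

# Constructed sample modelled on the invite described in the episode.
# The SRS-rewritten Return-Path is illustrative, not a real rewrite.
SAMPLE_INVITE = {
    "from": "noreply@email.apple.com",
    "return_path": "SRS0=abcd=XY=icloud.com=invitee@forwarder.example",
    "auth_results": "spf=pass dkim=pass",
    "ics": (
        "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
        "ORGANIZER;CN=PayPal Billing:mailto:someone@icloud.com\r\n"
        "SUMMARY:Payment receipt\r\n"
        "DESCRIPTION:A charge of $599.00 to PayPal was made from your account.\r\n"
        " If you did not authorize this call +1 (800) 555-0199 immediately.\r\n"
        "END:VEVENT\r\nEND:VCALENDAR\r\n"
    ),
}

# Content indicators typical of callback-style scams (constructed lists).
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
MONEY = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")
URGENCY = re.compile(r"\b(call|immediately|urgent|unauthori[sz]ed|suspend)\b", re.I)
BRANDS = re.compile(r"\b(paypal|amazon|microsoft|apple support|norton|geek squad)\b", re.I)


def unfold_ics(text: str) -> dict:
    """Unfold RFC 5545 continuation lines and map property name -> value."""
    unfolded = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += line[1:]      # folded line continues the previous one
        elif line:
            unfolded.append(line)
    props = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        props[name.split(";")[0].upper()] = value   # drop parameters like ;CN=
    return props


def score_invite(msg: dict) -> dict:
    """Score the invite body; passing sender authentication does not lower it."""
    props = unfold_ics(msg["ics"])
    text = " ".join(props.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "ORGANIZER"))
    hits = {
        "phone_number": bool(PHONE.search(text)),
        "money_amount": bool(MONEY.search(text)),
        "urgency_language": bool(URGENCY.search(text)),
        "brand_impersonation": bool(BRANDS.search(text)),
    }
    score = sum(hits.values())
    return {"hits": hits, "score": score, "quarantine": score >= 3,
            "auth_passed": "spf=pass" in msg["auth_results"]}
```

The point of `auth_passed` sitting beside `quarantine` is that the sample is both authenticated and flagged; a rule that skips content checks for authenticated senders would have let it through.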
[04:10–07:30]
Incident Background:
The DoD, like many agencies, livestreams events on platforms like YouTube and X. If streaming credentials (“stream keys”) are leaked, anyone can hijack the stream, potentially broadcasting fake or malicious content.
Real-World Lapses:
Deepfake & Misinformation Risks:
Cultural Security Issues:
Repeated lapses suggest organizational security culture problems (“If you’re sloppy in one area, you’re probably sloppy in other areas”).
Quote:
“It's like handing strangers the keys to your official megaphone.”
— Jim Love [05:10]
Advice:
“Stream keys need to be treated like passwords. Rotate them, store them securely, lock them down with the same care as any sensitive system.”
— Jim Love [06:45]
[07:35–10:05]
Active Attacks on Android:
Google confirms attacks exploiting two zero-day vulnerabilities:
Patch Disparity:
Business Ramifications:
Companies with BYOD (Bring Your Own Device) policies risk having vulnerable, unpatchable devices on their networks.
Analogy:
“You wouldn’t let someone connect an unpatched Windows laptop to your system, so why would you allow an unpatched phone?”
— Jim Love [09:40]
Advice:
[10:10–13:00]
Bounty Announcement:
Effectiveness & Symbolism:
Likelihood of capturing sophisticated FSB officers is low, as they operate from protected jurisdictions.
But large bounties foster distrust within hacker circles, encouraging betrayal.
Quote:
“Dangling millions of dollars introduces a different kind of risk. Sowing distrust inside hacker organizations and between individuals is a new tactic for law enforcement, but one that’s working.”
— Jim Love [11:40]
Message:
“You can hide behind borders, but a price on your head will follow you forever. Not a bad message to send, actually.”
— Jim Love [12:55]
Callback:
On new phishing risks:
“We’ve all been trained and we’ve trained our staff to check that stuff comes from a legitimate email address. But that might not be good enough anymore.”
— Jim Love [02:50]
On stream key management:
“Stream keys need to be treated like passwords. Rotate them, store them securely, lock them down with the same care as any sensitive system.”
— Jim Love [06:45]
On Android device security:
“If more than a billion phones are unpatched, and a large number of those might be unpatchable, organizations may need to set minimum standards for any phone that connects to your corporate networks, if you haven’t done that already.”
— Jim Love [09:10]
On the US bounty tactic:
“It might not stop an operation entirely, but it can slow them down... While the odds of an arrest are slim, the message is strong.”
— Jim Love [12:30]
| Segment | Topic | Timestamp |
|--------------------------------------|----------------------------------------|---------------|
| Phishing via iCloud Calendar Invites | New trend, bypassing traditional filters | 00:10–04:00 |
| DoD Livestream Credentials Exposed | Dangers of poor credential management | 04:10–07:30 |
| Android Zero-Day Vulnerabilities | Massive risk for business and users | 07:35–10:05 |
| US Bounty on FSB Hackers | Tactics, symbolism, and deterrence | 10:10–13:00 |
This episode is a must-listen for anyone charged with protecting business or personal information, focusing on both evolving technical tactics and the essential role of organizational security culture.