Weekly Security News – 7th April 2025

Apple fixes issues for iOS and macOS devices, Royal Mail investigates data leak, Oracle privately confirms Cloud breach…

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Google Patches Quick Share Vulnerability Enabling Silent File Transfers Without Consent

Cybersecurity researchers have disclosed details of a new vulnerability impacting Google’s Quick Share data transfer utility for Windows that could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target’s device without their approval.

The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the 10 shortcomings that were originally disclosed by SafeBreach Labs in August 2024 under the name QuickShell. It has been addressed in Quick Share for Windows version 1.0.2002.2 following responsible disclosure in August 2024. A consequence of these 10 vulnerabilities, collectively tracked as CVE-2024-38271 (CVSS score: 5.9) and CVE-2024-38272 (CVSS score: 7.1), was that they could have been fashioned into an exploit chain to obtain arbitrary code execution on Windows hosts. Quick Share (previously Nearby Share) is a peer-to-peer file-sharing utility like Apple AirDrop that allows users to transfer files, photos, videos, and other documents between Android devices, Chromebooks, and Windows desktops and laptops in close physical proximity.

A follow-up analysis by the cybersecurity company found that two of the vulnerabilities were not fixed correctly, so the application could once again be crashed, or the requirement for a recipient to accept a file transfer request could be bypassed by transmitting a file directly to the device. Specifically, the DoS bug could still be triggered with a file name that begins with a different invalid UTF-8 sequence (e.g., “\xc5\xff”, a lead byte followed by an invalid continuation byte) instead of a file name that begins with a NULL byte (“\x00”), which is what the original fix had addressed. The initial fix for the unauthorized file write vulnerability, meanwhile, marked such transferred files as “unknown” and deleted them from the disk after the file transfer session was complete, rather than rejecting the write up front.
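The incomplete fix above is a familiar failure mode: the patch blocked the exact byte sequence in the report rather than validating the property the receiver depends on. The following is an added illustration of that gap, written for this page; it is not Quick Share’s code (which the article does not show), and the file names in SAMPLES are constructed. It contrasts a check that only rejects a leading NUL with one that requires the whole name to decode as strict UTF-8 and to contain no control characters or path separators.

```python
# Added illustration (not Quick Share's own code, which is not on this page):
# a fix that blocks only the reported trigger versus one that validates the
# property the receiver actually relies on. Both take the file name as the raw
# bytes received over the wire.


def naive_is_safe_name(name: bytes) -> bool:
    """Rejects only a name that starts with a NUL byte, the trigger from the
    original QuickShell report. Every other malformed name is accepted."""
    return not name.startswith(b"\x00")


def strict_is_safe_name(name: bytes) -> bool:
    """Requires well-formed UTF-8 and no control characters or path parts.
    Python's strict decoder rejects bad continuation bytes (e.g. b"\\xc5\\xff"),
    overlong encodings and encoded surrogates, so variants of the trigger fail
    here instead of reaching the file-write path."""
    try:
        text = name.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    if not text or text in (".", ".."):
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):  # NUL and other controls
        return False
    if any(sep in text for sep in ("/", "\\", ":")):  # no directories, drives or ADS
        return False
    return True


# Constructed inputs mirroring the two triggers described in the article.
SAMPLES = {
    "nul_prefix": b"\x00report.pdf",                 # original DoS trigger
    "bad_continuation": b"\xc5\xff.pdf",             # the bypass: 0xC5 opens a 2-byte sequence, 0xFF cannot close it
    "overlong_slash": b"\xc0\xafetc\xc0\xafpasswd",  # overlong '/' (also invalid UTF-8)
    "traversal": b"..\\..\\Users\\Public\\x.exe",
    "ok_ascii": b"report.pdf",
    "ok_unicode": "résumé.pdf".encode("utf-8"),
}


def compare_checks(samples=SAMPLES) -> dict:
    """Return {label: (naive_verdict, strict_verdict)} so the gap is visible."""
    return {k: (naive_is_safe_name(v), strict_is_safe_name(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for label, (naive, strict) in compare_checks().items():
        print(f"{label:17} naive={'accept' if naive else 'reject'}  strict={'accept' if strict else 'reject'}")
```

Running it shows the naive check accepting “\xc5\xff.pdf”, the overlong slash and the traversal name while the strict check rejects all three; the lesson is to fix the class (malformed or unsafe names) rather than the one sample in the report.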

Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices

Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems.

The vulnerabilities in question are listed below:

  • CVE-2025-24085 (CVSS score: 7.3) – A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges.
  • CVE-2025-24200 (CVSS score: 4.6) – An authorization issue in the Accessibility component that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber-physical attack.
  • CVE-2025-24201 (CVSS score: 8.8) – An out-of-bounds write issue in the WebKit component that could allow an attacker to craft malicious web content such that it can break out of the Web Content sandbox.

The updates are now available for the following operating system versions –

  • CVE-2025-24085 – Fixed in macOS Sonoma 14.7.5, macOS Ventura 13.7.5, and iPadOS 17.7.6
  • CVE-2025-24200 – Fixed in iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, and iPadOS 16.7.11
  • CVE-2025-24201 – Fixed in iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, and iPadOS 16.7.11

Cyber Attacks

Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign

Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals. “This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation,” threat intelligence firm GreyNoise said.

The surge is said to have commenced on March 17, 2025, sustaining at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 IP addresses has been flagged as malicious. The United States and Canada have emerged as the top sources of traffic, followed by Finland, the Netherlands, and Russia. The activity has primarily targeted systems in the United States, the United Kingdom, Ireland, Russia, and Singapore.

It’s currently not clear what’s driving the activity, but it points to a systematic approach to testing network defences that could pave the way for later exploitation. “Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” Bob Rudis, VP of Data Science at GreyNoise, said. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.” Given the unusual activity, organisations with internet-facing Palo Alto Networks instances should take steps to secure their login portals. GreyNoise has since revealed that it has observed a significant spike in activity targeting multiple technologies, including edge devices, from F5, Ivanti, Linksys, SonicWall, Zoho ManageEngine, and Zyxel starting March 28, 2025.
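The signature GreyNoise describes is a burst of distinct source addresses, each making a handful of login attempts, rather than one address hammering the portal. The following is an added example (not GreyNoise’s or Palo Alto Networks’ code) of turning that observation into a local check: count distinct source IPs per day against the GlobalProtect portal login page and flag a day that is far above the surrounding baseline. The log format is constructed and simplified for the example; real PAN-OS logs differ. Only the portal path, /global-protect/login.esp, is the real one.

```python
import re
from collections import defaultdict
from statistics import median

# Added example (not GreyNoise's or Palo Alto Networks' code): count distinct
# source IPs hitting a GlobalProtect portal login page per day and flag a surge.
# The log format is constructed and simplified, "<date> <src_ip> <method> <path>
# <status>"; real PAN-OS logs differ. Only the portal path is the real one.

PORTAL_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) \S+ /global-protect/login\.esp\b")


def unique_portal_ips_per_day(lines):
    """Map each day to the set of distinct source IPs that touched the portal."""
    per_day = defaultdict(set)
    for line in lines:
        m = PORTAL_RE.match(line)
        if m:
            per_day[m.group(1)].add(m.group(2))
    return per_day


def flag_surges(per_day, factor=5.0, min_ips=50):
    """Flag a day when its unique-IP count exceeds `factor` times the median of
    the other days and an absolute floor, so a quiet portal going from 2 to 10
    distinct IPs does not page anyone."""
    days = sorted(per_day)
    flagged = []
    for d in days:
        others = [len(per_day[o]) for o in days if o != d]
        baseline = median(others) if others else 0
        n = len(per_day[d])
        if n >= min_ips and n > factor * max(baseline, 1):
            flagged.append(d)
    return flagged


def build_sample_log():
    """Constructed log: two quiet days, then a day with 300 distinct sources."""
    lines = [
        "2025-03-15 203.0.113.10 GET /global-protect/login.esp 200",
        "2025-03-15 203.0.113.11 POST /global-protect/login.esp 401",
        "2025-03-16 203.0.113.10 POST /global-protect/login.esp 401",
        "2025-03-16 198.51.100.7 GET /global-protect/login.esp 200",
        "2025-03-16 198.51.100.7 GET /index.html 200",  # not the portal, ignored
    ]
    for i in range(300):  # 300 distinct addresses, one login attempt each
        lines.append(f"2025-03-17 198.51.{100 + i // 256}.{i % 256} POST /global-protect/login.esp 401")
    return lines


if __name__ == "__main__":
    per_day = unique_portal_ips_per_day(build_sample_log())
    for d in sorted(per_day):
        print(d, len(per_day[d]), "unique IPs")
    print("surge days:", flag_surges(per_day))
```

The thresholds are deliberately conservative and should be tuned to your own portal’s baseline; the point is that the count of distinct sources, not the request volume from any one of them, is what separates a distributed scan like this one from an ordinary brute-force attempt.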

Royal Mail investigates data leak claims, no impact on operations

Royal Mail is investigating claims of a security breach after a threat actor leaked over 144GB of data allegedly stolen from the company’s systems.

When asked to confirm the authenticity of the leaked data, a Royal Mail spokesperson said that the British postal service is aware of an incident at Spectos GmbH, a third-party data collection and analytics service provider. “We are aware of an incident which is alleged to have affected Spectos, a supplier of Royal Mail. We are working with the company to investigate the issue and establish what impact there may be regarding their data,” the spokesperson said. “We can confirm there has been no impact on Royal Mail operations and services continue to function as normal.” Spectos also confirmed in a statement that its systems were breached on March 29 and that the attackers gained access to customer data. “Spectos GmbH has been the target of an ongoing cyber-attack since March 29, 2025. According to the status, unauthorized access to systems and personal customer data has occurred. The exact scope of the incident is currently the subject of intensive forensic investigations,” a spokesperson said.

The threat actor behind this leak (who uses the “GHNA” handle on BreachForums) released 16,549 files allegedly containing Royal Mail customers’ personally identifiable information (including names, addresses, planned delivery dates, and more) and other confidential documents. GHNA says the leaked documents also include Mailchimp mailing lists, datasets containing delivery/post office locations, the WordPress SQL database for mailagents.uk, internal Zoom meeting video recordings between Spectos and the Royal Mail Group, and more. While Royal Mail and Spectos have yet to share more information on the breach, cybersecurity company Hudson Rock says the attackers gained access to Royal Mail systems using the credentials of a Spectos employee that were compromised in a 2021 infostealer malware incident.

In Other News…

Google Brings End-to-End Encrypted Emails to All Enterprise Gmail Users

Google on Tuesday announced that enterprise users can now send end-to-end encrypted (E2EE) email messages to Gmail inboxes within their organisation.

Currently rolling out in beta, the capability will soon allow enterprise users to send E2EE emails to any Gmail inbox, and then to any inbox, by the end of the year. The improved security measure, the internet giant explains, is an alternative to the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, which requires the acquisition, management, and per-user deployment of certificates to use. “And end users have to figure out whether they and the recipient have S/MIME configured (few do) and then go through the hassle of exchanging certificates before the encrypted emails can be exchanged,” Google notes.

While other alternatives to S/MIME exist, they also require the sharing of encryption keys or complex resources, impacting the user experience and adding burden to the IT staff. Google says its approach significantly simplifies things by allowing the use of E2EE for any message, regardless of its recipient, using encryption keys controlled by the organisation, without the need for additional resource investment such as S/MIME setup or certificate management. Messages sent to Gmail inboxes are automatically decrypted and made available to the recipients. If sent to a different email service, the recipient will receive an invitation to view the message in a restricted version of Gmail and will be offered the option to use a guest Google Workspace account to interact with it. If the recipient’s email service has S/MIME configured, Gmail will deliver the E2EE message using that protocol instead. On Tuesday, Google also announced the general availability of several security features in Gmail, including a client-side encryption (CSE) default mode, data loss prevention (DLP), message classification labels, and a new threat protection AI model.

Oracle privately confirms Cloud breach to customers

Oracle has finally acknowledged to some customers that attackers have stolen old client credentials after breaching a “legacy environment” last used in 2017, Bloomberg reported. However, while Oracle told clients this is old legacy data that is not sensitive, the threat actor behind the attack has shared data with BleepingComputer from the end of 2024 and posted newer records from 2025 on a hacking forum. According to Bloomberg, the company also informed clients that cybersecurity firm CrowdStrike and the FBI are investigating the incident.

Cybersecurity firm CybelAngel first revealed that Oracle told clients that an attacker who gained access to the company’s Gen 1 (also known as Oracle Cloud Classic) servers as early as January 2025 used a 2020 Java exploit to deploy a web shell and additional malware. During the breach, detected in late February, the attacker allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames. This comes after a threat actor (known as rose87168) put 6 million data records up for sale on BreachForums on March 20 and released multiple text files containing a sample database, LDAP information, and a list of the affected companies as proof that the data was legitimate, all of it allegedly stolen from Oracle Cloud’s federated SSO login servers.

When asked to confirm the authenticity of the leaked data, Oracle told BleepingComputer that “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data”. Oracle denied this even after an archived URL showed that the threat actor uploaded a file containing their email address to one of Oracle’s servers. This URL was subsequently removed from Archive.org, but an archive of the archive still exists. However, days later, BleepingComputer confirmed with multiple companies that additional samples of the leaked data (including associated LDAP display names, email addresses, given names, and other identifying information) received from the threat actor were valid.