Google has announced it will delete Location History (Timeline) data and store new data locally, starting December 2024.

Google announced that it will reduce the amount of personal data it is storing by automatically deleting old data from “Timeline”—the feature that, previously named “Location History,” tracks user routes and trips based on a phone’s location, allowing people to revisit all the places they’ve been in the past.

In an email, Google told users that they will have until December 1, 2024 to save all travels to their mobile devices before the company starts deleting old data. If you use this feature, that means you have about five months before losing your location history.

Moving forward, Google will link the Location information to the devices you use, rather than to the user account(s). And, instead of backing up your data to the cloud, Google will soon start to store it locally on the device.

As I pointed out years ago, Location History allowed me to “spy” on my wife’s whereabouts without having to install anything on her phone. After some digging, I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store on her phone. The extra account this created on her phone was not removed when I logged out after noticing the tracking issue.

That issue should be solved by implementing this new policy. (Let’s remember, though, that this is an issue that Google formerly considered a feature rather than a problem.)

Once effective, unless you take action and enable the new Timeline settings by December 1, Google will attempt to move the past 90 days of your travel history to the first device you sign in to your Google account on. If you want to keep using Timeline:

*   Open Google Maps on your device.
*   Tap your profile picture (or initial) in the upper right corner.
*   Choose Your Timeline.
*   Select whether to keep you want to keep your location data until you manually delete it or have Google auto-delete it after 3, 18, or 36 months.

In April of 2023, Google Play launched a series of initiatives that gives users control over the way that separate, third-party apps stored data about them. This was seemingly done because Google wanted to increase transparency and control mechanisms for people to control how apps would collect and use their data.

With the latest announcement, it appears that Google is finally tackling its own apps.

Only recently, Google agreed to purge billions of records containing personal information collected from more than 136 million people in the US surfing the internet using its Chrome web browser. But this was part of a settlement in a lawsuit accusing the search giant of illegal surveillance.

It’s nice to see the needle move in the good direction for a change. As Bruce Schneier pointed out in his article Online Privacy and Overfishing:

> “Each successive generation of the public is accustomed to the privacy status quo of their youth. What seems normal to us in the security community is whatever was commonplace at the beginning of our careers.”

This has led us all to a world where we don’t even have the expectation of privacy anymore when it comes to what we do online or when using modern technology in general.

If you want to take firmer control over how your location is tracked and shared, we recommend reading How to turn off location tracking on Android.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Google will start deleting location history 

Cybersecurity researchers have disclosed that the LightSpy spyware allegedly targeting Apple iOS users is in fact a previously undocumented macOS variant of the implant.
The findings come from both Huntress Labs and ThreatFabric, which separately analyzed the artifacts associated with the cross-platform malware framework that likely possesses capabilities to infect Android, iOS, Windows, macOS,

LightSpy Spyware's macOS Variant Found with Advanced Surveillance Capabilities

Google is urging third-party Android app developers to incorporate generative artificial intelligence (GenAI) features in a responsible manner.
The new guidance from the search and advertising giant is an effort to combat problematic content, including sexual content and hate speech, created through such tools.
To that end, apps that generate content using AI must ensure they don't create

The AI Debate: Google's Guidelines, Meta's GDPR Dispute, Microsoft's Recall Backlash

Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used…

Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used DLL sideloading and VMware exploits to steal sensitive military, economic, and South China Sea data. Discover how Southeast Asia can defend against future cyberattacks.

Cybersecurity firm Sophos has shared details of a large-scale espionage campaign dubbed “Crimson Palace.” This Chinese state-sponsored effort targeted a government agency in Southeast Asia for nearly two years, through tactics like DLL sideloading and VMware exploitation.

As per Sophos MDR’s human-led threat-hunting service, multiple Chinese state-sponsored actors have been active since early 2022, and despite a few weeks of dormancy, intrusion activity continues targeting the organization, which Sophos categorizes as “mixed estate.”

Sophos initially discovered activity in March 2022 with the detection of NUPAKAGE malware, attributed to Earth Preta and again in December 2022, intrusion activity was discovered using DLL-stitching to deploy malicious backdoors on domain controllers.

During the investigation, Sophos researchers found three distinct clusters of activity named Cluster Alpha, Cluster Bravo, and Cluster Charlie, targeting the same organization. These clusters overlap with multiple Chinese nation-state groups, including Worok, the APT41 subgroup Earth Longzhi, BackdoorDiplomacy, REF5961, TA428 and a relatively new threat group, Unfading Sea Haze that was reported in May 2024 to be carrying out extensive cyberattacks against military targets in the South China Sea.

Cluster Alpha focused on sideloading malware and establishing persistent C2 channels, while Cluster Bravo focused on using valid accounts to spread laterally. Cluster Charlie prioritized access management and aimed to exfiltrate sensitive information for espionage purposes.

These clusters used a mix of custom malware and publicly available tools to gather sensitive political, economic, and military information. These include CCoreDoor, PocoProxy, an updated variant of Cobalt Strike, PowHeartBeat backdoor, EAGERBEE malware, NUPAKAGE, Merlin C2 Agent, PhantomNet backdoor, RUDEBIRD malware, and an LSASS logon credential interceptor.

> _“Sophos MDR has observed the actors attempting to collect documents with file names that indicate they are of intelligence value, including military documents related to strategies in the South China Sea.”_
> 
> Sophos

Sophos believes the campaign’s primary aim is to maintain cyberespionage access for safeguarding Chinese state interests, including accessing critical IT systems, performing reconnaissance, collecting sensitive information, and deploying malware implants for command-and-control communications.

The campaign as per Sophos’ blog post, also included over 15 distinct DLL sideloading scenarios, most of which abused Windows Services, legitimate Microsoft binaries, and AV vendor software.

****Threat Actors Collaborating Worldwide****

This marks the first instance where Chinese threat groups are actively collaborating to target an entity, each with its own working hours and scheduling activities, directed by a central authority.

Last month, cybersecurity researchers at Check Point reported that several Iranian state-sponsored hacker groups are teaming up for large-scale attacks. Similarly, a report from Flashpoint last month highlighted that Russian state-sponsored hacker groups are changing tactics. They are now partnering up and increasingly relying on malicious paid tools instead of the custom-made tools they previously used.

1.  China-Linked Spyware Found in Play Store Apps, 2m Downloads
2.  China’s insidious surveillance against Uyghurs with Android malware
3.  Muddling Meerkat Suspected of Espionage via Great Firewall of China
4.  Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage
5.  Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

Crimson Palace: Chinese Hackers Steal Military Secrets Over 2 Years

A husband, now indicted, allegedly used seven Apple AirTags to stalk his ex-wife over a period of several weeks. His trial begins this month.

Following their divorce, a husband carried out a campaign of stalking and abuse against his ex-wife—referred to only as “S.K.”—by allegedly hiding seven separate Apple AirTags on or near her car, according to documents filed by US prosecutors for the Eastern District of Pennsylvania.

The documents, unearthed by 404 Media in collaboration with Court Watch, reveal how everyday consumer tools, like Bluetooth trackers, are sometimes leveraged for abuse against spouses and romantic partners.

 “The Defendant continued to adapt and use increasingly sophisticated efforts to hide the AirTags he placed on S.K.’s car,” US attorneys said. “It is clear from the timing of the placement of the AirTags and corroborating cell-site data, that he was monitoring S.K.’s movements.”

On May 8, the US government filed an indictment against the defendant, Ibodullo Muhiddinov Numanovich, with one alleged count of stalking against his ex-wife, S.K.

The stalking at the center of the government’s indictment allegedly began around March 27, when the FBI first learned about S.K. finding and removing an AirTag from her car. Less than a month later, on April 18, the FBI found a second AirTag that “was taped underneath the front bumper of S.K.’s vehicle with white duct tape.”

The very next day, the FBI found a third AirTag. This time, it was “wrapped in a blue medical mask and secured under the vehicle near the rear passenger side wheel well.”

This pattern of finding an AirTag, removing it, and then finding another was punctuated by physical and verbal intimidation, the government wrote. After a fourth AirTag was removed, the government said that Numanovich called S.K., followed her to a car wash, and “banged on her windows, and demanded to know why S.K. was not answering his calls.” Less than one week later, during a period of just 10 minutes, the government said that Numanovich left five threatening voice mails on S.K.’s phone, calling her “disgusting” and “worse than an animal.”

During the investigation, the FBI retrieved seven AirTags in total. Here is where those AirTags were found:

1.  Found by S.K. with no detail on specific location
2.  Duct-taped underneath the front bumper of S.K.’s car
3.  Underneath S.K.’s car, near the passenger-side wheel well, wrapped in a blue medical mask
4.  Within the frame of SK’s driver-side mirror, wedged between the mirror itself and the casing around it
5.  “An opening within the vehicle’s frame” which, documents say, was previously sealed by a rubber plug that was removed
6.  Underneath the license plate on S.K.’s car
7.  Undisclosed

For two of the retrieved AirTags, the FBI deactivated the trackers and then, away from S.K., placed the AirTags at separate locations. At an undisclosed location in Philadelphia where the FBI placed one AirTag, FBI agents later saw Numanovich “exit his vehicle with his phone in his hand, and begin searching for the AirTag.” At a convenience store where the FBI placed a second AirTag, agents said they again saw Numanovich.

The FBI also received information about attempted pairings and successful unpairings with Numanovich’s Apple account for three of the Apple AirTags.

In addition to the alleged pattern of stalking, the government also accused Numanovich of abusing SK both physically and emotionally, threatening her in person and over the phone, and recording sexually explicit videos of her to use as extortion. After a search warrant was authorized on May 13, agents found “approximately 140 sexually explicit photographs and videos of S.K.” stored on Numanovich’s phone, along with records for “numerous” financial accounts that transferred more than $4 million between 2022 and 2023.

In a follow-on request from the government to detain Numanovich before his trial begins, prosecutors also revealed that S.K. may have been brought into the US through a “Russian-based human smuggling network”—a network of which Numanovich might be a member.

According to 404 Media, a jury trial for Numanovich is scheduled to start on June 8.

**Improving AirTag safety**

Just last month, Apple and Google announced an industry specification for Bluetooth tracking devices such as AirTags to help alert users to unwanted tracking. The specification will make it possible to alert users across both iOS and Android if a device is unknowingly being used to track them. We applaud this development.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Husband stalked ex-wife with seven AirTags, indictment says 

TikTok accounts are being hacked! Celebrities and brands targeted in zero-click attack. Learn more about this major security…

TikTok accounts are being hacked! Celebrities and brands targeted in zero-click attack. Learn more about this major security breach in which accounts have been compromised.

Social media, online shopping and video giant TikTok has experienced a cyberattack in which attackers managed to compromise celebrity and brand accounts, including hotel heiress Paris Hilton, Sony, and CNN. 

While specific details about the nature of the attack are scarce at the moment, VXUnderground explained in its post on X (formerly Twitter) that an unknown threat actor discovered an exploit in TikTok that allows users to hijack accounts. The payload is delivered through TikTok direct messages and executed when read, without requiring external files or user response. 

The number of affected accounts is currently unclear but according to the latest update from TikTok, only two accounts have been compromised, one being CNN’s. 

The attack was first reported by Semafor and Forbes, according to which TikTok was targeted in a zero-click account takeover campaign that allows malware to compromise brand and celebrity accounts without direct interaction. Both the outlets confirmed that CNN temporarily removed its account after being hacked.  

A search for CNN returns no results for the US-based English language account

According to TikTok’s spokesperson, Alex Haurek, the number of compromised accounts is “very small,” but refused to explain how TikTok is protecting other exposed accounts.

“We are dedicated to maintaining the integrity of the platform and will continue to monitor for any further inauthentic activity,” Haurek said, specifically referring to CNN’s account compromise. TikTok is working with the news outlet to restore account access and implement enhanced security measures to safeguard their TikTok account.

TikTok’s privacy and security team spokesperson, Jason Grosse, stated that the company is still investigating the attack and cannot comment on its scale or sophistication, but mentioned that the threat is a “potential exploit.”

For your information, Hilton’s staff and sources at TikTok have confirmed that her account was targeted but not compromised.

Hanna Basha, Partner at Payne Hicks Beach, one of the oldest and known law firms in the United Kingdom, commented on the incident highlighting the threat luring behind data sharing on social media.

_“_TikTok is the latest of many companies to be subject to a cyberattack highlighting that it is now almost impossible to avoid these sorts of attacks and therefore incredibly important that individuals consider carefully what they are sharing on social media platforms,_“_ warned Hanna.

_“_Individuals sharing private messages have legal rights in privacy, confidence and data to keep these messages private and prevent them from being published. However, the practical advice must be to try to limit what you do share, even in direct messages, and before sending consider whether it could be damaging or embarrassing if published,” Hanna emphasised.

ByteDance-owned TikTok, with over one billion users globally, has reportedly taken measures to prevent future attacks and is working with affected account owners to restore access if needed.

TikTok has long been criticized for its security practices, particularly when in January 2021 Check Point Research identified a flaw that could have allowed attackers to build a database of TikTok users and in September 2022, Microsoft discovered a one-click exploit affecting the Android app, allowing attackers to take over accounts. It is about time the company strengthens its cybersecurity mechanisms to prevent similar incidents.

1.  TikTok vulnerability allowed hackers to send SMS with malware
2.  TikTok Invisible Body Challenge Trend Abused to Drop Malware
3.  TikTokers promoted adware, earned half a million dollars in profit
4.  TikTok collected MAC addresses for Android against Google’s ToS
5.  New smishing scam spreads fake TikTok App loaded with malware

Few But High-Profile TikTok Accounts Hacked Via Zero-Click Attack in DM

Announcing the latest version of Malwarebytes, which brings a faster, responsive, and consistent user interface, integrated security and privacy, and expert guidance to keep you secure.

Announcing the latest version of Malwarebytes, which brings a faster, responsive, and consistent user interface, integrated security and privacy, and expert guidance to keep you secure.

Here’s what you can expect:

****1\. Unified user experience across platforms** **

The new generation of Malwarebytes now delivers a consistent user experience across all our desktop and mobile platforms. The reimagined user interface is faster, more responsive, and managed through an intuitive dashboard, giving you a streamlined experience wherever you use Malwarebytes. 

**Why?** Sophisticated hacking tactics and various entry points mean you can’t afford to have blind spots in your protection. A seamless experience across all platforms and devices means you don’t have to figure out more than once about what to do next. We’ve also made it easier to find everything, encouraging you to keep your guard up on all your devices. 

****2\. Premium Security and Privacy VPN integration** **

We’ve merged our award-winning Premium Security and ultra fast no-log Privacy VPN into a single dashboard, making it much easier for you to take control of your privacy. With just one click, you can now protect your Wi-Fi or hotspot connections and change your location to visit the site you want at the speed you need. Don’t forget to also use Browser Guard on your desktop to block ad trackers and scam sites from your browser.  

**Why?** We know that the distinction between security and privacy is not clear-cut, and you need both products to work together to minimize your exposure (risk of threats and lack of privacy). Integrating the two makes it much easier to protect both your devices and data (at home and on the go), with an easy set-and-forget experience that doesn’t require adding another program.  You shouldn’t have to guess whether the next attack will compromise your Wi-Fi connection, browser, or files through phishing emails, spyware, or malware. Let the technology do this for you.  

****3\. Trusted Advisor, your security coach**  **

On the Malwarebytes dashboard, Trusted Advisor provides unbiased expert guidance at your fingertips. Your easy-to-understand individual Protection Score enables you to act on any potential security gaps, unlocking the full power of technology.

**Why?** In our recent report, “Everyone’s afraid of the internet, and no one’s sure what to do about it,” we found that only half of the people surveyed felt confident they knew how to stay safe online, and even fewer said they were taking the right measures to protect themselves. Trusted Advisor empowers you with real-time insights, an easy-to-read protection score, and expert guidance that puts you in control of your security and privacy.  We’re by your side guiding you through what to do next to fill your security gaps for each device and platform (Windows, Mac, Android, and iOS).

**Want to try?** You can! With our 14-day free trial.  

Already a customer but not yet seeing it? Log into MyAccount or download the latest build for Windows | Mac | iOS | Android.  

**Software Requirements:** 

*   Windows 7 (or higher) 
*   macOS 11 BigSur (or higher)
*   iOS 16 (or higher) 
*   Android 9 (or higher)

 Say hello to the fifth generation of Malwarebytes 

A list of topics we covered in the week of May 27 to June 2 of 2024

June 1, 2024 - Live Nation has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach.

May 31, 2024 - This post will help users find out if their Windows device has been added to the 911 S5 botnet by a malicious VPN application

May 30, 2024 - Scammers and other cybercriminals love to use our name to defraud their victims. Here's what to look out for.

May 30, 2024 - A database has been put up for sale that allegedly contains the data of 560 million Ticketmaster users. But is it real?

May 29, 2024 - This post explains how to disable various location services on Android devices.

 A week in security (May 27 &#8211; June 2) 

Drivers from New York to Georgia and Pennsylvania have received these types of texts with equally convincing phishing text messages and lure pages.

Thursday, May 30, 2024 14:00

My wife (no stranger to weird types of scams) recently received a fake text message from someone claiming to be New Jersey’s E-ZPass program saying that she had an outstanding balance from highway tolls that she owed, prompting her to visit a site so she could pay and avoid additional fines. 

There was plenty of reason to believe this was a legitimate ask. Her family is from New Jersey, so we make frequent trips there, paying $20-plus in tolls along the way. We had also just completed a trip from there a few weeks prior (though I’m not sure if this was a coincidence to the timing of the spam text or not), and we both have E-ZPass accounts. 

For the uninitiated, or anyone who lives in a country where taxes are paid as normal and therefore pay for appropriate road repairs, E-ZPass is a small device drivers in more than a dozen countries in the U.S. can register for so they can automatically pay tolls along highways rather than having to stop and use cash or coins, or spending a few extra minutes manually processing a transaction.  

Each state or city has its own agencies that deal with E-ZPass, each with its own payment processing system and website. For this case with New Jersey, the phishing site the scammers set up was shockingly convincing and looked remarkably similar to the legitimate New Jersey E-ZPass website.  

The phishing website set up by scammers (left) meant to look like the legitimate New Jersey E-ZPass website (right).

Once we logged into our legitimate E-ZPass account to check to make sure we had, in fact, paid all the appropriate tolls, I alerted my team about this scam, and we appropriately blocked the phishing URL in question in Cisco Secure products.  

Since this victory and foray into threat hunting, I have learned that this is a problem everywhere, not just for New Jersey drivers. 

Since this experience, E-ZPass has sent out an alert in all the states they operate in warning about these types of scams. Drivers from New York to Georgia and Pennsylvania have received these types of texts with equally convincing phishing text messages and lure pages.  

It’s unclear what the adversaries’ goals are in this case, but it’s probably safe to assume they’re looking to collect users’ credit card information after they go in to pay the alleged overdue toll. They could also be collecting E-ZPass login information to collect further data about the drivers. 

In April, the FBI also warned of SMS phishing scams, in which adversaries pretended to be toll collection services from three different U.S. states. SunPass, the equivalent to E-ZPass in Florida, also alerted about similar scams around the same time as these E-ZPass scams started being reported. And in March, the FasTrak service in California warned of the same problems.  

My hunch is that these types of services are being impersonated all over the U.S. for several reasons — thousands of drivers use these services (especially in states with a high commuter population), which makes it likely that whoever receives the text will be familiar with these devices and will have recently driven on a highway that makes drivers pay tolls. The amounts they’re asking for are also small, no more than $5 USD, so it doesn’t set off any immediate alarm bells, unlike similar scams that ask for hundreds of dollars for health care services. The requests coming through as SMS messages also make the targets more likely to open them on their mobile devices, which may not have the same security in place as a laptop or managed company device. 

No individual state or local agency is immune from this style of scam, so if you’re ever in doubt of receiving a text like this, it’s best to call your area government program in question and ask them about any suspicious activity before clicking on any links or submitting payment information. 

**The one big thing **

Cisco Talos’ Vulnerability Research team has helped to disclose and patch more than 20 vulnerabilities over the past three weeks, including two in the popular Adobe Acrobat Reader software. Acrobat, one of the most popular PDF readers currently available, contains two out-of-bounds read vulnerabilities that could lead to the exposure of sensitive contents of arbitrary memory in the application. There are also eight vulnerabilities in a popular line of PLC CPU modules commonly used in automated environments. We have more detailed information in our full Vulnerability Roundup from this week. 

**Why do I care? **

Several vulnerabilities were identified in the AutomationDirect P3 line of CPU modules. The P3-550E is the most recent CPU module released in the Productivity3000 line of Programmable Automation Controllers from AutomationDirect. The device communicates remotely via ethernet, serial and USB and exposes a variety of control services, including MQTT, Modbus, ENIP and the engineering workstation protocol DirectNET. Four of the vulnerabilities found in these PLC CPU modules received a CVSS security score of 9.8 out of 10, making them particularly notable. TALOS-2024-1942 (CVE-2024-21785) is a leftover debug code vulnerability that allow an adversary who can communicate to the device over ModbusRTU to enable the device’s diagnostic interface without any other knowledge of the target device. There is also TALOS-2024-1943 (CVE-2024-23601) which can lead to remote code execution if the attacker sends a specially crafted file to the targeted device and TALOS-2024-1939 (CVE-2024-24963 and CVE-2024-24962) which are stack-based buffer overflows that can also lead to remote code execution if the attacker sends a specially formatted packet to the device. 

**So now what? **

Each of the vendors mentioned in this week’s Vulnerability Roundup have released patches for affected products, and users should download these patches as soon as possible. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Top security headlines of the week **

**Security researchers are warning about the dangers of a new AI “Recall” feature for Microsoft Windows 11.** Microsoft recently announced a new update, that will allow a computer to remember past actions taken by the user and then use a simple search to query that information (ex., “Where did I store that document again?”). However, because Recall essentially takes individual snapshots of a machine and stores them locally, there are several security concerns. If an adversary were to infect a targeted machine with information-stealing malware, they could steal important databases stored locally and anything stored by Windows Recall. Recall also contains what are essentially keylogging functions, leaving the door open for adversaries to easily steal login credentials or other personal information that had been entered into the machine over the previous three months. The United Kingdom’s data protection agency has already contacted Microsoft inquiring about the way this information is stored and used, and they’ve asked for assurance that users’ data will be properly safeguarded and not used by the company.  Other unauthorized users may be able to access and query Recall’s information, should they obtain physical access to the device. (Bleeping Computer, Double Pulsar) 

**Popular spyware app pcTattletale had to completely shut down after a data breach and having its website seized.** The company that operates the app, which quietly and remotely tracks users’ activities on infected machines and takes screenshots, had its website defaced earlier this week by a hacker, along with a dump of data belonging to alleged pcTattletale customers and victims. Just days before the disruption, reports surfaced that the software was quietly installed on computers that handled the check-in process at least three Wyndham hotels across the U.S. A vulnerability in the platform could have allowed anyone on the internet who exploits it can download screenshots captured by the software directly from its servers. pcTattletale advertised itself as software that could allow anyone to control it remotely and view the target’s Android or Windows devices and their data from anywhere in the world. The founder of the spyware said that, after the data breach, the company was “out of business and completely done.” The now-defunct app had 138,000 registered customers, according to data breach notification website Have I Been Pwned. (TechCrunch, TechCrunch (again)) 

**Ascension hospitals across the U.S. still have to delay patient care more than three weeks after a cyber attack.** As of earlier this week, the national hospital system is still experiencing network disruptions, forcing staff to write care notes by hand and deliver orders for tests and prescriptions in person. Patients have also been unable to use their online portals to contact their doctors or view their medical records. Ascension is one of the largest health systems in the U.S., with more than 140 hospitals across the country. It first alerted patients and doctors about “unusual activity” on May 8, and there is no timeline for when services will be fully restored. News reports indicate that the disruption is a ransomware attack that can be attributed to the BlackBasta threat actor, which has links to Russia. Large health care organizations have increasingly become the target of ransomware attacks, with a previous campaign targeting Change Healthcare earlier this year disrupting payments to medical providers across the U.S. for weeks. (NPR, The New York Times) 

**Can’t get enough Talos? **

*   Attackers are probing Check Point Remote Access VPN devices 
*   Out-of-bounds reads in Adobe Acrobat; Foxit PDF Reader contains vulnerability that could lead to SYSTEM-level privileges 
*   New Generative AI category added to Talos reputation services 
*   From trust to trickery: Brand impersonation over the email attack vector 

**Upcoming events where you can find Talos **

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_ 

> _B_ill Largent from Talos' Strategic Communications team will be giving our annual "State of Cybersecurity" talk at Cisco Live on Tuesday, June 4 at 11 a.m. Pacific time. Jaeson Schultz from Talos Outreach will have a talk of his own on Thursday, June 6 at 8:30 a.m. Pacific, and there will be several Talos IR-specific lightning talks at the Cisco Secure booth throughout the conference.

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** PUA.Win.Dropper.Generic::1201 

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c       
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c       
**Typical Filename:** AAct.exe       
**Claimed Product:** N/A         
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Attackers are impersonating a road toll payment processor across the U.S. in phishing attacks

Making sure that your iPhone can't be tracked is virtually impossible once someone has access to your Apple account

On iOS and iPadOS, location services are typically turned on when you first set up your device. However, there may be reasons why you don’t want your device to be located, perhaps because you don’t want to be found but need to keep the device with you.

There are a few options to hide your location from prying eyes.

_Please note: I will only mention iOS from here on, but the instructions are almost the same for iPadOS._

**Turn off location services by app**

Some apps will not work properly without location services, but it’s certainly worth checking which ones are actually using them.

*   Go to **Settings** > **Privacy & Security** > **Location Services**.
*   If **Location Services** is on, you will see a list of apps with permissions.

*   Scroll down to select an app.
*   Now you can tap the app and select an option of **Never**, **Ask Next Time Or When I Share**, **While Using the App**, or **Always**.
*   From here, apps should provide an explanation of how they will use your location information. Some apps might offer only two options.

**Turn location services off entirely**

You can turn Location Services on or off at **Settings** > **Privacy & Security** > **Location Services**. Move the slider control to the left to turn Location Services off.

Note that turning Location Services of will also disable the Find My feature for the device.

**Turn off Find My iPhone**

Find My iPhone allows a user to track their devices. It allows you to locate the device from another device, make it play a sound if you are close, and even remotely erase your device if you suspect it has fallen in the wrong hands.

To disable Find My iPhone:

*   Go to **Settings**
*   Select your account name.
*   Choose **Find My**
*   Turn the feature off. You will need to enter your iCloud password.

An iPhone can still be tracked in some cases, even if it is in Airplane Mode. The only way tracking is not possible is to turn the iPhone off completely.  And even then, since iOS 15, iPhone models 11 and up will transmit their location even when powered off if the **Find My Network** is enabled in your settings.

To turn off **Find My network:**

*   Go to **Settings**
*   Select your account name.
*   Choose **Find My**
*   Turn **Find My network** off.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#android