Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used…

Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used DLL sideloading and VMware exploits to steal sensitive military, economic, and South China Sea data. Discover how Southeast Asia can defend against future cyberattacks.

Cybersecurity firm Sophos has shared details of a large-scale espionage campaign dubbed “Crimson Palace.” This Chinese state-sponsored effort targeted a government agency in Southeast Asia for nearly two years, through tactics like DLL sideloading and VMware exploitation.

As per Sophos MDR’s human-led threat-hunting service, multiple Chinese state-sponsored actors have been active since early 2022, and despite a few weeks of dormancy, intrusion activity continues targeting the organization, which Sophos categorizes as “mixed estate.”

Sophos initially discovered activity in March 2022 with the detection of NUPAKAGE malware, attributed to Earth Preta and again in December 2022, intrusion activity was discovered using DLL-stitching to deploy malicious backdoors on domain controllers.

During the investigation, Sophos researchers found three distinct clusters of activity named Cluster Alpha, Cluster Bravo, and Cluster Charlie, targeting the same organization. These clusters overlap with multiple Chinese nation-state groups, including Worok, the APT41 subgroup Earth Longzhi, BackdoorDiplomacy, REF5961, TA428 and a relatively new threat group, Unfading Sea Haze that was reported in May 2024 to be carrying out extensive cyberattacks against military targets in the South China Sea.

Cluster Alpha focused on sideloading malware and establishing persistent C2 channels, while Cluster Bravo focused on using valid accounts to spread laterally. Cluster Charlie prioritized access management and aimed to exfiltrate sensitive information for espionage purposes.

These clusters used a mix of custom malware and publicly available tools to gather sensitive political, economic, and military information. These include CCoreDoor, PocoProxy, an updated variant of Cobalt Strike, PowHeartBeat backdoor, EAGERBEE malware, NUPAKAGE, Merlin C2 Agent, PhantomNet backdoor, RUDEBIRD malware, and an LSASS logon credential interceptor.

> _“Sophos MDR has observed the actors attempting to collect documents with file names that indicate they are of intelligence value, including military documents related to strategies in the South China Sea.”_
> 
> Sophos

Sophos believes the campaign’s primary aim is to maintain cyberespionage access for safeguarding Chinese state interests, including accessing critical IT systems, performing reconnaissance, collecting sensitive information, and deploying malware implants for command-and-control communications.

The campaign as per Sophos’ blog post, also included over 15 distinct DLL sideloading scenarios, most of which abused Windows Services, legitimate Microsoft binaries, and AV vendor software.

****Threat Actors Collaborating Worldwide****

This marks the first instance where Chinese threat groups are actively collaborating to target an entity, each with its own working hours and scheduling activities, directed by a central authority.

Last month, cybersecurity researchers at Check Point reported that several Iranian state-sponsored hacker groups are teaming up for large-scale attacks. Similarly, a report from Flashpoint last month highlighted that Russian state-sponsored hacker groups are changing tactics. They are now partnering up and increasingly relying on malicious paid tools instead of the custom-made tools they previously used.

1.  China-Linked Spyware Found in Play Store Apps, 2m Downloads
2.  China’s insidious surveillance against Uyghurs with Android malware
3.  Muddling Meerkat Suspected of Espionage via Great Firewall of China
4.  Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage
5.  Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

Crimson Palace: Chinese Hackers Steal Military Secrets Over 2 Years

A husband, now indicted, allegedly used seven Apple AirTags to stalk his ex-wife over a period of several weeks. His trial begins this month.

Following their divorce, a husband carried out a campaign of stalking and abuse against his ex-wife—referred to only as “S.K.”—by allegedly hiding seven separate Apple AirTags on or near her car, according to documents filed by US prosecutors for the Eastern District of Pennsylvania.

The documents, unearthed by 404 Media in collaboration with Court Watch, reveal how everyday consumer tools, like Bluetooth trackers, are sometimes leveraged for abuse against spouses and romantic partners.

 “The Defendant continued to adapt and use increasingly sophisticated efforts to hide the AirTags he placed on S.K.’s car,” US attorneys said. “It is clear from the timing of the placement of the AirTags and corroborating cell-site data, that he was monitoring S.K.’s movements.”

On May 8, the US government filed an indictment against the defendant, Ibodullo Muhiddinov Numanovich, with one alleged count of stalking against his ex-wife, S.K.

The stalking at the center of the government’s indictment allegedly began around March 27, when the FBI first learned about S.K. finding and removing an AirTag from her car. Less than a month later, on April 18, the FBI found a second AirTag that “was taped underneath the front bumper of S.K.’s vehicle with white duct tape.”

The very next day, the FBI found a third AirTag. This time, it was “wrapped in a blue medical mask and secured under the vehicle near the rear passenger side wheel well.”

This pattern of finding an AirTag, removing it, and then finding another was punctuated by physical and verbal intimidation, the government wrote. After a fourth AirTag was removed, the government said that Numanovich called S.K., followed her to a car wash, and “banged on her windows, and demanded to know why S.K. was not answering his calls.” Less than one week later, during a period of just 10 minutes, the government said that Numanovich left five threatening voice mails on S.K.’s phone, calling her “disgusting” and “worse than an animal.”

During the investigation, the FBI retrieved seven AirTags in total. Here is where those AirTags were found:

1.  Found by S.K. with no detail on specific location
2.  Duct-taped underneath the front bumper of S.K.’s car
3.  Underneath S.K.’s car, near the passenger-side wheel well, wrapped in a blue medical mask
4.  Within the frame of SK’s driver-side mirror, wedged between the mirror itself and the casing around it
5.  “An opening within the vehicle’s frame” which, documents say, was previously sealed by a rubber plug that was removed
6.  Underneath the license plate on S.K.’s car
7.  Undisclosed

For two of the retrieved AirTags, the FBI deactivated the trackers and then, away from S.K., placed the AirTags at separate locations. At an undisclosed location in Philadelphia where the FBI placed one AirTag, FBI agents later saw Numanovich “exit his vehicle with his phone in his hand, and begin searching for the AirTag.” At a convenience store where the FBI placed a second AirTag, agents said they again saw Numanovich.

The FBI also received information about attempted pairings and successful unpairings with Numanovich’s Apple account for three of the Apple AirTags.

In addition to the alleged pattern of stalking, the government also accused Numanovich of abusing SK both physically and emotionally, threatening her in person and over the phone, and recording sexually explicit videos of her to use as extortion. After a search warrant was authorized on May 13, agents found “approximately 140 sexually explicit photographs and videos of S.K.” stored on Numanovich’s phone, along with records for “numerous” financial accounts that transferred more than $4 million between 2022 and 2023.

In a follow-on request from the government to detain Numanovich before his trial begins, prosecutors also revealed that S.K. may have been brought into the US through a “Russian-based human smuggling network”—a network of which Numanovich might be a member.

According to 404 Media, a jury trial for Numanovich is scheduled to start on June 8.

**Improving AirTag safety**

Just last month, Apple and Google announced an industry specification for Bluetooth tracking devices such as AirTags to help alert users to unwanted tracking. The specification will make it possible to alert users across both iOS and Android if a device is unknowingly being used to track them. We applaud this development.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Husband stalked ex-wife with seven AirTags, indictment says 

TikTok accounts are being hacked! Celebrities and brands targeted in zero-click attack. Learn more about this major security…

TikTok accounts are being hacked! Celebrities and brands targeted in zero-click attack. Learn more about this major security breach in which accounts have been compromised.

Social media, online shopping and video giant TikTok has experienced a cyberattack in which attackers managed to compromise celebrity and brand accounts, including hotel heiress Paris Hilton, Sony, and CNN. 

While specific details about the nature of the attack are scarce at the moment, VXUnderground explained in its post on X (formerly Twitter) that an unknown threat actor discovered an exploit in TikTok that allows users to hijack accounts. The payload is delivered through TikTok direct messages and executed when read, without requiring external files or user response. 

The number of affected accounts is currently unclear but according to the latest update from TikTok, only two accounts have been compromised, one being CNN’s. 

The attack was first reported by Semafor and Forbes, according to which TikTok was targeted in a zero-click account takeover campaign that allows malware to compromise brand and celebrity accounts without direct interaction. Both the outlets confirmed that CNN temporarily removed its account after being hacked.  

A search for CNN returns no results for the US-based English language account

According to TikTok’s spokesperson, Alex Haurek, the number of compromised accounts is “very small,” but refused to explain how TikTok is protecting other exposed accounts.

“We are dedicated to maintaining the integrity of the platform and will continue to monitor for any further inauthentic activity,” Haurek said, specifically referring to CNN’s account compromise. TikTok is working with the news outlet to restore account access and implement enhanced security measures to safeguard their TikTok account.

TikTok’s privacy and security team spokesperson, Jason Grosse, stated that the company is still investigating the attack and cannot comment on its scale or sophistication, but mentioned that the threat is a “potential exploit.”

For your information, Hilton’s staff and sources at TikTok have confirmed that her account was targeted but not compromised.

Hanna Basha, Partner at Payne Hicks Beach, one of the oldest and known law firms in the United Kingdom, commented on the incident highlighting the threat luring behind data sharing on social media.

_“_TikTok is the latest of many companies to be subject to a cyberattack highlighting that it is now almost impossible to avoid these sorts of attacks and therefore incredibly important that individuals consider carefully what they are sharing on social media platforms,_“_ warned Hanna.

_“_Individuals sharing private messages have legal rights in privacy, confidence and data to keep these messages private and prevent them from being published. However, the practical advice must be to try to limit what you do share, even in direct messages, and before sending consider whether it could be damaging or embarrassing if published,” Hanna emphasised.

ByteDance-owned TikTok, with over one billion users globally, has reportedly taken measures to prevent future attacks and is working with affected account owners to restore access if needed.

TikTok has long been criticized for its security practices, particularly when in January 2021 Check Point Research identified a flaw that could have allowed attackers to build a database of TikTok users and in September 2022, Microsoft discovered a one-click exploit affecting the Android app, allowing attackers to take over accounts. It is about time the company strengthens its cybersecurity mechanisms to prevent similar incidents.

1.  TikTok vulnerability allowed hackers to send SMS with malware
2.  TikTok Invisible Body Challenge Trend Abused to Drop Malware
3.  TikTokers promoted adware, earned half a million dollars in profit
4.  TikTok collected MAC addresses for Android against Google’s ToS
5.  New smishing scam spreads fake TikTok App loaded with malware

Few But High-Profile TikTok Accounts Hacked Via Zero-Click Attack in DM

Announcing the latest version of Malwarebytes, which brings a faster, responsive, and consistent user interface, integrated security and privacy, and expert guidance to keep you secure.

Announcing the latest version of Malwarebytes, which brings a faster, responsive, and consistent user interface, integrated security and privacy, and expert guidance to keep you secure.

Here’s what you can expect:

****1\. Unified user experience across platforms** **

The new generation of Malwarebytes now delivers a consistent user experience across all our desktop and mobile platforms. The reimagined user interface is faster, more responsive, and managed through an intuitive dashboard, giving you a streamlined experience wherever you use Malwarebytes. 

**Why?** Sophisticated hacking tactics and various entry points mean you can’t afford to have blind spots in your protection. A seamless experience across all platforms and devices means you don’t have to figure out more than once about what to do next. We’ve also made it easier to find everything, encouraging you to keep your guard up on all your devices. 

****2\. Premium Security and Privacy VPN integration** **

We’ve merged our award-winning Premium Security and ultra fast no-log Privacy VPN into a single dashboard, making it much easier for you to take control of your privacy. With just one click, you can now protect your Wi-Fi or hotspot connections and change your location to visit the site you want at the speed you need. Don’t forget to also use Browser Guard on your desktop to block ad trackers and scam sites from your browser.  

**Why?** We know that the distinction between security and privacy is not clear-cut, and you need both products to work together to minimize your exposure (risk of threats and lack of privacy). Integrating the two makes it much easier to protect both your devices and data (at home and on the go), with an easy set-and-forget experience that doesn’t require adding another program.  You shouldn’t have to guess whether the next attack will compromise your Wi-Fi connection, browser, or files through phishing emails, spyware, or malware. Let the technology do this for you.  

****3\. Trusted Advisor, your security coach**  **

On the Malwarebytes dashboard, Trusted Advisor provides unbiased expert guidance at your fingertips. Your easy-to-understand individual Protection Score enables you to act on any potential security gaps, unlocking the full power of technology.

**Why?** In our recent report, “Everyone’s afraid of the internet, and no one’s sure what to do about it,” we found that only half of the people surveyed felt confident they knew how to stay safe online, and even fewer said they were taking the right measures to protect themselves. Trusted Advisor empowers you with real-time insights, an easy-to-read protection score, and expert guidance that puts you in control of your security and privacy.  We’re by your side guiding you through what to do next to fill your security gaps for each device and platform (Windows, Mac, Android, and iOS).

**Want to try?** You can! With our 14-day free trial.  

Already a customer but not yet seeing it? Log into MyAccount or download the latest build for Windows | Mac | iOS | Android.  

**Software Requirements:** 

*   Windows 7 (or higher) 
*   macOS 11 BigSur (or higher)
*   iOS 16 (or higher) 
*   Android 9 (or higher)

 Say hello to the fifth generation of Malwarebytes 

A list of topics we covered in the week of May 27 to June 2 of 2024

June 1, 2024 - Live Nation has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach.

May 31, 2024 - This post will help users find out if their Windows device has been added to the 911 S5 botnet by a malicious VPN application

May 30, 2024 - Scammers and other cybercriminals love to use our name to defraud their victims. Here's what to look out for.

May 30, 2024 - A database has been put up for sale that allegedly contains the data of 560 million Ticketmaster users. But is it real?

May 29, 2024 - This post explains how to disable various location services on Android devices.

 A week in security (May 27 &#8211; June 2) 

Drivers from New York to Georgia and Pennsylvania have received these types of texts with equally convincing phishing text messages and lure pages.

Thursday, May 30, 2024 14:00

My wife (no stranger to weird types of scams) recently received a fake text message from someone claiming to be New Jersey’s E-ZPass program saying that she had an outstanding balance from highway tolls that she owed, prompting her to visit a site so she could pay and avoid additional fines. 

There was plenty of reason to believe this was a legitimate ask. Her family is from New Jersey, so we make frequent trips there, paying $20-plus in tolls along the way. We had also just completed a trip from there a few weeks prior (though I’m not sure if this was a coincidence to the timing of the spam text or not), and we both have E-ZPass accounts. 

For the uninitiated, or anyone who lives in a country where taxes are paid as normal and therefore pay for appropriate road repairs, E-ZPass is a small device drivers in more than a dozen countries in the U.S. can register for so they can automatically pay tolls along highways rather than having to stop and use cash or coins, or spending a few extra minutes manually processing a transaction.  

Each state or city has its own agencies that deal with E-ZPass, each with its own payment processing system and website. For this case with New Jersey, the phishing site the scammers set up was shockingly convincing and looked remarkably similar to the legitimate New Jersey E-ZPass website.  

The phishing website set up by scammers (left) meant to look like the legitimate New Jersey E-ZPass website (right).

Once we logged into our legitimate E-ZPass account to check to make sure we had, in fact, paid all the appropriate tolls, I alerted my team about this scam, and we appropriately blocked the phishing URL in question in Cisco Secure products.  

Since this victory and foray into threat hunting, I have learned that this is a problem everywhere, not just for New Jersey drivers. 

Since this experience, E-ZPass has sent out an alert in all the states they operate in warning about these types of scams. Drivers from New York to Georgia and Pennsylvania have received these types of texts with equally convincing phishing text messages and lure pages.  

It’s unclear what the adversaries’ goals are in this case, but it’s probably safe to assume they’re looking to collect users’ credit card information after they go in to pay the alleged overdue toll. They could also be collecting E-ZPass login information to collect further data about the drivers. 

In April, the FBI also warned of SMS phishing scams, in which adversaries pretended to be toll collection services from three different U.S. states. SunPass, the equivalent to E-ZPass in Florida, also alerted about similar scams around the same time as these E-ZPass scams started being reported. And in March, the FasTrak service in California warned of the same problems.  

My hunch is that these types of services are being impersonated all over the U.S. for several reasons — thousands of drivers use these services (especially in states with a high commuter population), which makes it likely that whoever receives the text will be familiar with these devices and will have recently driven on a highway that makes drivers pay tolls. The amounts they’re asking for are also small, no more than $5 USD, so it doesn’t set off any immediate alarm bells, unlike similar scams that ask for hundreds of dollars for health care services. The requests coming through as SMS messages also make the targets more likely to open them on their mobile devices, which may not have the same security in place as a laptop or managed company device. 

No individual state or local agency is immune from this style of scam, so if you’re ever in doubt of receiving a text like this, it’s best to call your area government program in question and ask them about any suspicious activity before clicking on any links or submitting payment information. 

**The one big thing **

Cisco Talos’ Vulnerability Research team has helped to disclose and patch more than 20 vulnerabilities over the past three weeks, including two in the popular Adobe Acrobat Reader software. Acrobat, one of the most popular PDF readers currently available, contains two out-of-bounds read vulnerabilities that could lead to the exposure of sensitive contents of arbitrary memory in the application. There are also eight vulnerabilities in a popular line of PLC CPU modules commonly used in automated environments. We have more detailed information in our full Vulnerability Roundup from this week. 

**Why do I care? **

Several vulnerabilities were identified in the AutomationDirect P3 line of CPU modules. The P3-550E is the most recent CPU module released in the Productivity3000 line of Programmable Automation Controllers from AutomationDirect. The device communicates remotely via ethernet, serial and USB and exposes a variety of control services, including MQTT, Modbus, ENIP and the engineering workstation protocol DirectNET. Four of the vulnerabilities found in these PLC CPU modules received a CVSS security score of 9.8 out of 10, making them particularly notable. TALOS-2024-1942 (CVE-2024-21785) is a leftover debug code vulnerability that allow an adversary who can communicate to the device over ModbusRTU to enable the device’s diagnostic interface without any other knowledge of the target device. There is also TALOS-2024-1943 (CVE-2024-23601) which can lead to remote code execution if the attacker sends a specially crafted file to the targeted device and TALOS-2024-1939 (CVE-2024-24963 and CVE-2024-24962) which are stack-based buffer overflows that can also lead to remote code execution if the attacker sends a specially formatted packet to the device. 

**So now what? **

Each of the vendors mentioned in this week’s Vulnerability Roundup have released patches for affected products, and users should download these patches as soon as possible. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Top security headlines of the week **

**Security researchers are warning about the dangers of a new AI “Recall” feature for Microsoft Windows 11.** Microsoft recently announced a new update, that will allow a computer to remember past actions taken by the user and then use a simple search to query that information (ex., “Where did I store that document again?”). However, because Recall essentially takes individual snapshots of a machine and stores them locally, there are several security concerns. If an adversary were to infect a targeted machine with information-stealing malware, they could steal important databases stored locally and anything stored by Windows Recall. Recall also contains what are essentially keylogging functions, leaving the door open for adversaries to easily steal login credentials or other personal information that had been entered into the machine over the previous three months. The United Kingdom’s data protection agency has already contacted Microsoft inquiring about the way this information is stored and used, and they’ve asked for assurance that users’ data will be properly safeguarded and not used by the company.  Other unauthorized users may be able to access and query Recall’s information, should they obtain physical access to the device. (Bleeping Computer, Double Pulsar) 

**Popular spyware app pcTattletale had to completely shut down after a data breach and having its website seized.** The company that operates the app, which quietly and remotely tracks users’ activities on infected machines and takes screenshots, had its website defaced earlier this week by a hacker, along with a dump of data belonging to alleged pcTattletale customers and victims. Just days before the disruption, reports surfaced that the software was quietly installed on computers that handled the check-in process at least three Wyndham hotels across the U.S. A vulnerability in the platform could have allowed anyone on the internet who exploits it can download screenshots captured by the software directly from its servers. pcTattletale advertised itself as software that could allow anyone to control it remotely and view the target’s Android or Windows devices and their data from anywhere in the world. The founder of the spyware said that, after the data breach, the company was “out of business and completely done.” The now-defunct app had 138,000 registered customers, according to data breach notification website Have I Been Pwned. (TechCrunch, TechCrunch (again)) 

**Ascension hospitals across the U.S. still have to delay patient care more than three weeks after a cyber attack.** As of earlier this week, the national hospital system is still experiencing network disruptions, forcing staff to write care notes by hand and deliver orders for tests and prescriptions in person. Patients have also been unable to use their online portals to contact their doctors or view their medical records. Ascension is one of the largest health systems in the U.S., with more than 140 hospitals across the country. It first alerted patients and doctors about “unusual activity” on May 8, and there is no timeline for when services will be fully restored. News reports indicate that the disruption is a ransomware attack that can be attributed to the BlackBasta threat actor, which has links to Russia. Large health care organizations have increasingly become the target of ransomware attacks, with a previous campaign targeting Change Healthcare earlier this year disrupting payments to medical providers across the U.S. for weeks. (NPR, The New York Times) 

**Can’t get enough Talos? **

*   Attackers are probing Check Point Remote Access VPN devices 
*   Out-of-bounds reads in Adobe Acrobat; Foxit PDF Reader contains vulnerability that could lead to SYSTEM-level privileges 
*   New Generative AI category added to Talos reputation services 
*   From trust to trickery: Brand impersonation over the email attack vector 

**Upcoming events where you can find Talos **

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_ 

> _B_ill Largent from Talos' Strategic Communications team will be giving our annual "State of Cybersecurity" talk at Cisco Live on Tuesday, June 4 at 11 a.m. Pacific time. Jaeson Schultz from Talos Outreach will have a talk of his own on Thursday, June 6 at 8:30 a.m. Pacific, and there will be several Talos IR-specific lightning talks at the Cisco Secure booth throughout the conference.

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** PUA.Win.Dropper.Generic::1201 

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c       
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c       
**Typical Filename:** AAct.exe       
**Claimed Product:** N/A         
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Attackers are impersonating a road toll payment processor across the U.S. in phishing attacks

Making sure that your iPhone can't be tracked is virtually impossible once someone has access to your Apple account

On iOS and iPadOS, location services are typically turned on when you first set up your device. However, there may be reasons why you don’t want your device to be located, perhaps because you don’t want to be found but need to keep the device with you.

There are a few options to hide your location from prying eyes.

_Please note: I will only mention iOS from here on, but the instructions are almost the same for iPadOS._

**Turn off location services by app**

Some apps will not work properly without location services, but it’s certainly worth checking which ones are actually using them.

*   Go to **Settings** > **Privacy & Security** > **Location Services**.
*   If **Location Services** is on, you will see a list of apps with permissions.

*   Scroll down to select an app.
*   Now you can tap the app and select an option of **Never**, **Ask Next Time Or When I Share**, **While Using the App**, or **Always**.
*   From here, apps should provide an explanation of how they will use your location information. Some apps might offer only two options.

**Turn location services off entirely**

You can turn Location Services on or off at **Settings** > **Privacy & Security** > **Location Services**. Move the slider control to the left to turn Location Services off.

Note that turning Location Services of will also disable the Find My feature for the device.

**Turn off Find My iPhone**

Find My iPhone allows a user to track their devices. It allows you to locate the device from another device, make it play a sound if you are close, and even remotely erase your device if you suspect it has fallen in the wrong hands.

To disable Find My iPhone:

*   Go to **Settings**
*   Select your account name.
*   Choose **Find My**
*   Turn the feature off. You will need to enter your iCloud password.

An iPhone can still be tracked in some cases, even if it is in Airplane Mode. The only way tracking is not possible is to turn the iPhone off completely.  And even then, since iOS 15, iPhone models 11 and up will transmit their location even when powered off if the **Find My Network** is enabled in your settings.

To turn off **Find My network:**

*   Go to **Settings**
*   Select your account name.
*   Choose **Find My**
*   Turn **Find My network** off.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to turn off location tracking on iOS and iPadOS 

Ubuntu Security Notice 6795-1 - Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service. It was discovered that the Open vSwitch implementation in the Linux kernel could overflow its stack during recursive action operations under certain conditions. A local attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6795-1May 28, 2024linux-intel-iotg vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-intel-iotg: Linux kernel for Intel IoT platformsDetails:Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linuxkernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could possiblyuse this to cause a denial of service (system crash). (CVE-2023-47233)It was discovered that the Open vSwitch implementation in the Linux kernelcould overflow its stack during recursive action operations under certainconditions. A local attacker could use this to cause a denial of service(system crash). (CVE-2024-1151)Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffridadiscovered that the Linux kernel mitigations for the initial Branch HistoryInjection vulnerability (CVE-2022-0001) were insufficient for Intelprocessors. A local attacker could potentially use this to expose sensitiveinformation. (CVE-2024-2201)Chenyuan Yang discovered that the RDS Protocol implementation in the Linuxkernel contained an out-of-bounds read vulnerability. An attacker could usethis to possibly cause a denial of service (system crash). (CVE-2024-23849)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - PowerPC architecture;   - S390 architecture;   - Core kernel;   - Block layer subsystem;   - Android drivers;   - Power management core;   - Bus devices;   - Hardware random number generator core;   - Cryptographic API;   - Device frequency;   - DMA engine subsystem;   - ARM SCMI message protocol;   - GPU drivers;   - HID subsystem;   - Hardware monitoring drivers;   - I2C subsystem;   - IIO ADC drivers;   - IIO subsystem;   - IIO Magnetometer sensors drivers;   - InfiniBand drivers;   - Media drivers;   - Network drivers;   - PCI driver for MicroSemi Switchtec;   - PHY drivers;   - SCSI drivers;   - DesignWare USB3 driver;   - BTRFS file system;   - Ceph distributed file system;   - Ext4 file system;   - F2FS file system;   - JFS file system;   - NILFS2 file system;   - NTFS3 file system;   - Pstore file system;   - SMB network file system;   - Memory management;   - CAN network layer;   - Networking core;   - HSR network protocol;   - IPv4 networking;   - IPv6 networking;   - Logical Link layer;   - MAC80211 subsystem;   - Multipath TCP;   - Netfilter;   - NFC subsystem;   - SMC sockets;   - Sun RPC protocol;   - TIPC protocol;   - Unix domain sockets;   - Tomoyo security module;   - Realtek audio codecs;(CVE-2023-52616, CVE-2024-26679, CVE-2024-26608, CVE-2023-52594,CVE-2024-26622, CVE-2023-52643, CVE-2024-26594, CVE-2023-52598,CVE-2023-52627, CVE-2023-52491, CVE-2024-26592, CVE-2024-26717,CVE-2023-52638, CVE-2024-26704, CVE-2023-52637, CVE-2024-26645,CVE-2023-52602, CVE-2024-26722, CVE-2024-26671, CVE-2023-52599,CVE-2024-26720, CVE-2023-52631, CVE-2023-52486, CVE-2024-26640,CVE-2023-52606, CVE-2023-52633, CVE-2024-26593, CVE-2024-26664,CVE-2023-52618, CVE-2024-26625, CVE-2023-52604, CVE-2024-26695,CVE-2024-26644, CVE-2024-26826, CVE-2024-26600, CVE-2024-26808,CVE-2023-52619, CVE-2023-52597, CVE-2024-26602, CVE-2024-26635,CVE-2023-52623, CVE-2024-26665, CVE-2024-26916, CVE-2024-26689,CVE-2023-52635, CVE-2024-26712, CVE-2023-52614, CVE-2024-26606,CVE-2024-26610, CVE-2024-26675, CVE-2023-52617, CVE-2024-26697,CVE-2023-52595, CVE-2023-52494, CVE-2024-26641, CVE-2024-26698,CVE-2024-26707, CVE-2024-26673, CVE-2023-52493, CVE-2024-26676,CVE-2024-26910, CVE-2023-52601, CVE-2024-26660, CVE-2023-52608,CVE-2024-26615, CVE-2023-52587, CVE-2024-26825, CVE-2023-52498,CVE-2023-52492, CVE-2024-26668, CVE-2024-26715, CVE-2024-26685,CVE-2024-26702, CVE-2024-26663, CVE-2024-26636, CVE-2024-26627,CVE-2024-26696, CVE-2023-52583, CVE-2023-52642, CVE-2023-52489,CVE-2024-26614, CVE-2024-26829, CVE-2024-26684, CVE-2023-52615,CVE-2023-52435, CVE-2023-52530, CVE-2023-52607, CVE-2024-26920,CVE-2023-52622, CVE-2023-52588)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   linux-image-5.15.0-1057-intel-iotg  5.15.0-1057.63   linux-image-intel-iotg          5.15.0.1057.57After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6795-1   CVE-2023-47233, CVE-2023-52435, CVE-2023-52486, CVE-2023-52489,   CVE-2023-52491, CVE-2023-52492, CVE-2023-52493, CVE-2023-52494,   CVE-2023-52498, CVE-2023-52530, CVE-2023-52583, CVE-2023-52587,   CVE-2023-52588, CVE-2023-52594, CVE-2023-52595, CVE-2023-52597,   CVE-2023-52598, CVE-2023-52599, CVE-2023-52601, CVE-2023-52602,   CVE-2023-52604, CVE-2023-52606, CVE-2023-52607, CVE-2023-52608,   CVE-2023-52614, CVE-2023-52615, CVE-2023-52616, CVE-2023-52617,   CVE-2023-52618, CVE-2023-52619, CVE-2023-52622, CVE-2023-52623,   CVE-2023-52627, CVE-2023-52631, CVE-2023-52633, CVE-2023-52635,   CVE-2023-52637, CVE-2023-52638, CVE-2023-52642, CVE-2023-52643,   CVE-2024-1151, CVE-2024-2201, CVE-2024-23849, CVE-2024-26592,   CVE-2024-26593, CVE-2024-26594, CVE-2024-26600, CVE-2024-26602,   CVE-2024-26606, CVE-2024-26608, CVE-2024-26610, CVE-2024-26614,   CVE-2024-26615, CVE-2024-26622, CVE-2024-26625, CVE-2024-26627,   CVE-2024-26635, CVE-2024-26636, CVE-2024-26640, CVE-2024-26641,   CVE-2024-26644, CVE-2024-26645, CVE-2024-26660, CVE-2024-26663,   CVE-2024-26664, CVE-2024-26665, CVE-2024-26668, CVE-2024-26671,   CVE-2024-26673, CVE-2024-26675, CVE-2024-26676, CVE-2024-26679,   CVE-2024-26684, CVE-2024-26685, CVE-2024-26689, CVE-2024-26695,   CVE-2024-26696, CVE-2024-26697, CVE-2024-26698, CVE-2024-26702,   CVE-2024-26704, CVE-2024-26707, CVE-2024-26712, CVE-2024-26715,   CVE-2024-26717, CVE-2024-26720, CVE-2024-26722, CVE-2024-26808,   CVE-2024-26825, CVE-2024-26826, CVE-2024-26829, CVE-2024-26910,   CVE-2024-26916, CVE-2024-26920Package Information:   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1057.63

Ubuntu Security Notice USN-6795-1

This post explains how to disable various location services on Android devices.

Android devices come with location services. Some apps need access to location services to function properly. However, there may be reasons why you don’t want your device to be located, often because you don’t want to be found and the device is always with you.

Depending on who you are trying to hide your location from, there are several levels of hiding your location.

_Disclaimer: the exact instructions for your make and model of Android device may look a bit different._

**Turn off location for particular apps**

There are apps active on most Android devices that could give away the location of the device. To check which apps have access to your device’s location:

*   Swipe down from the top of the screen.
*   Find the Location icon 
*   Touch and hold Location.
*   Tap App location permissions.
*   Under **Allowed all the time**, **Allowed only while in use**, and **Not allowed**, find the apps that can use your device’s location.
*   To change the app’s permissions, tap it. Then, choose the location access for the app.
*   If you see any apps that you don’t recognize, be sure to turn the permission off.

**Turn off location entirely**

Alternatively, you can turn Location off entirely:

*   Swipe down from the top of the screen.
*   Find the location icon 
*   If it’s highlighted, tap it to turn it off.
*   You’ll see a warning that some apps may not function properly. Confirm by tapping **Close**.

**Turn off Find My Device**

Find My Device is a service which makes your device’s most recent location available to the first account activated on the device. Find My Device is included with most Android phones, and it’s automatically turned on once you add a Google account to your device.

How to turn off **Find My Device:**

*   Open **Settings**.
*   Tap (**Biometrics &**) **Security**.
*   Tap **Find My Device**, then tap the switch to turn it off.

Turning off Find My Device may backfire if you ever truly need to find your device because you lost it. But if someone may have the login credentials for the Google account associated with the phone, you may want to turn it off.

The last resort is to turn your phone off.

Even in airplane mode, GPS on your phone is still working. As long as a phone isn’t turned off, it’s possible to track the location because the device sends signals to nearby cell towers. Even when it’s turned off, the service provider or internet provider can show the last location once it’s switched back on.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to turn off location tracking on Android 

Stalkerware app pcTattleWare had its websites defaced and databases leaked after researchers found several security flaws.

The idea behind the software is simple. When the spying party installs the stalkerware, they grant permission to record what happens on the targeted Android or Windows device. The observer can then log in on an online portal and activate recording, at which point a screen capture is taken on the target’s device.

What goes around comes around, you might say. As you may have read many times before on our blog, some spyware companies have a surprisingly low standard of security .

In 2021, we reported that “employee and child-monitoring” software vendor pcTattleTale hadn’t been very careful about securing the screenshots it sneakily took from its victims’ phones. A security researcher found an issue while using a trial version of pcTattleTale, noticing that the company uploaded the screenshots to an unsecured online database (meaning anyone could view the screenshots as they weren’t protected by any form of authentication—such as a user name and password).

Last week another security researcher, Eric Daigle, found the company appears to have learned nothing from its previous security issue. Daigle found that pcTattleTale’s Application Programming Interface (API) allows any attacker to access the most recent screen capture recorded from any device on which the spyware is installed. Despite repeated warnings from Daigle and others, no improvements were made.

Then, yet another researcher found yet another bug in pcTattletale which allowed them to gain full access to the backend infrastructure. This allowed them to deface the website and steal the AWS credentials which turned out to be the same for all devices. Amazon has now locked pcTattletale’s entire AWS infrastructure.

After a quick sweep, stalkerware researcher, Maia Crimew stated:

> “pcTattletale currently holds over 17 terabytes of victim device screenshots (upwards of 300 million of them from over 10 thousand devices), with some of them dating back to 2018.”

According to 2023 research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

Given the low security of the apps available to home users, this is extremely concerning. Installing monitoring software is not just a huge invasion of privacy, there is a big chance that it will backfire.

**Removing stalkerware**

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware-type apps from your device. It is good to keep in mind however that by removing the stalkerware-type app you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes can help you.

1.  Open your Malwarebytes dashboard
2.  Tap **Scan** **now**
3.  It may take a few minutes to scan your device.

 If malware is detected you can act on it in the following ways:

*   **Uninstall**. The threat will be deleted from your device.
*   **Ignore Always**. The file detection will be added to the Allow List, and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
*   **Ignore Once**: A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete. This option will ignore the detection this time only. It will be detected as malware on your next scan.

On Windows machines Malwarebytes detects pcTattleTale as PUP.Optional.PCTattletale.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#android