Security

Attackers using an unpatched exploit for Progress Software’s MOVEit Transfer product breached a number of large companies. TechCrunch lists BBC, BA, and Nova Scotia’s government as known victims already.

Microsoft Threat Intelligence linked these to an affiliate of the Clop ransomware group, which TechCrunch notes has previously attacked exploits in other file transfer tools like GoAnywhere, and typically demands payment to not post the stolen records online.

Moscow-based security firm Kaspersky said it uncovered a new cyberattack delivered via iMessage. Dubbed Operation Triangulation, it apparently infected “dozens” of employees’ iPhones and was detected due to some anomalous traffic on the company’s network.

But, as TechCrunch reports, Russia’s FSB claimed the attack is the work of US intelligence, using vulnerabilities “provided by the manufacturer,” without providing any evidence to back that up. In a statement to the outlet, Apple spokesperson Scott Radcliffe said, “We have never worked with any government to insert a backdoor into any Apple product and never will.”

My phone just ran out of storage, which is perfect timing as I’ll be flying out on vacation tomorrow. Thankfully, I was able to quickly free up storage by backing up my photos to iCloud and removing them from my phone. You might want to learn how to do this, too, if you’re planning on traveling this summer!

Managed Care of North America Dental — a benefits provider for people enrolled in state Medicaid and CHIP — has disclosed a data breach that revealed the SSNs, driver’s licenses, insurance details, and other private information of 8.9 million people (via Engadget).

The MCNA says “a criminal accessed our computer system without our permission” between February 26th and March 7th, 2023, allowing them to “see and take copies” of the information in its database.

Hvaldimir — a belgua whale (and alleged former Russian spy) — has been spotted in Sweden this week, reheating international concern regarding how best to deal with the free-roaming former intelligence asset.

Hvaldimir was first seen in 2019 by Norwegian fishermen who removed his Russian-made harness. He’s since become a local celebrity around the Norwegian coast, seeking human interaction and retrieving fallen mobile phones from the ocean floor.

The company says a group called Volt Typhoon has been targeting critical US infrastructure, notably in Guam, since 2021 with information-gathering code. The group’s traffic has been routed through ordinary routers and other edge networking gear, which often never get updated.

Microsoft says its access could be leveraged for attacks on utilities and that shutting it down could be difficult. The New York Times has a good write-up. As always, update your tech, folks.

The plan supports up to six users and includes up to 3TB of storage space (along with 20GB of bonus storage every year) across Proton’s Mail, Drive, and Calendar apps.

It will eventually include Proton Pass as well, the company’s new end-to-end encrypted password manager. To compare, Google One’s highest plan costs $9.99 per month for 2TB of storage and other perks.

That’s the takeaway from this 60 Minutes report. And if your son/daughter/favorite nephew calls asking for emergency cash, definitely ask them a question that only they can answer.

For anyone keeping their Android phone current with the latest patches, Google has two new patch levels, dated for the first and the fifth of this month, to address security issues discovered on the platform; you can get all the info on those right here.

And for Google Pixel owners, here are the details on the May update, which is supposed to improve touch screen response on the Pixel 7 Pro and address a glitch that could make lock screen elements overlap with the home screen launcher UI.

I’ve been hearing this as received wisdom for years: never plug your phone into the USB charging ports at hotels or airports, because hackers will hijack it. But an Ars Technica deep dive concludes that while this is possible, it’s very complicated — and for the average person, not much of a threat.

“At a high level, if nobody can point to a real-world example of it actually happening in public spaces, then it’s not something that is worth stressing about for the general public,” Mike Grover, a researcher who designs offensive hacking tools and does offensive hacking research for large companies, said.

Authenticator, which enables you to protect your apps with 2FA, now syncs with your Google account so that it’s a lot easier to switch phones. But what if you don’t want it to? And what if you change your mind later? Here’s how to enable or disable the new sync feature, and how to move your Authenticator codes to a new phone if you chose not to sync.