CyberWire Daily - Can’t escape RCE flaws.

Episode Date: March 20, 2025

Veeam patches a critical vulnerability in its Backup & Replication software. A spyware data breach highlights ongoing risks. Clearview AI attempted to purchase sensitive data such as Social Security numbers and mug shots. The Netherlands’ parliament looks to reduce reliance on U.S. software firms. A Pennsylvania union notifies over 517,000 individuals of a data breach. Researchers discover a RansomHub affiliate deploying a new custom backdoor called Betruger. A new info-stealer spreads through game cheats and cracks. David Wiseman, Vice President of Secure Communications at BlackBerry, joins us to explore how organizations can effectively implement CISA’s encrypted communications guidelines. What to do when AI casually accuses you of murder?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest: David Wiseman, Vice President of Secure Communications at BlackBerry, joins us to explore how organizations can effectively implement CISA’s encrypted communications guidelines. Don’t miss the full conversation—listen now on the Caveat podcast!
Selected Reading
Veeam Patches Critical Vulnerability in Backup & Replication (SecurityWeek)
The Citizen Lab’s director dissects spyware and the ‘proliferating’ market for it (The Record)
Data breach at stalkerware SpyX affects close to 2 million, including thousands of Apple users (TechCrunch)
Facial Recognition Company Clearview Attempted to Buy Social Security Numbers and Mugshots for its Database (404 Media)
Dutch parliament calls for end to dependence on US software companies (Yahoo)
Pennsylvania education union data breach hit 500,000 people (Bleeping Computer)
RansomHub Affiliate Deploying New Custom Backdoor Dubbed ‘Betruger’ For Persistence (Cyber Security News)
New Arcane infostealer infects YouTube, Discord users via game cheats (Bleeping Computer)
Dad demands OpenAI delete ChatGPT’s false claim that he murdered his kids (Ars Technica)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cyber criminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs, and enterprises.
Starting point is 00:00:38 They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one get one offer. Visit yubico.com slash N2K to unlock this deal. That's Y-U-B-I-C-O. Say no to modern cyber threats. Upgrade your security today. Veeam patches a critical vulnerability in its backup and replication software. A spyware data breach highlights ongoing risks. Clearview AI attempted to purchase sensitive data such as social security numbers and mug shots. The Netherlands parliament looks to reduce reliance on US software firms.
Starting point is 00:01:30 A Pennsylvania union notifies over half a million individuals of a data breach. Researchers discover a RansomHub affiliate deploying a new custom backdoor called Betruger. A new info stealer spreads through game cheats and cracks. Our guest is David Wiseman, Vice President of Secure Communications at BlackBerry, joining us to explore how organizations can effectively implement CISA's encrypted communications guidelines. And what to do when AI casually accuses you of murder. It's Thursday, March 20th, 2025.
Starting point is 00:02:14 I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today, it is great to have you with us. Veeam has released patches for a critical vulnerability with a CVSS score of 9.9 in its Backup & Replication software that allows remote code execution by authenticated users. The flaw is rooted in improper deserialization handling. The company urges users to update to the latest version. Cybersecurity firm watchTowr, which reported the issue, notes that Veeam's reliance on a block list for deserialization has led to
Starting point is 00:03:05 recurring security gaps. The flaw is linked to prior RCE vulnerabilities, which have been exploited in ransomware attacks. While authentication is required for exploitation, watchTowr warns it is weak. The firm also identified additional vulnerabilities, highlighting ongoing risks. Users should patch immediately to mitigate potential threats. Ron Deibert, founder of the Citizen Lab, has led investigations into global spyware abuses. His new book, Chasing Shadows, details the rise of commercial surveillance and efforts to detect it.
Starting point is 00:03:43 In an interview with Recorded Future's The Record, Deibert explains how his team uncovers spyware by scanning network infrastructure and analyzing infected devices. He warns that spyware firms have evolved to evade detection and that many threats remain undiscovered. Deibert discusses Citizen Lab's findings on Pegasus software, including its use against Saudi journalist Jamal Khashoggi's associates. He criticizes Western inaction on spyware regulation and private equity's investment in surveillance firms. Deibert also warns that authoritarian and democratic governments alike misuse spyware, and while detection
Starting point is 00:04:22 methods improve, adversaries adapt. He stresses the need for regulation to curb abuses, as self-policing by spyware companies is insufficient. Speaking of which, consumer spyware operation SpyX suffered a data breach in June of last year, exposing nearly 2 million accounts, including thousands of Apple users. The breach, unreported until now, highlights the persistent risks of consumer-grade spyware. SpyX and its clones, mSafely and Spyphone, operate on Android and iOS, often using iCloud credentials to monitor victims.
Starting point is 00:05:03 Security expert Troy Hunt confirmed 17,000 plain text Apple account credentials in the leaked data, validating their authenticity. Google removed a related Chrome extension, citing spyware violations. SpyX's operators did not respond to inquiries. TechCrunch advises users enable Google Play Protect, use two-factor authentication, and check Apple account security settings. Spyware removal guides are available, but disabling these apps may alert perpetrators, requiring careful handling.
Starting point is 00:05:37 Apple was notified, but has not commented. Court records reveal that Clearview AI, while building its facial recognition database, also attempted to purchase sensitive data, such as social security numbers and email addresses, according to 404 Media. The company, which scrapes images from social media, has stated its goal of making almost everyone identifiable. It has contracts with law enforcement but faces legal scrutiny and regulatory fines. Privacy experts warn that Clearview's use of booking photos and facial recognition could
Starting point is 00:06:14 worsen racial bias, as the technology is less accurate for black and brown individuals. Critics fear police may disproportionately target those with mugshots in search results. Regulators and Congress are investigating the purchase of personal data. Clearview faces ongoing lawsuits, regulatory penalties, and financial setbacks, although it anticipates growth under a second Trump administration. The Netherlands Parliament approved motions urging reduced reliance on U.S. software firms, including creating a Dutch-controlled cloud platform. Lawmakers cite changing U.S. relations under President Trump as a key concern.
Starting point is 00:06:58 The motions also call for re-evaluating Amazon Web Services for Dutch internet hosting and prioritizing European firms in public contracts. Amazon insists its cloud services allow full data control. This move follows European tech firms pushing for EU investment in local cloud infrastructure. Experts say this is an initial step toward digital sovereignty. The Pennsylvania State Education Association, the PSEA, is notifying over 517,000 individuals of a data breach from July of last year, where attackers stole personal, financial, and health
Starting point is 00:07:39 data, including Social Security numbers and payment information. The Rhysida ransomware gang claimed responsibility, demanding a 20-bitcoin ransom. PSEA has not disclosed if it paid. Rhysida has previously attacked major institutions, including the British Library and Lurie Children's Hospital. Affected individuals are offered free credit monitoring and urged to monitor their accounts. Researchers at Symantec have discovered a RansomHub affiliate deploying a new custom backdoor called Betruger. The sophisticated malware streamlines ransomware attacks by consolidating multiple capabilities,
Starting point is 00:08:22 reducing the attacker's digital footprint and making detection harder. Betruger enables credential theft, keystroke logging, privilege escalation, and data exfiltration. Symantec has deployed adaptive and behavior-based protections. The malware highlights the evolving nature of ransomware as a service, reinforcing the need for strong security measures, regular system updates, and cybersecurity awareness training. A new information-stealing malware called Arcane is targeting users by stealing VPN credentials, gaming accounts, messaging data, and browser
Starting point is 00:09:00 information. Discovered by Kaspersky, Arcane is unrelated to Arcane Stealer V and emerged in November of 2024. It primarily infects users in Russia, Belarus, and Kazakhstan, unusual for Russia-based cybercriminals who typically avoid domestic targets. Arcane spreads through YouTube videos promoting game cheats and cracks, tricking users into downloading malicious files. It disables Windows Defender protections and has evolved its distribution methods, including a fake downloader called ArcanaLoader promoted via YouTube and Discord.
Starting point is 00:09:40 The malware steals credentials from VPNs, email clients, gaming platforms, cryptocurrency wallets and browsers. It also takes screenshots and retrieves Wi-Fi passwords. Users are urged to avoid downloading pirated software and cheats. Of course, you already knew that. Coming up after the break, my conversation with David Wiseman from BlackBerry, we're discussing how organizations can effectively implement CISA's encrypted communications guidelines and what to do when AI casually accuses you of murder. Stay with us.
Starting point is 00:10:25 We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do
Starting point is 00:11:18 actually use Indeed for hiring here at N2K Cyberwire. Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed,
Starting point is 00:11:40 according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com slash cyberwire. Just go to indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this podcast.
Starting point is 00:12:06 Indeed.com slash CyberWire. Terms and conditions apply. Hiring Indeed is all you need. Do you know the status of your compliance controls right now? Like right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:12:46 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. David Wiseman is vice president of secure communications at BlackBerry. I recently interviewed him for our Caveat podcast where we discussed implementing CISA's encrypted communications guidelines.
Starting point is 00:13:45 I think there's two sets of guidelines and they're both actually pretty pragmatic. So the first is for telecom carriers, networking equipment organizations, and the second is more for the general public. So maybe we kind of focus on that second one for a moment. Sure. And what they've really done is summarize the risk of Salt Typhoon, which is any typical phone call that you make, any use of SMS, whether for communicating with someone or using it as a tool to validate identity, is a risk at this point in time. So they recommend that people move to encrypted applications and end-to-end encryption. For the general public they
Starting point is 00:14:32 recommend you're using some of the popular free applications that people are aware of, things like Signal, WhatsApp, those types of things. And then they also give guidance on, you know, what are some basic security configuration settings you should put on your phone, whether you have an iOS phone or an Android phone. And so, you know, I think what they provided is very consumable for the most part. There's some areas getting into authentication that, you know, maybe you'd probably need a bit more of a tech background to really understand what they're talking about. For the most part, they're providing solid advice that I think the typical person on the street can take advantage of. Yeah, that's what I wanted to dig in with you a little bit on.
Starting point is 00:15:19 From your perspective, how achievable is this for folks who are just going about their lives, trying to keep their messaging private? Are these apps within their reach? I think if we look at it from just an individual keeping their data private and by their data, because we need to talk about this more in a moment, I really mean what they're saying to people, what they're sharing. I think it's within reach. I think the vast majority of people, or if they're already doing texting, they can use
Starting point is 00:15:57 a messaging app. And I think by doing that, that they are increasing their own levels of privacy for their information. But at the same time, they need to be aware of, you know, it's a public system. Anyone can sign up. You still need to really think about how do I know for sure who I'm talking to? Is that really the right person? You still have that risk. You had that risk before.
Starting point is 00:16:20 And also, it's free. So what's the cost? Well, the cost is you're giving up control over your communications metadata, who you're communicating with, different sets of information about yourself, even though they're protecting what you're actually saying, there's a lot of information around that. How do you recommend that folks go about choosing
Starting point is 00:16:42 what app they wanna use here? I mean, I think for a lot of folks who are coming from just regular text messaging, SMS messaging on their phone, which is sort of effortlessly cross-platform and interoperable, not all of these platforms talk to each other. For the most part, they don't. That's starting to evolve. There's some new regulations coming out of the EU that are pushing these applications, once they reach a certain size, so that they
Starting point is 00:17:12 have to support interconnectivity between the platforms. So that's a new emerging area. I think it's still going to take a few years to see how that plays out. But I think for most people, the answer to the question is, which one should I use? Which one are their family members and their friends already using? And I think the other thing to think about is you probably want to segregate what you might use for business from what you might want to use personally, just as a good data hygiene technique, to, one, just keep yourself from, you know, accidentally sending things to the wrong people, but also keeping, you know, your business information, your company information
Starting point is 00:17:55 separate from your personal information is just a good practice in general. Yeah. How about people protecting themselves from things like identity spoofing, deep fakes, things like that? Any recommendations there? Yeah, there's some in the CISA guide that really have to do with authentication techniques and using things like hardware devices and that's the part of the advice that I think the vast majority of people are going to find difficult to act on. Now, the part of it is, hey, don't use just a simple text message for authentication.
Starting point is 00:18:32 I think people are becoming more comfortable with authentication apps where you scan the QR code, you get a two-factor authentication. But a lot of times, that's driven by... It's not necessarily the consumer's choice, that's driven by the website or the application they're using. But that's still the biggest risk, I think, that people are still exposed to. The end-to-end encryption does a lot
Starting point is 00:18:55 to protect the privacy or data, but the more people start to use these applications, the more exposed they're gonna be to spoofing attacks. I think even if you use popular apps today, you get messages that say, hey, I found your number in my book, who are you again? Something along those lines. Those happen even in these encrypted applications. So that's a risk.
Starting point is 00:19:22 And then the other risk is, particularly with the Salt Typhoon and the information that's already been exposed, when you use AI techniques, it's now going to be, even going forward, it's going to be easier for these to be very compelling. And what I mean by that is, if you want to target a particular person, the data is available to identify what are their communication patterns. Who do they typically message?
Starting point is 00:19:49 What time of day might they message these people? And if you're trying to do an attack based on that, if you mimic those patterns, the person is going to be much more open to accepting that I'm really talking to who I think I'm talking with. And then you layer on the next level of that, which is since the Salt Typhoon was able to actually read SMS messages, actually listen in to voice calls, that data is there forever now. And people don't
Starting point is 00:20:16 really typically change their phone numbers. If you have someone's number, it's probably going to be good for a decade or more. And so, since the data was already there, the AI models can take that and not just the when you engage and who you engage with, but the tone of your message, how do you text, or your voice that sounds like you if you leave a message.
Starting point is 00:20:40 All of these things mean that people are just going to have to be much more skeptical, if anything seems off at all, that they're communicating with who they think they are. And that's something the advice of moving to an encrypted commercial app doesn't really help. That's David Wiseman from BlackBerry. Be sure to check out the Caveat podcast wherever you get your favorite podcasts. And we'll see you next time.
Starting point is 00:21:23 Tired of investigation tools that only do one thing at a time? Spending more time juggling contracts with data vendors than actually investigating? Maltego changes that for good. Get one investigation platform, one bill to pay, and all the data you need in one place. It comes with curated data and a full suite of tools to handle any digital investigation. Connect the dots so fast, cybercriminals won't even have time to Google what Maltego is. See the platform in action at Maltego.com. And finally, courtesy of our false accusations desk, imagine casually asking ChatGPT about yourself only to discover it has labeled you as a child murderer.
Starting point is 00:22:22 That's exactly what happened to Norwegian man Arve Hjalmar Holmen, who was horrified when the AI falsely claimed he was imprisoned for killing two of his kids. Adding insult to injury, the chatbot mixed real details like his hometown and his family size with the fabricated crime, making the lie seem oddly credible. Holmen and a digital rights group say this is a clear violation of GDPR, which requires data accuracy and correction rights. But OpenAI has argued it can't fix individual errors, only block outputs. That means Holmen's AI-generated horror story may still be lurking in Chat
Starting point is 00:23:06 GPT's training data. This isn't OpenAI's first brush with defamation complaints. Past victims include an Australian mayor, a law professor, and a radio host. Now, Norway's regulators might push OpenAI to overhaul its model or risk another hefty EU fine. It's cold comfort at best, but the only thing that actually got murdered here was Mr. Holmen's reputation. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
Starting point is 00:24:04 changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpie is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Hey everybody, Dave here.
Starting point is 00:25:10 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly
Starting point is 00:25:41 what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
