Transcript
Steve Prentiss (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Friday, March 21, 2025. I'm Steve Prentiss.

Stalkerware company SpyX suffers data breach

SpyX is a consumer-grade spyware operation described as mobile monitoring software for Android and Apple services, ostensibly for granting parental control of a child's phone. It suffered a data breach in June of 2024, but according to TechCrunch, "it had not been previously reported and there is no indication that SpyX's operators ever notified its customers or those targeted by the spyware." "The breach has revealed that SpyX and two other related mobile apps, clones of SpyX, had records on almost 2 million people at the time of the breach, including thousands of Apple users."

Canadian police appear to be using advanced commercial spyware

In additional spyware news, a new report from researchers at Citizen Lab, which itself is based in Toronto, reveals that the Internet Protocol (IP) address of a spyware customer matches that of the general headquarters of the Ontario Provincial Police. The spyware in question is made by Paragon Solutions, which itself is owned by a Florida-based private equity firm, AE Industrial Partners. A spokesman for the Ontario Provincial Police, otherwise known as the OPP, said in a statement that the agency is required to receive judicial authorization to intercept private communications, a step it only takes to advance serious criminal investigations, adding that the force also uses investigative tools and techniques in full compliance with the laws of Canada.

Veeam patches Backup and Replication vulnerabilities

This particular defect, which has a CVE number and a CVSS score of 9.9, could allow for remote code execution by authenticated domain users. It affects numerous Backup and Replication versions in the 12.x range, according to cybersecurity firm watchTowr, which reported the vulnerability. It is rooted in a broader issue within Veeam's deserialization mechanism, which watchTowr says the company has failed to properly address. watchTowr also points out that while the exploitation of the new vulnerability requires the attacker to be logged in, the authentication requirement is fairly weak.

Subsea cables can listen for potential sabotage

Following up on our coverage of subsea Internet cable sabotage, especially off Scandinavia, ostensibly by dragging ships' anchors across them: technology is now being refined to detect people or machinery lurking near a cable, anchors being dragged toward them on the ocean floor, or even the sounds of anchors being dropped into the water from ships. This technique is based on the pulses of light that travel along a fiber optic cable and the tiny reflections that sometimes bounce back along that line, based on physical interactions such as temperature, vibrations or physical disturbance to the cable itself. Although this is a relatively new and evolving technique, it could give subsea cable operators greater opportunity to protect against sabotage, especially given that 95% of all Internet traffic travels through them at some point.

Thanks to our episode's sponsor, DeleteMe

Data brokers bypass online safety measures to sell your name, address and Social Security number to scammers. DeleteMe scours the web to find and remove your private information before it gets into the wrong hands by scanning for exposed information and completing opt-outs and removals. With over 100 million personal listings removed, DeleteMe is your trusted privacy solution for online safety. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/CISO and use the promo code CISO at checkout. Again, the only way to get 20% off is to go to JoinDeleteMe.com/CISO and enter the code CISO.

One other quick note: the CISO Series has just launched a new podcast called Security You Should Know. We have more details about this at the end of the episode.

Nation-state groups hit organizations with Microsoft Windows zero-day

Researchers at Trend Micro discovered and reported this particular eight-year-old defect to Microsoft six months ago, but no remediations or fixes have arrived as of yet. This vulnerability does not yet even have a CVE number, but it allows attackers to execute hidden malicious commands due to the way Windows displays the contents of shortcut (LNK) files, also known as Shell Link files. According to the researchers' report, a link to which is included in the show notes, state-sponsored groups have been exploiting the zero-day since 2017, targeting governments, think tanks and organizations in the finance, cryptocurrency, telecom, military and energy sectors. This, again, according to Trend Micro.

CISA adds Nakivo vulnerability to KEV catalog

This most recent addition to the Known Exploited Vulnerabilities catalog affects Nakivo, i.e. N-A-K-I-V-O, specifically their Backup and Replication service, for which there is evidence of active exploitation. The vulnerability, which has a CVSS score of 8.6, is an absolute path traversal bug that could allow an unauthenticated attacker to read files on the target host, including configuration files, backups and credentials. It affects all versions of the Nakivo software prior to version 10. And of course federal civilian executive branch agencies are now required to apply the necessary mitigations by April 9.

Swiss telecom co. the latest victim of Hellcat's Jira campaign

Representatives from Ascom, the global telecommunications provider headquartered in Switzerland, have confirmed a cyberattack on their IT infrastructure in which its technical ticketing system was breached. This attack appears to be the work of a hacker group named Hellcat, which is busy targeting Jira servers worldwide using compromised credentials. A member of the hacking group allegedly told BleepingComputer that the Ascom attack resulted in theft of source code from multiple products, details about various projects, invoices, confidential documents and issues from the ticketing system. The vector for the attack was their Jira ticketing system, which has become a common attack method for the Hellcat hackers. Other companies who have suffered similar Jira-based attacks of late include Schneider Electric, Spanish telecom group Telefonica, French telecom company Orange Group, as well as British multinational carmaker Jaguar Land Rover.

Dark Crystal RAT targets Ukrainian defense via malicious Signal messages

Although cyber warfare is nothing new to the Ukraine war front, this new campaign is targeting defense sectors, specifically employees of enterprises of the defense industrial complex and individual representatives of the defense forces of Ukraine, with Dark Crystal RAT, also known as DCRat. According to the Computer Emergency Response Team of Ukraine (CERT-UA), the campaign uses malicious messages via the Signal app that contain supposed meeting minutes. "Some of these messages are sent from previously compromised Signal accounts so as to increase the likelihood of success of the attacks."

Make sure to join us later today at 3:30pm Eastern for our Week in Review show. Christina Shannon, CIO at KIK Consumer Products, will be our guest, providing her expert commentary on the news of the week. And we encourage participation and comments through our YouTube Live channel, so just go to the events page at cisoseries.com to register and be part of the conversation.

As a security practitioner, you will want to learn about new cybersecurity solutions on the market, but you don't want to get immediately sucked into the sales funnel. That's why we designed our new podcast, Security You Should Know. In 15 minutes you will get answers about how to prove the value of a specific vendor solution to company leadership, get pricing information and get answers to a bevy of questions posed by our expert security guests. You can check it out now at cisoseries.com.

I'm Steve Prentiss reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
