Dave Bittner
You're listening to the Cyberwire network.
David Weissman
Powered by N2K.
Dave Bittner
Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door: the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs, and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.

Veeam patches a critical vulnerability in its backup and replication software. A spyware data breach highlights ongoing risks. Clearview AI attempted to purchase sensitive data such as Social Security numbers and mugshots. The Netherlands Parliament looks to reduce reliance on US software firms. A Pennsylvania union notifies over half a million individuals of a data breach. Researchers discover a RansomHub affiliate deploying a new custom backdoor called Betruger. A new info stealer spreads through game cheats and cracks. Our guest is David Weissman, vice president of secure communications at BlackBerry, joining us to explore how organizations can effectively implement CISA's encrypted communications guidelines. And what to do when AI casually accuses you of murder.

It's Thursday, March 20, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us. Veeam has released patches for a critical vulnerability with a CVSS score of 9.9 in its backup and replication software that allows remote code execution by authenticated users. The flaw is rooted in improper deserialization handling. The company urges users to update to the latest version.
Cybersecurity firm watchTowr, which reported the issue, notes that Veeam's reliance on a blocklist for deserialization has led to recurring security gaps. The flaw is linked to prior RCE vulnerabilities, which have been exploited in ransomware attacks. While authentication is required for exploitation, watchTowr warns it is weak. The firm also identified additional vulnerabilities, highlighting ongoing risks. Users should patch immediately to mitigate potential threats.

Ron Deibert, founder of the Citizen Lab, has led investigations into global spyware abuses. His new book, Chasing Shadows, details the rise of commercial surveillance and efforts to detect it. In an interview with Recorded Future's The Record, Deibert explains how his team uncovers spyware by scanning network infrastructure and analyzing infected devices. He warns that spyware firms evolve to evade detection and that many threats remain undiscovered. Deibert discusses Citizen Lab's findings on Pegasus software, including its use against Saudi journalist Jamal Khashoggi's associates. He criticizes Western inaction on spyware regulation and private equity's investment in surveillance firms. Deibert also warns that authoritarian and democratic governments alike misuse spyware; while detection methods improve, adversaries adapt. He stresses the need for regulation to curb abuses, as self-policing by spyware companies is insufficient.

Speaking of which, consumer spyware operation SpyX suffered a data breach in June of last year, exposing nearly 2 million accounts, including thousands of Apple users. The breach, unreported until now, highlights the persistent risks of consumer-grade spyware. SpyX and its clones Msafely and SpyPhone operate on Android and iOS, often using iCloud credentials to monitor victims. Security expert Troy Hunt confirmed 17,000 plaintext Apple account credentials in the leaked data, validating their authenticity.
Google removed a related Chrome extension, citing spyware violations. SpyX's operators did not respond to inquiries. TechCrunch advises users to enable Google Play Protect, use two-factor authentication, and check Apple account security settings. Spyware removal guides are available, but disabling these apps may alert perpetrators, requiring careful handling. Apple was notified but has not commented.

Court records reveal that Clearview AI, while building its facial recognition database, also attempted to purchase sensitive data such as Social Security numbers and email addresses, according to 404 Media. The company, which scrapes images from social media, has stated its goal of making almost everyone identifiable. It has contracts with law enforcement but faces legal scrutiny and regulatory fines. Privacy experts warn that Clearview's use of booking photos and facial recognition could worsen racial bias, as the technology is less accurate for Black and brown individuals. Critics fear police may disproportionately target those with mugshots in search results. Regulators and Congress are investigating the purchase of personal data. Clearview faces ongoing lawsuits, regulatory penalties, and financial setbacks, although it anticipates growth under a second Trump administration.

The Netherlands Parliament approved motions urging reduced reliance on US software firms, including creating a Dutch-controlled cloud platform. Lawmakers cite changing U.S. relations under President Trump as a key concern. The motions also call for re-evaluating Amazon Web Services for Dutch Internet hosting and prioritizing European firms in public contracts. Amazon insists its cloud services allow full data control. This move follows European tech firms pushing for EU investment in local cloud infrastructure. Experts say this is an initial step toward digital sovereignty.
The Pennsylvania State Education Association is notifying over 517,000 individuals of a data breach from July of last year, where attackers stole personal, financial, and health data, including Social Security numbers and payment information. The Rhysida ransomware gang claimed responsibility, demanding a 20 bitcoin ransom. PSEA has not disclosed if it paid. Rhysida has previously attacked major institutions, including the British Library and Lurie Children's Hospital. Affected individuals are offered free credit monitoring and urged to monitor their accounts.

Researchers at Symantec have discovered a RansomHub affiliate deploying a new custom backdoor called Betruger. This sophisticated malware streamlines ransomware attacks by consolidating multiple capabilities, reducing the attacker's digital footprint and making detection harder. Betruger enables credential theft, keystroke logging, privilege escalation, and data exfiltration. Symantec has deployed adaptive and behavior-based protections. The malware highlights the evolving nature of ransomware as a service, reinforcing the need for strong security measures, regular system updates, and cybersecurity awareness training.

A new information-stealing malware called Arcane is targeting users by stealing VPN credentials, gaming accounts, messaging data, and browser information. Discovered by Kaspersky, Arcane is unrelated to Arcane Stealer V5 and emerged in November of 2024. It primarily infects users in Russia, Belarus, and Kazakhstan, unusual for Russia-based cybercriminals, who typically avoid domestic targets. Arcane spreads through YouTube videos promoting game cheats and cracks, tricking users into downloading malicious files. It disables Windows Defender protections and has evolved its distribution methods, including a fake downloader called ArcanaLoader, promoted via YouTube and Discord. The malware steals credentials from VPNs, email clients, gaming platforms, cryptocurrency wallets, and browsers.
It also takes screenshots and retrieves Wi-Fi passwords. Users are urged to avoid downloading pirated software and cheats. Of course, you already know to do that.

Coming up after the break, my conversation with David Weissman from BlackBerry. We're discussing how organizations can effectively implement CISA's encrypted communications guidelines, and what to do when AI casually accuses you of murder. Stay with us.

We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 Sponsored Job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

David Weissman is vice president of secure communications at BlackBerry. I recently interviewed him for our Caveat podcast, where we discussed implementing CISA's encrypted communications guidelines.
David Weissman
I think there's two sets of guidelines, and they're both actually pretty pragmatic. So the first is for telecom carriers, networking equipment organizations, and the second is more for the general public. So maybe we kind of focus on that second one for a moment. Sure. And what they've really done is summarize the risk of Salt Typhoon, which is: any typical phone call that you make, any use of SMS, whether for communicating with someone or using it as a tool to validate identity, is at risk at this point in time. So they recommend that people move to encrypted applications, end-to-end encryption. For the general public, they recommend using some of the popular free applications people are aware of, things like Signal, WhatsApp, those types of things. And then they also give guidance on, you know, what are some basic security configuration settings you should put on your phone, whether you have an iOS phone or an Android phone. And so, you know, I think what they provided is very consumable for the most part. There's some areas getting into authentication that, you know, maybe you probably need a bit more of a tech background to really understand what they're talking about. But for the most part, you know, they're providing solid advice that I think, you know, the typical person on the street can take advantage of.
Dave Bittner
Yeah, that's what I wanted to dig in with you a little bit on. I mean, from your perspective, how achievable is this for folks who are, you know, just going about their lives trying to keep their messaging private? Are these apps within their reach?
David Weissman
I think if we look at it from just an individual keeping their data private, and by their data, because we need to talk about this more in a moment, I really mean what they're saying to people, what they're sharing, I think it's within reach. I think the vast majority of people, if they're already doing texting, they can use a messaging app. And I think by doing that they are increasing their own levels of privacy for their information. But at the same time they need to be aware of, you know, it's a public system, anyone can sign up. You still need to really think about, how do I know for sure who I'm talking to? Is that really the right person? You still have that risk. You had that risk before. And also it's free. So what's the cost? Well, the cost is you're giving up control over your communications metadata, who you're communicating with, you know, different sets of information about yourself. Even though they're protecting what you're actually saying, there's a lot of information around that.
Dave Bittner
How do you recommend that folks go about choosing what app they want to use here? I mean, I think for a lot of folks who are coming from just regular text messaging, SMS messaging on their phone, which is sort of effortlessly cross platform and interoperable, not all of these platforms talk to each other.
David Weissman
For the most part they don't. That's starting to evolve. There's some new regulations coming out of the EU that are pushing these applications, once they reach a certain size, that they have to support interconnectivity between the platforms. But that's a new emerging area. I think it's going to still take a few years, see how that plays out. But I think for most people, the answer to the question "which one should I use?" is: which one are their family members and their friends already using? And I think the other thing to think about is you probably want to segregate what you might use for business from what you might want to use personally. Just as a good data hygiene technique to, one, just keep yourself from accidentally sending things to the wrong people. But also keeping your business information, your company information separate from your personal information is just a good practice in general.
Dave Bittner
Yeah, how about people protecting themselves from things like identity spoofing, deepfakes, things like that. Any recommendations there?
David Weissman
Yeah, there's some in the CISA guide that really have to do with authentication techniques and using things like, you know, hardware devices and things. And that's the part of the advice that I think the vast majority of people are going to find difficult to act on. Now, the part of it is, hey, don't use just a simple text message for authentication. So there are, I think people are becoming more comfortable with authentication apps where you scan the QR code, you get a two-factor authentication. But a lot of times that's driven by, it's not necessarily the consumer's choice, that's driven by the website or the application they're using. But that's still the biggest risk, I think, that people are still exposed to. The end-to-end encryption does a lot to protect the privacy of data. But the more people start to use these applications, the more exposed they're going to be to spoofing attacks. I think even if you use popular apps today, you get messages that say, hey, I found your number in my book, who are you again? Or something along those lines. Those happen even in these encrypted applications. So that's a risk. And then the other risk is, particularly with the Salt Typhoon and the information that's already been exposed, when you use AI techniques, it's now going to be, even going forward, it's going to be easier for these to be very compelling. And what I mean by that is if you want to target a particular person, the data is available to identify what are their communication patterns, who do they typically message, what time of day might they message these people? And if you're trying to do an attack based on that, if you mimic those patterns, the person's going to be much more open to accepting that I'm really talking to who I think I'm talking with.
And then you layer on the next level of that, which is, since the Salt Typhoon was able to actually read SMS messages, actually listen in to voice calls, that data is there forever now, and people don't really typically change their phone numbers. If you have someone's number, it's probably going to be good for a decade or more. And so since the data was already there, the AI models can take that. And not just when you engage and who you engage with, but the tone of your message, how do you text, or your voice, so it sounds like you if you leave a message. And all of these things mean that people are just going to have to be much more skeptical if anything seems off at all, that they're communicating with who they think they are. And that's something the advice of moving to an encrypted commercial app doesn't really help.
Dave Bittner
That's David Weissman from BlackBerry. Be sure to check out the Caveat podcast wherever you get your favorite podcasts.
Tired of investigation tools that only do one thing at a time? Spending more time juggling contracts with data vendors than actually investigating? Maltego changes that for good. Get one investigation platform, one bill to pay, and all the data you need in one place. It comes with curated data and a full suite of tools to handle any digital investigation. Connect the dots so fast cybercriminals won't even have time to Google what Maltego is. See the platform in action at maltego.com.

And finally, courtesy of our False Accusations desk, imagine casually asking ChatGPT about yourself, only to discover it has labeled you as a child murderer. That's exactly what happened to Norwegian man Arve Hjalmar Holmen, who was horrified when the AI falsely claimed he was imprisoned for killing two of his kids. Adding insult to injury, the chatbot mixed real details like his hometown and his family size with the fabricated crime, making the lie seem oddly credible. Holmen and a digital rights group say this is a clear violation of GDPR, which requires data accuracy and correction rights. But OpenAI has argued it can't fix individual errors, only block outputs. That means Holmen's AI-generated horror story may still be lurking in ChatGPT's training data. This isn't OpenAI's first brush with defamation complaints. Past victims include an Australian mayor, a law professor, and a radio host. Now Norway's regulators might push OpenAI to overhaul its model or risk another hefty EU fine. It's cold comfort at best, but the only thing that actually got murdered here was Mr. Holmen's reputation.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Hey, everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now, at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
CyberWire Daily: Episode Summary — "Can’t Escape RCE Flaws"
Release Date: March 20, 2025
Host: N2K Networks
Guest: David Weissman, Vice President of Secure Communications at BlackBerry
At the outset, the episode highlights a significant security update from Veeam. The company has addressed a critical vulnerability (CVSS score: 9.9) in its backup and replication software that previously allowed remote code execution (RCE) by authenticated users.
[02:00] Dave Bittner: "Veeam has released patches for a critical vulnerability with a CVSS score of 9.9 in its backup and replication software that allows remote code execution by authenticated users."
Key Points:
The podcast delves into recent spyware operations and data breaches that underscore the persistent risks in the cybersecurity landscape.
a. SpyX Data Breach
A significant breach in the consumer spyware sector is discussed, where SpyX exposed nearly 2 million accounts, including thousands of Apple users. The breach remained unreported until recently, emphasizing the vulnerabilities of consumer-grade spyware.
[06:00] Dave Bittner: "A spyware data breach highlights ongoing risks... Security expert Troy Hunt confirmed 17,000 plain text Apple account credentials in the leaked data."
Recommendations:
b. Clearview AI’s Data Acquisition Attempts
Clearview AI is under scrutiny for attempting to purchase sensitive personal data, including Social Security numbers and mugshots, to enhance its facial recognition database.
[09:50] Dave Bittner: "Court records reveal that Clearview AI... also attempted to purchase sensitive data such as Social Security numbers and email addresses."
Concerns:
The Netherlands Parliament is taking steps to reduce reliance on U.S. software firms, aiming to bolster national digital sovereignty.
[11:30] Dave Bittner: "The Netherlands Parliament approved motions urging reduced reliance on US Software firms... creating a Dutch controlled cloud platform."
Highlights:
A significant data breach affecting over half a million individuals within the Pennsylvania State Education Association (PSEA) is discussed, with the Rhysida ransomware gang claiming responsibility.
[13:00] Dave Bittner: "The Pennsylvania State Education Association is notifying over 517,000 individuals of a data breach... Rhysida has previously attacked major institutions."
Details:
The episode covers the discovery of sophisticated malware variants that are complicating cybersecurity defenses.
a. Betruger Backdoor by RansomHub
Symantec researchers identified "Betruger," a custom backdoor deployed by a RansomHub affiliate, designed to streamline ransomware attacks.
[14:30] Dave Bittner: "Researchers at Symantec have discovered a RansomHub affiliate deploying a new custom backdoor called Betruger."
Capabilities of Betruger:
b. Arcane Information Stealer Malware
Kaspersky uncovered "Arcane," an info-stealer targeting VPN credentials, gaming accounts, and more, primarily affecting users in Russia, Belarus, and Kazakhstan.
[16:00] Dave Bittner: "A new information stealing malware called Arcane is targeting users by stealing VPN credentials, gaming accounts, messaging data and browser information."
Distribution Methods:
The centerpiece of the episode is an in-depth discussion with David Weissman from BlackBerry, focusing on the implementation of the Cybersecurity and Infrastructure Security Agency (CISA) guidelines for encrypted communications.
[13:45] David Weissman: "I think there are two sets of guidelines... The first is for telecom carriers, networking equipment organizations, and the second is more for the general public."
Key Insights:
For the General Public:
[13:45] David Weissman: "They recommend using some of the popular free applications... like Signal WhatsApp, those types of things."
Security Configurations:
[13:45] David Weissman: "They also give guidance on... basic security configuration settings you should put on your phone."
Challenges and Recommendations:
User Adoption:
[15:35] David Weissman: "I think the vast majority of people, if they're already doing texting, they can use a messaging app... increasing their own levels of privacy."
Advanced Threats:
[18:08] David Weissman: "People are just going to have to be much more skeptical if anything seems off at all, that they're communicating with who they think they are."
The episode concludes with a discussion on the ramifications of AI models generating false and defamatory statements about individuals, citing the case of Norwegian man Arve Hjalmar Holmen.
[20:30] Dave Bittner: "Imagine casually asking ChatGPT about yourself, only to discover it has labeled you as a child murderer... a clear violation of GDPR."
Implications:
Legal and Ethical Concerns:
Regulatory Actions:
Conclusion: The episode underscores the relentless evolution of cyber threats, from sophisticated RCE vulnerabilities and spyware breaches to the challenges posed by AI-generated misinformation. Through expert insights and detailed analyses, "CyberWire Daily" delivers a comprehensive overview of the current cybersecurity landscape, emphasizing the need for proactive measures and regulatory vigilance.
For more detailed information on today's stories, visit The CyberWire Daily Briefing. Your feedback is valuable—share your thoughts and help us bring you the insights you need to stay ahead in cybersecurity.