The CyberWire Daily Podcast 3.20.25
Ep 2269 | 3.20.25

Can’t escape RCE flaws.

Transcript

Veeam patches a critical vulnerability in its Backup & Replication software. A spyware data breach highlights ongoing risks. Clearview AI attempted to purchase sensitive data such as Social Security numbers and mug shots. The Netherlands’ parliament looks to reduce reliance on U.S. software firms. A Pennsylvania union notifies over 517,000 individuals of a data breach. Researchers discover a RansomHub affiliate deploying a new custom backdoor called Betruger. A new info-stealer spreads through game cheats and cracks. David Wiseman, Vice President of Secure Communications at BlackBerry, joins us to explore how organizations can effectively implement CISA’s encrypted communications guidelines. What to do when AI casually accuses you of murder?

Today is Thursday March 20th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Veeam patches a critical vulnerability in its Backup & Replication software.

Veeam has released patches for a critical vulnerability (CVE-2025-23120, CVSS 9.9) in its Backup & Replication software that allows remote code execution (RCE) by authenticated users. The flaw affects version 12.3.0.310 and earlier and is rooted in improper deserialization handling. The company urges users to update to version 12.3.1.

Cybersecurity firm watchTowr, which reported the issue, notes that Veeam’s reliance on a block-list for deserialization has led to recurring security gaps. The flaw is linked to prior RCE vulnerabilities (CVE-2024-40711 and CVE-2024-42455), which have been exploited in ransomware attacks. While authentication is required for exploitation, watchTowr warns that this requirement is a weak barrier. The firm also identified additional vulnerabilities, highlighting ongoing risks. Users should patch immediately to mitigate potential threats.

A spyware data breach highlights ongoing risks.

Ron Deibert, founder of the Citizen Lab, has led investigations into global spyware abuses. His new book, Chasing Shadows, details the rise of commercial surveillance and efforts to detect it. In an interview with Recorded Future’s The Record, Deibert explains how his team uncovers spyware by scanning network infrastructure and analyzing infected devices. He warns that spyware firms evolve to evade detection, and that many threats remain undiscovered.

Deibert discusses Citizen Lab’s findings on Pegasus spyware, including its use against Saudi journalist Jamal Khashoggi’s associates. He criticizes Western inaction on spyware regulation and private equity’s investment in surveillance firms. Deibert also warns that authoritarian and democratic governments alike misuse spyware. While detection methods improve, adversaries adapt. He stresses the need for regulation to curb abuses, as self-policing by spyware companies is insufficient.

Speaking of which, consumer spyware operation SpyX suffered a data breach in June 2024, exposing nearly two million accounts, including thousands of Apple users. The breach, unreported until now, highlights the persistent risks of consumer-grade spyware. SpyX and its clones, MSafely and SpyPhone, operate on Android and iOS, often using iCloud credentials to monitor victims.

Security expert Troy Hunt confirmed 17,000 plaintext Apple Account credentials in the leaked data, validating their authenticity. Google removed a related Chrome extension, citing spyware violations. SpyX’s operators did not respond to inquiries.

TechCrunch advises users to enable Google Play Protect, use two-factor authentication, and check Apple account security settings. Spyware removal guides are available, but disabling these apps may alert perpetrators, requiring careful handling. Apple was notified but has not commented.

Clearview AI attempted to purchase sensitive data such as Social Security numbers and mug shots.

Court records reveal that Clearview AI, while building its facial recognition database, also attempted to purchase sensitive data such as Social Security numbers and email addresses, according to 404 Media. The company, which scrapes images from social media, has stated its goal of making almost everyone identifiable. It has contracts with law enforcement but faces legal scrutiny and regulatory fines.

Privacy experts warn that Clearview’s use of booking photos and facial recognition could worsen racial bias, as the technology is less accurate for Black and brown individuals. Critics fear police may disproportionately target those with mugshots in search results.

Regulators and Congress are investigating the purchase of personal data. Clearview faces ongoing lawsuits, regulatory penalties, and financial setbacks, though it anticipates growth under a second Trump administration.

The Netherlands’ parliament looks to reduce reliance on U.S. software firms.

The Netherlands’ parliament approved motions urging reduced reliance on U.S. software firms, including creating a Dutch-controlled cloud platform. Lawmakers cite changing U.S. relations under Trump as a key concern. The motions also call for reevaluating Amazon Web Services for Dutch internet hosting and prioritizing European firms in public contracts. Amazon insists its cloud services allow full data control. The move follows European tech firms pushing for EU investment in local cloud infrastructure. Experts say this is an initial step toward digital sovereignty.

A Pennsylvania union notifies over 517,000 individuals of a data breach.

The Pennsylvania State Education Association (PSEA) is notifying over 517,000 individuals of a data breach from July 2024, where attackers stole personal, financial, and health data, including Social Security numbers and payment information. The Rhysida ransomware gang claimed responsibility, demanding a 20 BTC ransom. PSEA has not disclosed if it paid. Rhysida has previously attacked major institutions, including the British Library and Lurie Children’s Hospital. Affected individuals are offered free credit monitoring and urged to monitor their accounts.

Researchers discover a RansomHub affiliate deploying a new custom backdoor called Betruger.

Researchers at Symantec have discovered a RansomHub affiliate deploying a new custom backdoor called Betruger. This sophisticated malware streamlines ransomware attacks by consolidating multiple capabilities, reducing the attacker’s digital footprint and making detection harder. Betruger enables credential theft, keystroke logging, privilege escalation, and data exfiltration. Symantec has deployed adaptive and behavior-based protections. The malware highlights the evolving nature of Ransomware-as-a-Service (RaaS), reinforcing the need for strong security measures, regular system updates, and cybersecurity awareness training.

A new info-stealer spreads through game cheats and cracks.

A new information-stealing malware, Arcane, is targeting users by stealing VPN credentials, gaming accounts, messaging data, and browser information. Discovered by Kaspersky, Arcane is unrelated to Arcane Stealer V and emerged in November 2024. It primarily infects users in Russia, Belarus, and Kazakhstan—unusual for Russian-based cybercriminals, who typically avoid domestic targets.

Arcane spreads through YouTube videos promoting game cheats and cracks, tricking users into downloading malicious files. It disables Windows Defender protections and has evolved its distribution methods, including a fake downloader called ArcanaLoader, promoted via YouTube and Discord.

The malware steals credentials from VPNs, email clients, gaming platforms, cryptocurrency wallets, and browsers. It also takes screenshots and retrieves Wi-Fi passwords. Users are urged to avoid downloading pirated software and cheats.

What to do when AI casually accuses you of murder?

And finally, courtesy of our false accusations desk — Imagine casually asking ChatGPT about yourself, only to discover it has labeled you a child murderer. That’s exactly what happened to Norwegian man Arve Hjalmar Holmen, who was horrified when the AI falsely claimed he was imprisoned for killing two of his kids. Adding insult to injury, the chatbot mixed real details—his hometown, family size—with the fabricated crime, making the lie seem oddly credible.

Holmen and digital rights group Noyb say this is a clear violation of the GDPR, which requires data accuracy and correction rights. But OpenAI has argued it can’t fix individual errors—only block outputs. That means Holmen’s AI-generated horror story may still be lurking in ChatGPT’s training data.

This isn’t OpenAI’s first brush with defamation complaints. Past victims include an Australian mayor, a law professor, and a radio host. Now, Norway’s regulators might push OpenAI to overhaul its model—or risk another hefty EU fine.

It’s cold comfort at best, but the only thing that actually got murdered here was Mr. Holmen’s reputation.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.