Cybersecurity News: Stalkerware company breach, Microsoft Zero Day, Global Jira attack

In today’s cybersecurity news…

Stalkerware company SpyX suffers data breach

SpyX is a consumer-grade spyware operation, described as “mobile monitoring software for Android and Apple devices, ostensibly for granting parental control of a child’s phone.” It suffered a data breach in June 2024, but according to TechCrunch, “it had not been previously reported, and there is no indication that SpyX’s operators ever notified its customers or those targeted by the spyware.” The breach revealed that SpyX and two other related mobile apps, clones of SpyX, had records on almost two million people at the time of the breach, including thousands of Apple users.

(TechCrunch)

Canadian police appear to be using advanced commercial spyware

In additional spyware news, a new report from researchers at Citizen Lab, which is itself based in Toronto, reveals that the IP address of a spyware customer matches that of the general headquarters of the Ontario Provincial Police (OPP). The spyware in question is made by Paragon Solutions, which is owned by the Florida-based private equity firm AE Industrial Partners. A spokesperson for the OPP said in a statement that the agency is required to receive judicial authorization to intercept private communications, a step it takes only to “advance serious criminal investigations,” adding that the force “uses investigative tools and techniques in full compliance with the laws of Canada.”

(The Record)

Veeam patches backup and replication vulnerabilities

The defect, which has been assigned a CVE number and carries a CVSS score of 9.9, could allow for “remote code execution by authenticated domain users.” It affects numerous backup and replication versions in the 12.x range. According to cybersecurity firm watchTowr, which reported the vulnerability, it is “rooted in a broader issue within Veeam’s deserialization mechanism,” which, watchTowr says, the company has “failed to properly address.” watchTowr also points out that “while the exploitation of the new vulnerability requires for the attacker to be logged in, the authentication requirement is fairly weak.”

(SecurityWeek)

Subsea cables can listen for potential sabotage

Following up on our coverage of internet cable sabotage, ostensibly by dragging ships’ anchors across them, technology is now being refined to detect people or machinery lurking near a cable, anchors being dragged toward it along the ocean floor, the sound of anchors being dropped into the water from ships, and even “the approximate size of a vessel passing above a subsea cable, as well as its location and, in some circumstances, its direction of travel.” The technique relies on pulses of light sent along a fiber-optic strand and the tiny reflections that bounce back along the same strand, which change with temperature, vibration or physical disturbance of the cable itself. Although this is a relatively new and evolving technique, it could give subsea cable operators a better chance of protecting against sabotage, especially given that 95 percent of all internet traffic travels through these cables at some point.

(BBC News)

Huge thanks to our sponsor, DeleteMe

Data brokers bypass online safety measures to sell your name, address, and social security number to scammers.

DeleteMe scours the web to find – and remove – your private information before it gets into the wrong hands by scanning for exposed information, and completing opt-outs and removals.

With over 100 Million personal listings removed, DeleteMe is your trusted privacy solution for online safety.

Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/CISO and use promo code CISO at checkout.

Nation-state groups hit organizations with Microsoft Windows zero-day

Researchers at Trend Micro “discovered and reported this particular eight-year-old defect to Microsoft six months ago, but no remediations or fixes have arrived as of yet.” The vulnerability does not yet have a CVE number, but it “allows attackers to execute hidden malicious commands due to the way Windows displays the contents of shortcut .lnk files,” also known as shell link files. According to the researchers’ report, a link to which is included in the show notes, state-sponsored groups have been exploiting the zero-day since 2017, targeting governments, think tanks and organizations in the finance, cryptocurrency, telecom, military and energy sectors.

(Cyberscoop and Trend Micro)

CISA Adds NAKIVO vulnerability to KEV Catalog

This most recent addition to the Known Exploited Vulnerabilities catalog affects NAKIVO backup and replication, for which there is evidence of active exploitation. The vulnerability, which has a CVSS score of 8.6, is “an absolute path traversal bug that could allow an unauthenticated attacker to read files on the target host, including configuration files, backups, and credentials.” It affects all versions of the software prior to version 10.11.3. “Federal Civilian Executive Branch agencies are required to apply the necessary mitigations by April 9, 2025.”

(The Hacker News)

Swiss telecom the latest victim of HellCat’s Jira campaign

Representatives from Ascom, the global telecommunications provider headquartered in Switzerland, have confirmed a cyberattack on its IT infrastructure in which its technical ticketing system was breached. This appears to be the work of a hacker group named HellCat, which is busy targeting Jira servers worldwide using compromised credentials. A member of the group allegedly told BleepingComputer that the Ascom attack resulted in theft of source code for multiple products, details about various projects, invoices, confidential documents, and issues from the ticketing system. The vector was Ascom’s Jira ticketing system, and Jira servers have become a common way in for the HellCat hackers. Other companies that have suffered similar Jira-based attacks of late include Schneider Electric, Spanish telecom group Telefónica, French telecom company Orange Group, and British multinational car maker Jaguar Land Rover.

(BleepingComputer)

Dark Crystal RAT targets Ukrainian defense via malicious Signal messages

Although cyberwarfare is nothing new to the Ukraine war front, this new campaign is targeting defense sectors, specifically employees of enterprises of the defense-industrial complex and individual representatives of the Defense Forces of Ukraine with Dark Crystal RAT (aka DCRat). According to the Computer Emergency Response Team of Ukraine (CERT-UA), the campaign “uses malicious messages via Signal app that contain supposed meeting minutes. Some of these messages are sent from previously compromised Signal accounts so as to increase the likelihood of success of the attacks.”

(The Hacker News)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.