Daily Brief


Total articles found: 11834

Checks for new stories every ~15 minutes

2025-03-20 23:32:48 bleepingcomputer MALWARE Critical RCE Vulnerability Patched in Veeam Backup Software
Veeam has addressed a severe remote code execution vulnerability tagged CVE-2025-23120 in its Backup & Replication software, affecting domain-joined systems. The security flaw involves a deserialization issue in specific .NET classes, allowing potential attackers to remotely execute malicious code. The vulnerability predominantly affects the Veeam Backup & Replication version 12.3.0.310 and all prior version 12 builds, with a patch issued in version 12.3.1. Security research group watchTowr Labs discovered the flaw, noting Veeam's prior ineffective mitigation strategies, which involved blacklisting exploitable classes or objects. Ransomware gangs have previously targeted Veeam Backup & Replication servers, emphasizing the criticality of this vulnerability due to its potential to facilitate data theft and hinder data restoration. There are no current reports of this flaw being exploited in the wild, but detailed disclosures may prompt imminent threat actor exploration and exploits. Veeam strongly advises all users to promptly upgrade to the latest patched version and to adhere to best practice recommendations, including isolating backup servers from Windows domains.
2025-03-20 23:07:54 theregister NATION STATE ACTIVITY Defense Engineer Guilty of Unauthorized Classified Docs Retention
Gokhan Gun, a U.S. Department of Defense electrical engineer, pleaded guilty to unauthorized retention of classified material. Gun, who held top-secret security clearance, printed 256 documents, totaling 3,412 pages, containing sensitive information. The FBI arrested Gun as he was preparing to leave for a trip to Mexico, with top secret documents found in his possession. He had been specifically trained on the secure handling and storage of classified documents, which he neglected by removing them from government premises. The incident occurred over a span from May to August 2024, with Gun printing many documents after normal working hours. Searches were conducted on Gun’s homes, vehicle, and media storage devices under FBI warrants. Gun faces up to five years in prison with sentencing scheduled for June 17. His actions raise concerns about potential security lapses and the mishandling of classified information within sensitive government sectors.
2025-03-20 21:18:11 bleepingcomputer CYBERCRIME Urgent CISA Warning on Exploited NAKIVO Backup Software Flaw
CISA has issued an alert to U.S. federal agencies regarding a critical vulnerability in NAKIVO's Backup & Replication software, urging immediate security measures. The vulnerability, identified as CVE-2024-48248, allows unauthenticated attackers to read sensitive files on impacted devices through absolute path traversal. Discovered by cybersecurity firm watchTowr, the flaw can lead to data breaches by exposing backups, credentials, and configuration files. Despite NAKIVO releasing a fix in November with Backup & Replication v11.0.0.88174, the flaw was not initially disclosed as actively exploited; however, recent insights have led CISA to classify it as such. Federal agencies have a three-week deadline until April 9 to patch the vulnerability, as per the Binding Operational Directive (BOD) 22-01. NAKIVO has a significant global presence with over 30,000 customers in 183 countries, underscoring the wide potential impact of the exploit. All organizations, not just federal ones, are advised to promptly patch their systems to mitigate potential risks posed by this security flaw.
2025-03-20 19:58:10 bleepingcomputer MALWARE Ransomware Hidden in VSCode Extensions Exposes Security Gaps
Two VSCode Marketplace extensions, "ahban.shiba" and "ahban.cychelloworld," were found to contain early-stage ransomware. These extensions bypassed Microsoft's review processes and were available for download; "ahban.cychelloworld" was uploaded on October 27, 2024, and "ahban.shiba" on February 17, 2025. The ransomware, still under development, targeted files in a specific test directory and displayed a mock ransom demand, suggesting a testing or proof-of-concept stage. ReversingLabs discovered the malicious code and alerted Microsoft, leading to the removal of the extensions from the VSCode Marketplace. Security researcher Itay Kruk indicated that their notifications about the ransomware initially went unanswered by Microsoft, pointing to potential oversight issues. This incident highlights significant lapses in Microsoft's extension review process, particularly because earlier updates containing the ransomware went undetected. Despite Microsoft's proactive removals in other instances, the delayed response here underscores challenges in its security practices and review prioritization.
2025-03-20 19:06:28 bleepingcomputer CYBERCRIME Attackers Exploit Cisco Utility Flaws for Unauthorized Access
Critical vulnerabilities in Cisco Smart Licensing Utility (CSLU) are now being actively exploited. Unpatched CSLU instances allow attackers to access systems with administrative privileges due to a hard-coded backdoor account. Two vulnerabilities, identified as CVE-2024-20439 and CVE-2024-20440, enable remote administrative access and sensitive data leakage respectively. Attackers can exploit these vulnerabilities by sending crafted HTTP requests or by using the hard-coded static password to gain access. The observed exploitation attempts chained these flaws with other known vulnerabilities affecting different devices. Cisco initially patched these flaws in September, but recent discoveries indicate ongoing exploitation attempts. Nicholas Starke published a detailed write-up on the vulnerability shortly after Cisco's advisory, which might have aided attackers. Cisco has previously addressed similar backdoor vulnerabilities in other products, indicating recurring issues with hard-coded credentials.
2025-03-20 18:37:44 theregister MALWARE Veeam Faces Criticism for Handling of Severe RCE Vulnerability
Veeam patched a critical Remote Code Execution (RCE) vulnerability, CVE-2025-23120, with a severity score of 9.9, affecting its Backup and Replication software, version 12.3.0.310 and earlier. The vulnerability can be exploited by any authenticated domain user if the Veeam server is part of the domain, despite Veeam's claim that joining a domain goes against its best practices. Critics, including researchers from watchTowr and Rapid7, argue that the authentication requirement is weak and that Veeam's software is frequently targeted by ransomware attacks. Over 20 percent of incident response cases handled by Rapid7 in 2024 involved attacks exploiting Veeam software, usually after initial network footholds were established by attackers. Veeam uses a blocklist to mitigate deserialization vulnerabilities, which has been criticized as insufficient compared to an allowlist, with researchers demonstrating how blocklist-based protections can be bypassed. Researcher Piotr Bazydlo criticized Veeam for assigning a single CVE identity to the bug despite discovering two separate gadgets that could lead to RCE, indicating potential oversight in addressing the full scope of the vulnerability. The criticism extends to Veeam’s approach to security updates, with suggestions that relying on updating a blocklist is reactive and consistently behind attacker capabilities.
2025-03-20 16:43:25 bleepingcomputer MALWARE Betruger Backdoor Empowers RansomHub Ransomware Attacks
A custom backdoor named Betruger has been linked to RansomHub ransomware operations, offering a range of malicious capabilities. Betruger aids in espionage activities like keylogging, credential dumping, network scanning, and other pre-ransomware deployment functions. Unlike typical ransomware attacks that rely on publicly available tools, Betruger is engineered to perform multiple malicious functions to streamline attacks. The malware disguises itself using filenames similar to legitimate mailing apps, such as 'mailer.exe' and 'turbomailer.exe'. RansomHub, utilizing Betruger, emerged as a major player in ransomware-as-a-service, targeting high-profile entities across various sectors including healthcare and government. Symantec's analysis suggests that the adoption of custom tools like Betruger signifies a strategic evolution in ransomware tactics. Although the primary function of most ransomware is data encryption for extortion, RansomHub has been more focused on data theft and extortion without necessarily encrypting data.
2025-03-20 16:28:19 bleepingcomputer MISCELLANEOUS UK's NCSC Sets 2035 Deadline for Quantum Cryptography Adoption
The UK's National Cyber Security Centre (NCSC) has issued guidelines for critical organizations to migrate to post-quantum cryptography (PQC) by 2035. The directive is aimed at government agencies, large enterprises, and critical infrastructure operators to protect against quantum computing threats. NCSC's guidelines include a structured migration plan with specific milestones and emphasize adopting NIST-approved PQC algorithms. These algorithms include ML-KEM, ML-DSA, and SLH-DSA, with HQC selected as an official backup algorithm. The guidance highlights the importance of upgrading security systems in response to advancing quantum technologies to maintain data security. Challenges identified in the migration process include issues with legacy systems, the need for specialized expertise, and complexities in the supply chain. The UK plans to introduce a pilot scheme to assist organizations with the migration by providing access to cryptography specialists for planning and execution. This initiative aligns with similar timelines set by the United States for federal systems through the National Security Memorandum 10 (NSM-10).
2025-03-20 15:49:03 thehackernews MALWARE YouTube Game Cheat Videos Distribute New Arcane Stealer Malware
YouTube videos offering game cheats have been identified distributing a new type of stealer malware called Arcane, primarily among Russian-speaking users. Kaspersky's research shows that Arcane targets sensitive data, including VPN details, network utilities, and browser stored information like passwords and cookies. The malware spreads through password-protected archives linked in YouTube videos, with execution facilitated by batch files and PowerShell, which also disables Windows SmartScreen protections. Arcane not only gathers login credentials and system data but also collects screenshots, lists running processes, and Wi-Fi network passwords. The stealer utilizes the Data Protection API (DPAPI) to decrypt sensitive browser data and employs a unique utility, Xaitax, for cracking browser encryption keys. Recently, the attackers have introduced ArcanaLoader, promoted as a game cheat download tool, which further distributes the malware. This campaign has been primarily observed in Russia, Belarus, and Kazakhstan, reflecting targeted cybercriminal strategies in these regions. The flexibility in tool and method updates by the threat actors highlights their adaptability and focus on continuous malware evolution.
2025-03-20 14:59:12 bleepingcomputer MALWARE Critical Remote Code Execution Flaw Found in WP Ghost Plugin
WP Ghost, a popular WordPress security plugin, contains a critical flaw that allows potential remote code execution. The vulnerability, identified as CVE-2025-26909, affects all WP Ghost versions up to 5.4.01. The flaw is due to insufficient input validation in the "showFile()" function, leading to possible arbitrary file inclusion. This vulnerability leads to Remote Code Execution depending on the server setup, specifically when WP Ghost's "Change Paths" feature is in Lite or Ghost mode. Even without RCE, the flaw could facilitate dangerous actions like information disclosure and session hijacking. The issue was first reported by researcher Dimas Maulana, with a subsequent fix released in WP Ghost versions 5.4.02 and 5.4.03. Users are advised to update their WP Ghost plugin immediately to mitigate the risk associated with this vulnerability.
2025-03-20 14:35:54 bleepingcomputer CYBERCRIME GitHub Action Attack Exposes Secrets Across Hundreds of Repos
A supply chain attack on GitHub Action tj-actions/changed-files exposed secrets in 218 out of 23,000 repositories. The malicious commit added on March 14, 2025, was designed to extract CI/CD secrets from repositories. Publicly accessible workflow logs allowed unauthorized reading of exposed secrets. The initial breach may trace back to another supply chain attack on "reviewdog/action-setup@v1", jeopardizing a GitHub personal access token. During the compromised period, 5,416 repositories across 4,072 organizations used the affected GitHub Action. Only 218 repositories actually printed secrets to console logs; others avoided exposure by adhering to best practices. Exposed secrets primarily included GitHub tokens that expire quickly, but some included longer-lived credentials for DockerHub, npm, and AWS. Users of tj-actions are advised to review security practices and rotate exposed credentials immediately.
2025-03-20 14:08:17 bleepingcomputer MISCELLANEOUS Evolving From Annual Pen Tests to Continuous Security Testing
Annual penetration tests may be insufficient due to the rapid pace of development and frequent deployment of new features in applications. Verizon’s 2024 Data Breach Investigation Report highlights that gaps in security testing contribute to data breaches, with exploited vulnerabilities in web applications being a significant issue. Continuous Penetration Testing as a Service (PTaaS) aligns better with agile development practices by integrating continuous security assessments throughout the development lifecycle. PTaaS not only identifies vulnerabilities but also facilitates rapid remediation by enhancing collaboration between security teams and developers. Transitioning to continuous testing demands breaking down silos between security, development, and operations teams and establishing new workflows for quick vulnerability identification and remediation. Organizations should seek PTaaS solutions that integrate with their existing development tools, offer real-time dashboards, and provide automated scanning with direct communication channels. Continuous penetration testing improves both compliance and security posture by providing thorough documentation and regular updates, also encouraging ongoing adjustments to security protocols.
2025-03-20 13:53:29 thehackernews MALWARE Veeam and IBM Patch Critical Vulnerabilities in Key Systems
Veeam has issued security updates for a critical flaw in its Backup & Replication software, capable of remote code execution. The vulnerability, identified as CVE-2025-23120 with a CVSS score of 9.9, affects versions up to 12.3.0.310. The flaw was discovered by security researcher Piotr Bazydlo, and is due to improper handling in the deserialization process in Veeam's software. IBM has concurrently released patches for two critical vulnerabilities in its AIX operating systems that could allow command execution. Both Veeam and IBM have advised users to apply these patches urgently to mitigate potential exploitation risks. No evidence currently suggests these flaws have been exploited in the wild, but the severity of the risks they pose necessitates immediate action.
2025-03-20 13:44:45 bleepingcomputer CYBERCRIME HellCat Hackers Launch Global Jira Platform Cyberattacks
Swiss telecommunications firm Ascom confirmed a cyberattack by HellCat hackers targeting its Jira servers. The breach involved theft of about 44GB of data spanning source code, project details, and internal documents. Despite the breach of Ascom's ticketing system, the incident reportedly did not affect company operations, and no customer or partner action was necessary. HellCat's recent activities also include attacks on the Jira systems of major companies like Schneider Electric, Telefónica, and Jaguar Land Rover. In several cases, HellCat used compromised credentials acquired from third-party breaches to access Jira servers. Notably, Jira servers have been highlighted as valuable targets for cybercriminals due to the extensive sensitive information they host. The breach incidents underline the importance of regular credential rotation and robust cyber defenses to mitigate such risks.
2025-03-20 13:37:13 theregister MISCELLANEOUS Research Highlights Key Defenses Against Software Supply Chain Attacks
A new preprint paper from North Carolina State University and Yahoo! focuses on mitigating software supply chain risks. It emphasizes implementing role-based access control, system monitoring, and boundary protection. The study examines recent attacks such as SolarWinds, Log4j, and XZ Utils to extract practical defense strategies. The authors suggest it is challenging for organizations to select appropriate tools from the diverse frameworks available. They analyzed 106 incident reports, mapping them to 203 MITRE attack techniques, to develop a prioritized list of mitigation tasks. A newly created "starter kit" by the researchers aims to integrate recommendations from various authoritative frameworks. The kit highlights crucial tasks missing from existing frameworks, identifying areas that remain vulnerable to attacks despite current measures. Future framework revisions are planned to close these identified gaps in supply chain security strategies.