Daily News Update: Thursday, March 20, 2025 (Australia/Melbourne)

Arcane Infostealer Targeting YouTube and Discord Users

A new information-stealing malware called Arcane is targeting users via game cheats promoted on YouTube and Discord. The malware steals a broad range of user data, including credentials for VPN accounts, gaming clients, and messaging apps, as well as information stored in web browsers.

The Arcane campaign began in November 2024, with most infections occurring in Russia, Belarus, and Kazakhstan. The malware is distributed through password-protected archives downloaded from links in YouTube videos. These archives contain a 'start.bat' script that fetches a second password-protected archive with malicious executables.

Arcane profiles infected systems, stealing hardware and software details, and targets account data, settings, and configuration files from various apps, including VPN clients, messaging apps, gaming clients, and cryptocurrency wallets. It also captures screenshots and retrieves saved Wi-Fi network passwords.

Kaspersky notes that Arcane's broad data theft capabilities make it stand out in the infostealer landscape.

Bleeping Computer | "New Arcane infostealer infects YouTube, Discord users via game cheats"


Signal Spear-Phishing Attacks Targeting Ukrainian Military

Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about targeted attacks using compromised Signal accounts to deliver malware to employees of defense industry firms and members of the Ukrainian army. These attacks, which began in March 2025, involve sending Signal messages containing archives disguised as meeting reports.

The archives contain a PDF lure and an executable file. The executable is identified as the DarkTortilla cryptor/loader, which decrypts and executes the Dark Crystal RAT (DCRAT). This activity is tracked under UAC-0200, a threat cluster known for similar attacks since June 2024.

"Starting in February 2025, the bait messages have shifted their focus to topics related to UAVs, electronic warfare systems, and other military technologies."

Signal users are advised to disable automatic downloads, scrutinize messages, regularly check linked devices, update their apps, and enable two-factor authentication.

Bleeping Computer | "Ukrainian military targeted in new Signal spear-phishing attacks"


WhatsApp Zero-Click Flaw Exploited by Paragon Spyware

WhatsApp has patched a zero-click, zero-day vulnerability used to install Paragon's Graphite spyware. The vulnerability was discovered by security researchers at the University of Toronto's Citizen Lab. WhatsApp addressed the issue late last year "without the need for a client-side fix" and did not assign a CVE-ID.

The attacks targeted approximately 90 Android users, including Italian journalists and activists. Attackers added targets to a WhatsApp group before sending a PDF, which, when processed, exploited the vulnerability to load the Graphite spyware. The spyware could then compromise other apps by escaping the Android sandbox.

Infections can be detected using a forensic artifact called BIGPRETZEL, but its absence does not rule out compromise due to the sporadic nature of Android logs.

Bleeping Computer | "WhatsApp patched zero-click flaw exploited in Paragon spyware attacks"


Critical Vulnerabilities in IBM's AIX Operating System

IBM has disclosed two critical vulnerabilities in its Advanced Interactive eXecutive (AIX) operating system, urging customers to apply patches immediately. The vulnerabilities, CVE-2024-56346 (severity score of 10) and CVE-2024-56347 (severity score of 9.6), allow remote attackers to execute arbitrary commands due to improper process controls (CWE-114).

CVE-2024-56346 affects AIX's nimesis Network Installation Management (NIM) master service, while CVE-2024-56347 relates to AIX's nimsh service SSL/TLS protection mechanisms. Exploitation of these vulnerabilities could lead to attackers accessing sensitive data, deploying ransomware, corrupting backups, and implanting backdoors.

Versions 7.2 and 7.3 of AIX are vulnerable and require immediate updates. Given that AIX is commonly used for mission-critical applications in finance, banking, healthcare, and telecommunications, these vulnerabilities pose a significant risk.

The Register | "IBM scores perfect 10 ... vulnerability in mission-critical OS AIX"


Data Breach at Pennsylvania State Education Association (PSEA)

The Pennsylvania State Education Association (PSEA) reported a "security incident" in July 2024 that compromised the sensitive personal data of over 500,000 individuals. The breach, which occurred on July 6, 2024, exposed financial and health information. While PSEA's disclosure didn't explicitly mention ransomware, the Rhysida ransomware gang claimed responsibility in September 2024, suggesting a potential double extortion case.

The compromised data includes personally identifiable information (PII) such as full names, dates of birth, driver's licenses, state IDs, and Social Security numbers (SSNs). Additionally, account numbers, PINs, security codes, passwords, routing numbers, payment card numbers, card PINs, expiration dates, passport numbers, taxpayer ID numbers, usernames, health insurance information, and medical information may have been exposed.

"...we determined that the data acquired by the unauthorized actor contained some personal information belonging to individuals whose information was contained within certain files within our network."

PSEA is offering credit monitoring and identity restoration services to individuals whose Social Security numbers were compromised.

The Register | "Attackers swipe data of 500k+ people from Pennsylvania teachers union"


California Cryobank Data Leak

California Cryobank, one of the world's largest sperm banks, disclosed a data breach that occurred between April 20 and April 22, 2024. The breach resulted in the likely theft of sensitive information, including names, Social Security numbers, driver's license numbers, financial account details, and health insurance information.

The company detected unauthorized activity on April 21, 2024, and initiated an investigation. The number of affected individuals has not been disclosed. The breach poses a significant privacy risk due to the sensitive nature of the services provided by the sperm bank.

California Cryobank claims to have enhanced its security measures following the incident and is offering 12 months of free identity protection services to affected customers.

The Register | "Names, bank info, and more spills from top sperm bank"


DHS Working to Improve Continuous Diagnostics and Mitigation (CDM) Program

The Department of Homeland Security (DHS) is evolving the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program from a compliance-focused initiative to a real-time threat detection and response platform. The program now tracks approximately 6.5 million devices, including operational technology, internet-connected devices, and mobile devices.

Matt House, DHS deputy associate director and CDM program manager, emphasized the importance of interoperability to meet agency needs. The program's shift is in response to critical cybersecurity challenges, particularly after the 2021 SolarWinds breach. New statutory authorities have enabled CISA to conduct cross-agency threat hunting and incident response.

Shelly Hartsook, the acting associate director for CISA’s Cybersecurity Division, noted that a federated model, complementing existing agency capabilities, has proven more effective than a one-size-fits-all solution. Emerging technologies, particularly artificial intelligence, are being explored to manage massive volumes of network data and improve threat detection.

CyberScoop | "How DHS is working to continually improve the Continuous Diagnostics and Mitigation program"


CISA Reinstates Fired Security Crew on Paid Leave

CISA has reinstated staffers who were recently fired, specifically those in their probationary period, following a federal judge's order. These staffers have been placed on paid administrative leave pending the outcome of ongoing legal proceedings.

The decision follows a lawsuit challenging the legality of the layoffs, which were reportedly influenced by cost-cutting measures. CISA confirmed the reinstatement on its website. One person familiar with the situation stated that 130 staffers have been given their jobs back, though they are on paid leave.

The situation has resulted in CISA paying staff who are not allowed to work, highlighting the challenges federal agencies face in competing with private sector salaries for skilled security professionals.

The Register | "CISA fires, now rehires and immediately benches security crew on full pay"


Appeals Court Rules Paige Thompson's Sentence Too Lenient

A federal appeals court has overruled the district court's sentence for Paige Thompson, the hacker responsible for the Capital One data breach, deeming the sentence of five years' probation plus time served as "substantially unreasonable." The court described the hack as the "second largest data breach in the United States at the time," affecting 106 million Capital One customers.

The original sentence was influenced by Thompson's transgender status, autism, and past trauma. However, the appeals court found that the district court overemphasized Thompson's personal story and disputed the characterization of the hack as non-malicious.

The case has been sent back to the district court for resentencing.

CyberScoop | "Capital One hacker Paige Thompson got too light a sentence, appeals court rules"


Congress Should Reauthorize 2015 Information-Sharing Law

Congress is urged to reauthorize the 2015 Cybersecurity and Infrastructure Security Act, which provides legal protections to companies for sharing cyber threat information with the federal government and each other. The law is set to expire at the end of September.

David Weinberg, staff director for Democrats on the Senate Homeland Security and Governmental Affairs Committee, emphasized the importance of the liability shield created by the law to facilitate real-time information sharing. He also advocated for legislation to address conflicting cybersecurity regulations by creating a committee of executive branch officials to examine the issue.

The Senate Homeland Security and Governmental Affairs Committee approved the bill by a vote of 10-1 last year, but it did not advance further.

CyberScoop | "Congress should re-up 2015 information-sharing law, top Hill staffer says"