Daily Brief

Articles are listed below; each entry is followed by a generated summary.

Total articles found: 11826

Checks for new stories every ~15 minutes

2025-05-07 18:28:38 bleepingcomputer CYBERCRIME PowerSchool Hacker Extorts Schools Using Stolen Data
PowerSchool confirmed that the threat actor behind its December 2024 breach is now extorting individual school districts, threatening to release stolen data unless paid. PowerSchool paid a ransom at the time in exchange for assurances that the stolen data would be deleted, but the threat actor is now contacting districts directly with the same data. The company has involved law enforcement in the U.S. and Canada and is assisting affected districts. The stolen data includes Social Security numbers, medical records, and personal contact details of students and teachers. PowerSchool is offering two years of free credit monitoring and identity protection to affected students and staff to reduce the risk of fraud and identity theft. Security experts criticized the decision to pay: a ransom payment buys no guarantee that the attacker will delete the data, and this case is one of several recent high-profile incidents in which a threat actor took the payment and kept extorting anyway.
2025-05-07 18:03:26 bleepingcomputer CYBERCRIME CoGUI Phishing Campaign Targets Over 580 Million Emails Globally
The CoGUI phishing kit sent over 580 million emails between January and April 2025 to steal credentials and payment data, a volume Proofpoint researchers describe as unprecedented for a single kit. The campaigns impersonated well-known brands and institutions such as Amazon, PayPal, and various banks, primarily targeting users in Japan. The emails use urgent lures and link to landing pages that profile each visitor: the kit serves the fake login form only to visitors whose IP geolocation, browser, and device match the target profile and sends everyone else, including many security scanners, elsewhere, which keeps the phishing pages hidden from automated analysis. Visitors who pass the checks are shown fake login forms that harvest personal and financial information. Although CoGUI resembles the Darcula kit, which is tied to China-based operators, Proofpoint assesses that it is a separate kit, possibly used by multiple Chinese cybercriminal groups. Smaller campaigns have been observed in the United States, Canada, Australia, and New Zealand, with shifting tactics that include smishing (SMS phishing) in the U.S. Defenders should treat urgent, unsolicited messages with suspicion and verify requests through a known-good channel rather than through links in the message.
2025-05-07 17:42:23 theregister MISCELLANEOUS Extensive Data Collection in Popular Mobile Browsers Revealed
Surfshark's study identifies Google Chrome as the most data-hungry mobile browser, declaring 20 types of collected user data, including financial and location information. Safari, Chrome's closest competitor by market share, declares far fewer types. The Bing app is the next largest collector at 12 data types, while Safari and Firefox each declare 8. Some collection is specific to particular browsers: Bing, for example, collects precise location and shares data for third-party advertising. Privacy-focused browsers such as Brave and Tor declare significantly less collection. The findings underscore the privacy implications of using the dominant browsers, whose collected data may be used for targeted advertising or sold to data brokers. Surfshark compiled the report from the privacy labels each browser lists on the Apple App Store, so it reflects declared collection rather than observed network behaviour.
2025-05-07 15:39:05 bleepingcomputer CYBERCRIME Critical Flaw in OttoKit Plugin Leads to Unauthorized Admin Access
Hackers are exploiting a critical vulnerability in the OttoKit WordPress plugin to create rogue administrator accounts. The flaw allows an unauthenticated attacker to bypass the plugin's API authentication and obtain administrative privileges. OttoKit, installed on over 100,000 sites, automates workflows and connects WordPress sites to third-party services. The vulnerability was reported on April 11, 2025 and patched on April 21, 2025; most sites had updated by April 24, 2025. Attackers target the plugin's REST API endpoints, mimicking a legitimate integration setup to establish a connection and then using it to create new admin accounts. Patchstack strongly recommends updating the plugin and reviewing logs, user lists, and plugin settings for signs of compromise. This is the second critical OttoKit flaw exploited since April 2025.
2025-05-07 14:45:55 bleepingcomputer CYBERCRIME Play Ransomware Gang Exploits Zero-Day in Multi-Regional Attacks
The Play ransomware gang exploited a zero-day vulnerability in the Windows Common Log File System (CLFS) driver, tracked as CVE-2025-29824, to escalate privileges to SYSTEM. Microsoft patched the vulnerability and reported that it had been exploited in a limited set of attacks across multiple countries, including IT and real estate organizations in the U.S., the financial sector in Venezuela, a software company in Spain, and retail in Saudi Arabia. Microsoft tied the earlier exploitation to an intrusion set that deployed the PipeMagic backdoor ahead of RansomEXX ransomware to encrypt files. In the U.S. intrusion analysed by Symantec, no ransomware was deployed, but the Grixba infostealer, a tool linked to the Play ransomware group, was used. Play, active since June 2022, runs double-extortion operations, threatening to publish stolen data if the ransom is not paid. The FBI, CISA, and the ACSC issued a joint advisory on Play after it had breached approximately 300 organizations worldwide as of October 2023. High-profile victims include Rackspace and Arnold Clark.
2025-05-07 14:05:25 bleepingcomputer MISCELLANEOUS How Universal 2nd Factor (U2F) Enhances Online Security
Universal 2nd Factor (U2F) adds a physical security key as a second authentication factor, so that a login requires something beyond a password. Passwords alone are a weak point: Verizon's 2024 Data Breach Investigations Report finds stolen credentials involved in roughly 31% of breaches, and the Specops Breached Password Report 2025 shows that even complex passwords turn up in breach dumps, with many users still reusing passwords across accounts. A U2F key generates a separate public/private key pair for each service at registration; the private key never leaves the device, and at login the service sends a challenge that the key must sign and that the service verifies against the registered public key. Because the key pair is bound to the site that registered it, a phishing page on another domain cannot obtain a usable response. Mainstream adoption faces hurdles such as device cost (modest, but not zero) and the need for user education. Losing a key is comparable to losing car keys: an inconvenience, but not a compromise of the account, since an attacker would still need the password. Passwords remain the foundation that U2F builds on, and multi-factor authentication, U2F included, is increasingly essential for complementing password-based defenses.
2025-05-07 13:57:11 thehackernews DDOS Europol Dismantles DDoS Services and Arrests Operators
Europol announced the takedown of six DDoS-for-hire platforms used in thousands of attacks worldwide. Polish authorities arrested four individuals, and the U.S. seized nine related domains. The services enabled attacks on schools, government bodies, and businesses for fees as low as EUR 10. They required no technical skill, offering point-and-click interfaces for launching attacks, and operated under names including cfxapi, cfxsecurity, and quickdown with tiered subscription plans. The action is part of Operation PowerOFF, a long-running effort with Dutch and German participation to dismantle DDoS-for-hire infrastructure, which has produced earlier arrests and takedowns. Recent reports from cloud security firms note that DDoS-for-hire services are shifting toward hybrid architectures that combine botnets with dedicated servers.
2025-05-07 13:47:49 thehackernews MALWARE Exploits in OttoKit WordPress Plugin Affect Over 100K Sites
A second critical vulnerability in the OttoKit WordPress plugin is being actively exploited. The flaw, CVE-2025-27007 (CVSS 9.8), is an unauthenticated privilege escalation. All versions up to and including 1.0.82 are affected; users should update to 1.0.83 immediately. The bug lies in the plugin's connection-setup logic: a connection can be established without proper verification of the caller, after which the attacker can use the plugin's API to create an administrator account. Attackers are also still targeting the earlier OttoKit flaw, CVE-2025-3102, which suggests a coordinated campaign. Exploitation attempts have been observed since May 2, 2025, with a sharp increase on May 4, 2025. With over 100,000 installations, the exposure is extensive.
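Patchstack's advice for both OttoKit flaws is to check logs for signs of compromise. The following Python script is an added example of what that check can look like over web-server access logs; it is not Patchstack's or the plugin's code. The log lines are constructed, and the two REST route paths are assumptions based on public reporting of the exploit chain (connection creation followed by an action request that creates a user), so confirm them against the plugin's registered routes before relying on the script.

```python
"""Flag clients that completed an OttoKit-style exploitation chain: a 2xx on
the plugin's connection-creation REST route followed, within a short window,
by a 2xx on its automation-action route from the same source address."""
import re
from datetime import datetime

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed plugin REST routes (sure-triggers namespace); verify locally.
CONNECT_ROUTE = "/wp-json/sure-triggers/v1/connection/create-wp-connection"
ACTION_ROUTE = "/wp-json/sure-triggers/v1/automation/action"

# Constructed sample log: one full chain, one failed connect, one failed action.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2025:09:12:01 +0000] "POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [04/May/2025:09:12:03 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 198 "-" "python-requests/2.31"
198.51.100.5 - - [04/May/2025:09:20:44 +0000] "POST /wp-json/sure-triggers/v1/connection/create-wp-connection HTTP/1.1" 401 87 "-" "Mozilla/5.0"
192.0.2.9 - - [04/May/2025:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.9 - - [04/May/2025:10:40:00 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 403 90 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings
    return rec


def find_exploit_chains(log_text, window_seconds=600):
    """Return one finding per client that hit the connect route successfully
    and then the action route successfully within window_seconds."""
    last_connect = {}  # ip -> time of the last successful connection request
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        success = 200 <= rec["status"] < 300
        if rec["path"] == CONNECT_ROUTE and success:
            last_connect[rec["ip"]] = rec["ts"]
        elif rec["path"] == ACTION_ROUTE and success:
            t0 = last_connect.get(rec["ip"])
            if t0 is not None and (rec["ts"] - t0).total_seconds() <= window_seconds:
                findings.append({"ip": rec["ip"], "connected_at": t0,
                                 "action_at": rec["ts"], "ua": rec["ua"]})
    return findings


if __name__ == "__main__":
    for f in find_exploit_chains(SAMPLE_LOG):
        print(f"{f['ip']}: connect {f['connected_at']:%H:%M:%S}, "
              f"action {f['action_at']:%H:%M:%S} ({f['ua']})")
```

A hit from this script is a reason to look, not proof of compromise: legitimate integration setup produces the same two requests, so pair it with a review of administrator accounts created around the same time (for example `wp user list --role=administrator --fields=user_login,user_registered` with WP-CLI) and of the plugin's stored connection settings.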
2025-05-07 13:47:49 bleepingcomputer CYBERCRIME Masimo Corp Warns of Cyberattack Impacting Production and Deliveries
Medical device manufacturer Masimo Corporation has reported a cyberattack that disrupted production and delayed fulfillment of customer orders. The incident, disclosed in an SEC Form 8-K filing, was identified on April 27, 2025 and affected the company's on-premises network. Masimo's cloud infrastructure was not affected, but several on-premises systems were isolated to contain the intrusion. Some manufacturing facilities are operating below normal capacity, which is delaying order processing and shipping. Masimo has not described the type of attack; it is working with external cybersecurity specialists to investigate and restore operations, and has notified law enforcement. No ransomware group had claimed responsibility at the time of reporting.
2025-05-07 13:23:15 bleepingcomputer CYBERCRIME CISA Issues Warning on Cyber Threats to U.S. Oil and Gas Sectors
CISA warns that unsophisticated intrusion techniques are being used against U.S. oil and natural gas infrastructure. Such intrusions can cause operational disruption, physical damage, and compromise of industrial control systems (ICS) and operational technology (OT). The methods are basic, but the potential impact is significant because cybersecurity hygiene in these sectors is often poor. A joint advisory from CISA, the FBI, the EPA, and the DOE gives mitigation guidance: remove OT devices from the public internet, enforce strong unique passwords, require multi-factor authentication for VPN and other remote access, segment IT from OT networks with demilitarized zones (DMZs), and maintain tested failover and recovery processes. It also urges operators to practice manual operation of control systems, routinely test emergency procedures, and work with third-party service providers on tailored defences.
2025-05-07 11:38:46 thehackernews MALWARE SysAid Addresses Critical Vulnerabilities Enabling Remote Code Execution
Researchers disclosed multiple critical vulnerabilities in the on-premises version of SysAid's IT service management software. Three of them, CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, are pre-authentication XML External Entity (XXE) injection flaws: an unauthenticated attacker can submit XML containing an external entity declaration and have the server resolve it, which allows local file reads and Server-Side Request Forgery (SSRF). A fourth flaw, CVE-2025-2778, is an OS command injection. Chained together, the XXE bugs expose sensitive files including plaintext administrator credentials, which give full administrative control and, with the command injection, a path to remote code execution. SysAid fixed the vulnerabilities in version 24.4.60. A public proof-of-concept exploit chaining the flaws has been released, making prompt patching urgent. SysAid has been targeted before: CVE-2023-47246 was exploited by the Cl0p ransomware group in 2023.
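To make the XXE bug class concrete, the following Python script is an added example (not SysAid's code and not the published PoC) that feeds the same attacker-supplied XML to two parsers: one configured to resolve external general entities, which splices a local file's contents into the parsed document, and one with that feature off and any DOCTYPE rejected outright. The "secret" file, its contents, and the ticket-shaped payload are constructed for the demo; the file path is POSIX.

```python
"""XXE: vulnerable vs. hardened XML parsing with the standard library's SAX parser."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)


class TextCollector(ContentHandler):
    """Collect character data so we can see what the parser produced."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


class RejectDTD:
    """Lexical handler that refuses any document carrying a DOCTYPE.
    Untrusted XML has no business declaring entities at all."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DTD not allowed in untrusted XML")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_vulnerable(xml_bytes):
    """Resolves external general entities: an attacker-supplied SYSTEM entity
    is fetched (local file or URL) and its contents spliced into the document."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def parse_hardened(xml_bytes):
    """External entity resolution off and DOCTYPE rejected before any entity
    declaration is even read."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.setProperty(property_lexical_handler, RejectDTD())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def xxe_payload(file_url):
    """Classic XXE: declare an entity pointing at a local file, then reference it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE ticket [<!ENTITY leak SYSTEM "{file_url}">]>\n'
        "<ticket><subject>&leak;</subject></ticket>"
    ).encode()


def demo():
    """Create a constructed config file, attack both parsers, report the outcome.
    Returns (text the vulnerable parser leaked, whether the hardened parser refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "admin-config.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("admin:Sup3rSecretPassw0rd")  # constructed secret
        payload = xxe_payload("file://" + secret_path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demo()
    print("vulnerable parser leaked:", leaked)
    print("hardened parser rejected payload:", rejected)
```

Turning the feature off is necessary but refusing DOCTYPEs is the stronger control, because it also shuts down entity-expansion denial of service and parameter-entity tricks; the defusedxml package packages the same policy for Python. SysAid is a Java application, where the equivalent is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the DocumentBuilderFactory or SAXParserFactory before parsing untrusted input.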
2025-05-07 11:28:28 bleepingcomputer DDOS Global Crackdown on DDoS-for-Hire Services Leads to Multiple Arrests
Polish authorities, working with international partners, arrested four individuals connected to six DDoS-for-hire platforms. The platforms were used in thousands of attacks worldwide against education, government, commerce, and gaming targets. Marketed as legitimate stress-testing tools, they were in practice used to knock services offline with floods of traffic. The operation involved Germany, the Netherlands, Poland, and the U.S., and resulted in the seizure of domains and of data that will support further investigations. Dutch police set up decoy booter sites to warn would-be customers that such services are illegal and monitored. The action falls under Operation PowerOFF, which since December 2018 has coordinated international efforts against DDoS-for-hire platforms, and it illustrates the role of cross-border data sharing in dismantling these services.
2025-05-07 10:59:21 thehackernews MISCELLANEOUS Reassessing SSEs: Closing Gaps in Browser-level Security
Security Service Edge (SSE) platforms are central to securing hybrid work and SaaS access, providing centralized policy enforcement and connectivity. They have a notable limitation: they operate at the network layer and have no visibility into, or control over, what happens inside the browser, where much sensitive user activity takes place. An SSE cannot observe or govern actions within browser tabs in real time, leaving gaps for browser-based attacks, insider misuse, and data leakage. To close these gaps, organizations are adopting browser-native controls such as enterprise browsers and enterprise browser extensions, which enforce policy directly in the browser and also suit unmanaged devices and remote users. Combining SSE with browser-native security extends protection from the network level to the point of user interaction. The report argues for re-evaluating conventional security architectures around these interaction points and for end-to-end protection as browser-based applications, and the threats against them, continue to grow.
2025-05-07 10:49:43 thehackernews MALWARE Exploiting Zero-Day, Play Ransomware Targets U.S. Organization
Threat actors linked to the Play ransomware family exploited CVE-2025-29824, a recently patched zero-day privilege escalation flaw in the Windows Common Log File System (CLFS) driver, against an unnamed U.S. organization. Initial access was likely gained through a public-facing Cisco Adaptive Security Appliance. Symantec found that the attackers used a custom toolset, including the Grixba information stealer associated with Play, and dropped executables disguised as legitimate software into the Music folder. The intruders ran commands to enumerate every machine in the target's Active Directory and saved the results to a CSV file; no ransomware payload was deployed. Artifacts from the exploit were written under C:\ProgramData\SkyPDF. The exploit created a new user, added it to the local Administrators group, and cleaned up its own traces afterwards. The case fits a broader pattern of ransomware operators using zero-day vulnerabilities to get a foothold and escalate privileges, as seen in earlier campaigns.
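As an added illustration of how the indicators above translate into detection logic, the following Python script (not Symantec's tooling) scans a set of constructed, simplified Windows events: Sysmon process-creation (EID 1) and file-creation (EID 11) records and Security log events 4720 (user account created) and 4732 (member added to a local group). It flags executables launched from a user's Music folder, files written under C:\ProgramData\SkyPDF, and a newly created account being added to Administrators within a short window. Field names are trimmed from the real event schemas, and in real 4732 events the member is usually identified by SID rather than name.

```python
"""Hunt over constructed endpoint events for Play/CLFS post-exploitation traces."""
from datetime import datetime, timedelta

# Constructed, simplified event records (not real telemetry).
EVENTS = [
    {"time": "2025-04-30T10:02:11", "id": 1,
     "Image": r"C:\Users\jdoe\Music\update.exe", "User": r"CORP\jdoe"},
    {"time": "2025-04-30T10:02:15", "id": 11,
     "Image": r"C:\Users\jdoe\Music\update.exe",
     "TargetFilename": r"C:\ProgramData\SkyPDF\stage.tmp"},
    {"time": "2025-04-30T10:03:40", "id": 4720,
     "TargetUserName": "svc_backup", "SubjectUserName": "SYSTEM"},
    {"time": "2025-04-30T10:03:42", "id": 4732,
     "TargetUserName": "Administrators", "MemberName": r"HOST01\svc_backup",
     "SubjectUserName": "SYSTEM"},
    {"time": "2025-04-30T11:30:00", "id": 1,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "User": r"CORP\jdoe"},
    {"time": "2025-04-30T14:00:00", "id": 4732,
     "TargetUserName": "Administrators", "MemberName": r"CORP\helpdesk-admin",
     "SubjectUserName": "itops"},
]

MUSIC_DIR = "\\music\\"               # any path component named Music
SKYPDF_DIR = "c:\\programdata\\skypdf\\"


def event_time(event):
    return datetime.fromisoformat(event["time"])


def account_name(member):
    """Drop the DOMAIN or HOST prefix before the backslash; compare lower-case."""
    return member.rsplit("\\", 1)[-1].lower()


def hunt(events, window=timedelta(minutes=15)):
    """Return (rule, detail) findings in chronological order."""
    findings = []
    created = {}  # account name -> creation time, from 4720 events
    for ev in sorted(events, key=event_time):
        eid = ev["id"]
        if eid == 1 and MUSIC_DIR in ev["Image"].lower():
            findings.append(("exec_from_music_folder", ev["Image"]))
        elif eid == 11 and ev["TargetFilename"].lower().startswith(SKYPDF_DIR):
            findings.append(("skypdf_artifact_written", ev["TargetFilename"]))
        elif eid == 4720:
            created[ev["TargetUserName"].lower()] = event_time(ev)
        elif eid == 4732 and ev["TargetUserName"].lower() == "administrators":
            member = account_name(ev["MemberName"])
            made_at = created.get(member)
            # Only a brand-new account being promoted is suspicious here;
            # the helpdesk-admin promotion later in the day has no matching 4720.
            if made_at is not None and event_time(ev) - made_at <= window:
                findings.append(("new_account_added_to_admins", member))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"{rule}: {detail}")
```

The account-creation rule is the most portable of the three: it does not depend on a particular dropper name or staging directory, which the next intrusion will change, and it catches the generic pattern of an exploit minting its own local administrator.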
2025-05-07 10:35:51 theregister DDOS Curl Project Founder Frustrated by Flood of AI-Generated Bug Reports
Curl founder Daniel Stenberg is tightening screening of bug reports after a surge of AI-generated submissions that waste maintainers' time. He compares the flood of invalid AI-assisted reports to a DDoS attack on the project: they drain resources and contribute to maintainer burnout. A new policy on HackerOne requires reporters to disclose any use of AI in a submission, and anyone who files a low-quality report is banned immediately. In the roughly six years of curl's bug bounty, no AI-generated report has identified a valid bug, and the project has never paid a bounty for one despite offering substantial rewards. Peers such as Python's Seth Larson share the concern about the cost of triaging reports that look plausible at first glance but are wrong. Such reports are treated as close to malicious because of the stress and burnout risk they impose on key open-source contributors. The report that triggered the policy change appeared credible at first but turned out to reference functions that do not exist in curl.