Daily Brief
Articles are listed below; the Summary column holds the generated summaries.
Total articles found: 12822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-01-22 17:40:50 | bleepingcomputer | DATA BREACH | PowerSchool Data Breach Affects Millions of Students and Teachers | PowerSchool, an education tech provider, was compromised, resulting in the theft of data on 62.4 million students and 9.5 million teachers. The breach occurred after unauthorized access to PowerSource, the customer support portal, using stolen credentials. Sensitive information such as Social Security numbers, medical information, and grades was confirmed stolen for some affected students. PowerSchool confirmed paying a ransom to the hackers to prevent public leakage of the stolen data. The company has pledged to offer two years of free identity protection and credit monitoring to all impacted parties. PowerSchool will handle breach notifications itself, aiming to ease the notification load on affected customers and institutions. The detailed incident report by CrowdStrike was expected on January 17 but has been delayed, with no new release date provided. |
| 2025-01-22 17:05:17 | theregister | MISCELLANEOUS | Enhancing Digital Trust Through Crypto-Agility and Automation | Over 53% of organizations have transitioned to being mostly or completely digital native, increasing the need for robust data security. IDC advocates crypto-agility, automation, and quantum-safe encryption as key solutions to digital data security challenges. A webinar hosted by IDC's Jennifer Glenn and DigiCert's Dean Coclin discusses strategies for managing security across diverse digital connections. Digital trust is defined as the secured sharing of data in compliance with security regulations, instilling confidence in organizational digital infrastructures. Despite the benefits, only 11% of enterprises currently implement quantum-safe encryption, and many face challenges such as cost and a lack of standardized methods. Crypto-agility offers a promising route, allowing organizations to adapt cryptographic methods without overhauling existing infrastructures, leading to potential cost and time savings. The discussed strategies are illustrated with real-world examples, highlighting the benefits of integrating advanced digital security practices for future-proofing businesses. The webinar is accessible on demand, providing insights into leveraging crypto-agility and automation for enhanced digital trust and security. |
| 2025-01-22 16:59:56 | bleepingcomputer | CYBERCRIME | Conduent Confirms Cybersecurity Incident Caused Service Outage | Conduent, a major provider of services to government and business entities, confirmed that a cybersecurity incident led to a recent service outage. The outage affected multiple U.S. states and critical services, including electronic transfers and EBT cards for organizations like the Wisconsin Department of Children and Families. Service was restored after system repairs, with Conduent expressing regret over the inconvenience caused to clients and users. Details regarding the exact nature of the cyberattack, potential data theft, or any ransom demands have not been disclosed by Conduent. Despite restoring systems, Conduent has not made a public statement or filed the necessary disclosures with the SEC about the breach. This incident follows a prior cybersecurity issue four years ago, when Conduent was targeted by Maze ransomware, affecting its European operations. |
| 2025-01-22 16:19:00 | theregister | MISCELLANEOUS | Microsoft Releases Urgent Fix for Windows Server 2022 Boot Issue | Microsoft issued an out-of-band patch for Windows Server 2022 to address boot failures on systems with two or more NUMA nodes. The update, KB5052819, targets issues caused by a recent security update, potentially KB5049983, though this has not yet been confirmed. NUMA, a memory architecture common in high-performance computing systems, gives each processor its own local memory to speed up access. The glitch prevented multi-node systems from starting up properly, which is critical for enterprise operations. Microsoft advises that the patch installs only on systems where the previous updates are already in place. The recent problems add to a string of challenges for Windows Server administrators, including an unexpected upgrade to Windows Server 2025 and issues with systems having 256 or more logical processors. Microsoft emphasizes the importance of thorough testing of updates to prevent operational disruptions in production environments. |
| 2025-01-22 16:19:00 | thehackernews | NATION STATE ACTIVITY | Trump Administration Ends DHS Committees, Affects Cybersecurity Strategy | President Donald Trump has terminated all memberships of advisory committees under the Department of Homeland Security (DHS), as announced by Acting Secretary Benjamine C. Huffman in a memo dated January 20, 2025. This action affects the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Safety Review Board (CSRB), which has been crucial in analyzing significant cybersecurity threats and incidents. The CSRB notably criticized Microsoft for errors that allowed the Chinese nation-state group Storm-0558 to exploit its systems, and it reviewed the Apache Log4j vulnerabilities and the activities of the LAPSUS$ cybercrime group. The termination of these committees is reportedly seen as undermining efforts to secure U.S. cybersecurity, especially regarding threats from nation-state actors like China. The disbanded advisory boards include those focused on artificial intelligence safety, critical infrastructure partnerships, and cybersecurity investigations. The move also aligns with President Trump revoking the Biden administration's executive order on artificial intelligence safety, shifting the focus away from secure and trustworthy AI development. Critics, including U.S. Senator Ron Wyden, have expressed concerns that the decision seems retaliatory towards Microsoft and undermines national cybersecurity, potentially empowering foreign espionage efforts. |
| 2025-01-22 15:33:11 | theregister | MISCELLANEOUS | President Trump Pardons Silk Road Founder Ross Ulbricht | Ross Ulbricht, founder of the dark web marketplace Silk Road, was pardoned by US President Donald Trump, fulfilling a prior commitment made at the Libertarian National Convention. Ulbricht, previously serving two life sentences plus 40 years without parole, was convicted in 2015 on charges including drug trafficking, money laundering, and computer hacking. President Trump's decision was influenced by the campaign for his release led by Ulbricht's mother, and he acknowledged her and the Libertarian movement's support. Libertarian politicians and cryptocurrency advocates, including Senator Rand Paul, had long advocated for Ulbricht's release, emphasizing the disproportionate sentence for a non-violent crime. Earlier appeals were unsuccessful because of the magnitude of Ulbricht's role in Silk Road's operations, but his sentence was criticized for its severity compared with those of other non-violent offenders. Following his release, Ulbricht's family is seeking donations to aid his reintegration into society, accepting contributions through PayPal and cryptocurrencies like Bitcoin. The news of Ulbricht's pardon was met with mixed reactions, reflecting ongoing debates over the justice system's treatment of non-violent offenders involved in technology-driven crimes. |
| 2025-01-22 15:12:41 | bleepingcomputer | CYBERCRIME | Chinese Hackers Infect South Korean VPN with Stealth Malware | The Chinese-aligned group "PlushDaemon" executed a supply chain attack on South Korean VPN provider IPany, inserting malware into its VPN installer. The compromised installer deployed the 'SlowStepper' malware, affecting customers including a South Korean semiconductor company and a software development firm. The malware was embedded within a legitimate IPany VPN installation file downloaded from the company's official website. Once installed, the malware maintained persistence through registry modifications and was monitored by the svcghost.exe process. The payload, described as not fully featured but stealthy, was capable of spying by recording audio and video, indicating a significant breach of privacy and security. ESET researchers, after detecting the breach, notified IPany, leading to the removal of the malicious installer from the website. Infections date back to November 2023, and all users who downloaded the compromised installer before May 2024 are at risk, necessitating system cleansing and security checks. |
| 2025-01-22 15:02:18 | bleepingcomputer | CYBERCRIME | Enhancing Security with AI-Generated Password Dictionaries | Organizations are vulnerable to cyber-attacks when employees use easily guessed passwords. Dictionary attacks use automated tools to try known weak passwords and variations of them. A custom password dictionary can prevent the use of common and predictable passwords. AI tools like ChatGPT can accelerate the creation of these dictionaries by suggesting likely weak passwords based on company-specific data. Regular updates and management of the password dictionary are crucial for maintaining security. Integrating password security tools with custom dictionaries and breach monitoring further enhances protection. Specops Password Policy is an example of a tool that creates and imports banned-password lists and continuously checks passwords against a comprehensive breach database. |
| 2025-01-22 14:41:40 | bleepingcomputer | MISCELLANEOUS | Security Researchers Exploit 16 Zero-Days at Pwn2Own Automotive 2025 | On the first day of Pwn2Own Automotive 2025, security researchers exploited 16 unique zero-days, receiving a total of $382,750 in rewards. Fuzzware.io led the competition by hacking EV chargers from Autel and Phoenix Contact, leveraging software vulnerabilities for a $50,000 prize. Sina Kheirkhah of Summoning Team exploited vulnerabilities in Ubiquiti and Phoenix Contact chargers, earning $91,750 and significant competition points. The Synacktiv team took third place, earning $57,500 by demonstrating a protocol flaw in a ChargePoint Home Flex charger. Teams used technical methods such as stack-based buffer overflows, heap-based buffer overflows, and OS command injection to breach device security. Hacked devices included electric vehicle chargers and in-vehicle infotainment systems from various manufacturers. After the competition, vendors have 90 days to address and patch the disclosed vulnerabilities before Trend Micro's Zero Day Initiative publishes details. The event, part of the Automotive World auto conference in Tokyo, highlights potential cybersecurity risks in automotive technologies and encourages timely remediation. |
| 2025-01-22 13:55:56 | thehackernews | DDOS | Sophisticated AIRASHI Botnet Targets Routers for DDoS Attacks | Hackers are exploiting a zero-day vulnerability in Cambium Networks cnPilot routers to deploy the AIRASHI botnet, causing powerful DDoS attacks. The AIRASHI botnet, a variant of the AISURU botnet, has historically maintained attack capacities between 1 and 3 Tbps. Infected devices are concentrated in countries such as Brazil, Russia, Vietnam, and Indonesia, while the attacks themselves focus on China, the United States, Poland, and Russia. AIRASHI uses updated network protocols involving the HMAC-SHA256 and CHACHA20 algorithms and supports diverse functionality such as SOCKS5 proxy communication. In addition to DDoS capabilities, variants of AIRASHI have integrated proxyware functionality, potentially indicating a strategic expansion of services by the threat actors. The ongoing exploitation of IoT vulnerabilities highlights significant security challenges for network infrastructure globally. Concurrently, QiAnXin has identified other significant threats, such as the alphatronBot backdoor and the DarkCracks payload delivery framework, emphasizing the extensive threat landscape. |
| 2025-01-22 13:20:12 | theregister | NATION STATE ACTIVITY | Trump's Admin Proposes Major Cybersecurity Policy Shifts | The Trump administration lacks a detailed infosec policy but signals that significant cybersecurity changes are imminent. Critical U.S. infrastructure vulnerabilities have been exposed, notably by China's Typhoon operations, escalating the cybersecurity stakes. With cybersecurity a low priority on Trump's policy agenda, major decisions, such as terminating DHS advisory committees, which affects CISA, reflect a shift in cybersecurity strategy. Ransomware attacks persist, and misinformation continues to challenge American public opinion, indicating a volatile cybersecurity environment. Debates around private sector security responsibility persist, with calls for either voluntary security guidelines or stricter mandatory standards. CISA's role is expected to be recalibrated, moving away from countering misinformation to focusing on protecting government networks and critical infrastructure. There is a potential shift towards more aggressive U.S. cyber offensive strategies, as indicated by Trump's advisors, which could change international cyber dynamics. The Trump administration may continue enforcing robust cybersecurity measures, such as the zero-trust architectures initiated under previous policies. |
| 2025-01-22 10:33:09 | thehackernews | MISCELLANEOUS | President Trump Pardons Silk Road Founder Ross Ulbricht | President Donald Trump has granted a full pardon to Ross Ulbricht, the creator of the Silk Road dark web marketplace, after Ulbricht served 11 years in prison. Ulbricht was arrested in 2013 and later sentenced to life in prison without parole on charges including money laundering, narcotics trafficking, and computer hacking. The Silk Road, launched in 2011, was a notorious digital marketplace facilitating the sale of illegal drugs and other illicit goods and services, generating over $200 million before being shut down by authorities in 2013. Trump cited support from the Libertarian Movement and personal grievances against what he called the "weaponization of government" as reasons for the pardon. In November 2021, the U.S. Department of Justice announced the seizure of over 50,000 Bitcoin related to a 2012 hack of Silk Road, marking one of the largest cryptocurrency seizures. Ulbricht, also known by his pseudonym "Dread Pirate Roberts," has claimed that his intent with Silk Road was to give individuals the freedom to make their own choices, asserting he did not start the platform for personal financial gain. Although Ulbricht was alleged to have arranged multiple murders through a drug vendor on Silk Road, the DoJ confirmed there is no evidence that any killings actually took place. |
| 2025-01-22 10:33:09 | thehackernews | MISCELLANEOUS | Assess Your Company's Web and SaaS Security Risks for Free | Complimentary risk assessments are now available for organizations to identify vulnerabilities in their browsing environments, particularly focusing on GenAI tools and SaaS platforms. The assessment evaluates potential risks such as data exposure, identity vulnerabilities, insecure use of GenAI, and sensitive data leakage through browsers. Results from the assessment include a detailed report with metrics and mitigation recommendations for each identified risk. Security teams can use the insights gained to optimize decision-making, enhance security measures, and educate other departments within their organization. The article stresses the importance of recognizing and addressing browser-based threats and SaaS risks, underscoring the browser's role as a critical component of modern workforce productivity. By leveraging this resource, organizations of any size and industry can improve their security posture and plan effectively against potential threats. |
| 2025-01-22 09:32:20 | theregister | CYBERCRIME | Ransomware Groups Exploit MS Teams to Launch Sophisticated Attacks | Sophos identified two ransomware campaigns, STAC5143 and STAC5777, leveraging Microsoft Teams to compromise organizations and steal data. The campaigns were carried out by separate ransomware groups operating their own Microsoft Office 365 tenants, exploiting a default Teams configuration to initiate unauthorized meetings or chats with targets. STAC5777 has ties to Storm-1811, previously known for deploying Black Basta ransomware via Microsoft's Quick Assist. STAC5143, possibly linked to Russia's FIN7 (Sangria Tempest/Carbon Spider), initially bombarded a customer with over 3,000 spam emails before inviting them to a fraudulent Teams call for remote access. The attackers employed multi-step processes, including executing malware through Java and PowerShell, setting up encrypted command-and-control channels using tools like ProtonVPN, and downloading malicious DLLs. Sophos's endpoint protection detected unusual activity, such as unsigned DLL execution and suspicious OneDriveUpdater behaviour, which was part of the attackers' effort to establish further access and move laterally within the network. These defenses prevented the full execution of Black Basta ransomware by STAC5777, underscoring the importance of robust cybersecurity defense systems. |
| 2025-01-22 08:51:42 | thehackernews | NATION STATE ACTIVITY | PlushDaemon APT Targets South Korean VPN in Supply Chain Attack | PlushDaemon, a previously unknown APT group linked to China, executed a targeted supply chain attack on a South Korean VPN provider by tampering with the provider's software installer. ESET discovered the attack, which replaced a legitimate VPN installer with a malicious version that deployed a backdoor named SlowStepper, a substantial toolkit featuring over 30 components. SlowStepper, written in C++, Python, and Go, enables extended surveillance capabilities, including data gathering and recording audio and video through various Python and Go modules. The malware infiltrated systems through the compromised software downloaded from the VPN provider's website and achieved persistence, allowing continuous access to infected systems. Victims of the attack include networks associated with a semiconductor company and a software development company in South Korea, with telemetry data indicating earlier victims in Japan and China. The malware uses a multistage C&C protocol that relies on DNS queries to communicate with its command servers, enabling a range of commands for detailed system exploitation and self-deletion. The latest observations suggest the APT has been actively refining and deploying its tools since 2019, with recent versions showing enhancements for reduced detection and increased functionality. |