Transcript
CISO Series Host (0:00)
From the CISO Series, it's Cybersecurity Headlines.
Rich Stroffolino (0:07)
These are the cybersecurity headlines for Thursday, January 9, 2025. I'm Rich Stroffolino.

PowerSchool hacked. The edtech giant PowerSchool provides cloud-based education software tracking everything from grades and attendance to emergency contacts and lunch money for over 50 million students in the U.S. The company began informing impacted school districts this week that threat actors breached a customer support portal on December 28th using compromised credentials. PowerSchool confirmed that stolen data includes names and addresses, but could also include Social Security numbers and other personally identifiable information, depending on the district. In the FAQ about the incident, PowerSchool said it did not suffer a ransomware attack, but did pay an extortion demand to prevent the data from being leaked. The company will offer credit monitoring services for impacted adults and identity protection services for minors.

Lawmakers expected to revive attempts for a new cyber force study. House lawmakers are continuing their research on whether a cyber force should be added to the U.S. military. Representative Morgan Luttrell says an independent assessment is still very warranted, as reported in The Record. Last year, Luttrell sponsored an amendment to the House version of the annual defense policy bill to require the Pentagon to commission a third-party study on creating a cyber force as a potential seventh military branch that would be dedicated to digital warfare. The final bill was signed into law by President Biden last month, but it gave no deadline for the assessment to be submitted to Congress. Luttrell called the lack of a deadline a huge headache, but if the initiative is defeated for the third consecutive year, he hinted he will start speaking to future Vice President Vance.

European Commission receives first GDPR fine. In "physician, heal thyself" news, the European General Court ruled that the European Commission violated the General Data Protection Regulation, or GDPR, by transmitting a German citizen's personal data to the U.S. The citizen brought the case after the European Commission used a Facebook sign-in option on an event site. The signup sent device, browser and IP address information to Amazon and Meta. GDPR considers that data to be personal information. Although GDPR allows for hefty fines for violations, the court ruled the EC must pay the person bringing the suit €400.

Microsoft 365 features abused in PayPal fraud scheme. Fortinet CISO Carl Windsor detailed this phishing campaign after being targeted by it. This saw threat actors register a free Microsoft 365 test domain to use for sending emails to targets. Because these come from an onmicrosoft.com email domain, they generally bypass email security checks. In this campaign, the threat actor sent spoofed PayPal money requests to victims using addresses mentioning a billing department. Clicking on the link and logging into PayPal to view the request actually links the account to the sender, opening the door to an account takeover. Windsor recommended users still use common sense on fishy-looking email addresses, even if they get past basic spam filters.

And now, thanks to today's episode sponsor, Nudge Security. Trying to squeeze a few more line items into your 2025 budget? Nudge Security can help. It's the only solution for SaaS security and governance that can discover up to two years of historical SaaS spend along with usage insights, so you can uncover wasted spend and redeploy those dollars elsewhere. Start a free trial at nudgesecurity.com/saasspend and find savings before you can say Happy New Year. That's N-U-D-G-E-S-E-C-U-R-I-T-Y.com/saasspend.

Akamai to end CDN service in China. The company informed customers of its content delivery network service in China that it would end service there as of June 30, 2026. Akamai will offer migration services to the domestically based Tencent Cloud or Wangsu Science and Technology, as well as support switching to a CDN outside of China. Often these types of market withdrawals come from concerns about partnering with local Chinese companies to stay in the good graces of regulators. But an Akamai spokesperson cited a statement from CEO Tom Leighton from its Q3 earnings call saying that compute and security services now generate the majority of Akamai's revenue, and that the company may be focusing on higher-growth areas rather than traditional CDN services in the market.

Hackers have their own shadow IT problems. Research from watchTowr Labs reveals that the problem of shadow IT impacts hackers as much as it does CISOs. Writing in a post that was released last Wednesday, watchTowr Labs CISO Benjamin Harris and researcher Aliz Hammond said they successfully identified entry points into thousands of live backdoors being used by hackers through the interconnected infrastructure they leave behind. This hijacking allowed them to track compromised hosts and, as they reported, it theoretically gave them the power to commandeer and control these compromised hosts. In many cases, attackers leave behind old web shells containing snippets of code that could be used to identify and compromise newer active web shells and domains being used in ongoing hacking campaigns.

Ivanti issues warning of new Connect Secure flaw. According to Ivanti, hackers have exploited a Connect Secure remote code execution vulnerability that installs malware on its appliances. This is after the Ivanti Integrity Checker tool detected malicious activity on customers' Ivanti appliances, and a subsequent investigation confirmed that threat actors were actively exploiting a CVE-numbered vulnerability as a zero-day. While the flaw impacts all three products, Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways, Ivanti says they have only exploited it on Ivanti Secure Connect appliances. Ivanti has rushed out security patches for Connect Secure, which are resolved in firmware version 22.7R2.5. A link to the Ivanti report with CVE numbers and version numbers of the impacted and non-impacted versions is available in the show notes of this episode.

ICAO and Green Bay follow-ups. Two quick follow-ups from yesterday. The UN's International Civil Aviation Organization confirmed it suffered a data breach, with threat actors stealing 42,000 records from its recruitment database. It said yesterday that it was investigating reports of a breach. The data stolen includes names, email addresses, dates of birth and employment history, but did not impact any financial information or passwords. No other systems were impacted. And to follow up on the payment skimmer installed on the Green Bay Packers online store, the team informed Maine's Attorney General that 8,514 people were impacted by the skimmer, including 16 people in Maine. Victims were informed on January 6th and offered three years of credit monitoring.

We've been mired in endless discussions on how adversaries and defenders are, or could be, taking advantage of AI. Does one side have the upper hand, or is this just a continuation of the endless cat-and-mouse game adversaries and security professionals play all the time? That's the topic we'll be digging into on Defense in Depth. Look for the episode "Is AI Benefiting Attackers or Defenders?" wherever you get your podcasts, or head on over to cisoseries.com. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
