Cyber Security News: PowerSchool hacked, Cyber Force study, EC gets GDPR fine

In today’s cybersecurity news…

PowerSchool hacked

The EdTech giant PowerSchool provides cloud-based education software, tracking everything from grades and attendance to emergency contacts and lunch money for over 50 million students in the US. The company began informing impacted school districts this week that threat actors breached a customer support portal on December 28th using compromised credentials. PowerSchool confirmed that stolen data included names and addresses but could also include Social Security numbers and other personally identifiable information, depending on the school district. In the FAQ about the incident, PowerSchool said it did not suffer a ransomware attack but did pay an extortion demand to prevent the data from being leaked. The company will offer credit monitoring services for impacted adults and identity protection services for minors.

(TechCrunch, Bleeping Computer)

Lawmakers expected to revive attempts for new Cyber Force study

House lawmakers continue researching whether a Cyber Force should be added to the U.S. military. Rep. Morgan Luttrell (R-TX) says “An independent assessment is still very warranted.” As reported in The Record, “Last year Luttrell sponsored an amendment to the House version of the annual defense policy bill to require the Pentagon to commission a third-party study on creating a Cyber Force as a potential seventh military branch that would be dedicated to digital warfare.” The final bill was signed into law by President Joe Biden last month, but it gave no deadline for the assessment to be submitted to Congress. Luttrell called the lack of a deadline a colossal headache, but if the initiative is defeated for the third consecutive year, he hinted he will start speaking to future VP Vance.

(The Record)

European Commission receives first GDPR fine

In “Physician Heal Thyself” news, the European General Court ruled that the European Commission violated the General Data Privacy Regulation, or GDPR, by transmitting a German citizen’s data to the US. The citizen brought the case after the European Commission used a Facebook sign-in option on an event site. This sign-up sent device, browser, and IP address information to Amazon and Meta. GDPR considers that data to be personal information. Although GDPR allows for hefty fines for violations, the court ruled the EC must pay the person bringing the suit €400. 

(The Record)

Microsoft 365 features abused in PayPal fraud scheme

Fortinet CISO Carl Windsor detailed this phishing campaign after being targeted by it. The threat actors register a free Microsoft 365 test domain to send emails to targets. These emails generally bypass email security checks because they come from an onmicrosoft.com email domain. In this campaign, the threat actor sends spoofed PayPal money requests to victims using addresses mentioning a “billing department.” Clicking on the link and logging into PayPal to view the request links an account to the sender, opening the door to an account takeover. Windsor recommended that users still use common sense when looking at fishy-looking email addresses, even if they get past basic spam filters.

(Dark Reading)

Akamai to end CDN service in China

The company informed customers of its content delivery network service in China that it would end service there as of June 30, 2026. Akamai will offer migration services to the domestically based Tencent Cloud or Wangsu Science & Technology and support switching to a CDN outside of China. Often, these market withdrawals come from concerns about partnering with local Chinese companies to stay in the good graces of regulators. But an Akamai spokesperson cited a statement from CEO Tom Leighton from its Q3 earnings call, saying that compute and security services now generate the majority of Akamai’s revenue and that the company may be focusing on higher growth areas rather than traditional CDN services in the market.

(The Register)

Hackers have their own shadow IT problem

Research from watchTowr Labs reveals that the problem of Shadow IT affects hackers in much the same way as CISOs. Writing in a post that was released last Wednesday, watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond said they have successfully identified entry points into thousands of live backdoors being used by hackers through the interconnected infrastructure they leave behind. “This hijacking allowed us to track compromised hosts as they ‘reported in’, and theoretically gave us the power to commandeer and control these compromised hosts,” they wrote. In many cases, attackers leave behind old web shells containing snippets of code that could be used to identify and compromise newer, active web shells and domains being used in ongoing hacking campaigns.

(Cyberscoop)

Ivanti issues warning of new Connect Secure flaw

According to Ivanti, hackers have exploited a Connect Secure remote code execution vulnerability to install malware on its appliances. This comes after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers’ Ivanti appliances, and a subsequent investigation confirmed that “threat actors were actively exploiting a CVE numbered vulnerability as a zero-day.” While the flaw impacts all three products, Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways, Ivanti says it has only been exploited on Ivanti Connect Secure appliances. Ivanti has rushed out security patches for Ivanti Connect Secure, with the flaw resolved in firmware version 22.7R2.5. A link to the Ivanti report with CVE numbers and version numbers of the affected and non-affected versions is available in the show notes to this episode.

(BleepingComputer and Ivanti)

ICAO and Green Bay follow-ups

Two quick follow-ups from yesterday. The U.N.’s International Civil Aviation Organization, or ICAO, confirmed it suffered a data breach, with a threat actor stealing 42,000 records from its recruitment database. The stolen data includes names, email addresses, dates of birth, and employment history, but the breach did not impact any financial information or passwords. No other systems were affected.

This is a follow-up on the payment skimmer installed on the Green Bay Packers’ online store. The team informed Maine’s attorney general that 8,514 people were impacted by the skimmer, including 16 people in Maine. Victims were notified on January 6th and offered 3 years of credit monitoring.

(The Register, The Record)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.