Links
https://www.wral.com/news/education/threat-actor-claims-to-have-nc-student-data-may-2025
https://thehackernews.com/2025/05/breaking-7000-device-proxy-botnet-using.html
https://www.washingtonpost.com/technology/2025/05/06/signal-archive-cybersecurity-waltz-wyden
https://www.washingtonpost.com/politics/2025/05/01/waltz-signal-app-photo-cabinet
https://en.wikipedia.org/wiki/United_States_government_group_chat_leaks
PowerSchool Breach: When ‘Delete’ Doesn’t Mean Gone
- Executive Summary
- PowerSchool, who is a major educational data management provider, suffered a significant data breach, then assured victims that the situation was contained and the stolen data deleted after a ransom payment. Now, threatening emails demanding cryptocurrency payments are sent to North Carolina public school employees, indicating that the compromised data remains in the hands of malicious actors.
- Details
- The Initial Breach
- In December 2024, PowerSchool’s systems were breached, exposing personal data of students and teachers.
- The breach was reportedly due to compromised credentials lacking multifactor authentication, allowing unauthorized access to sensitive information.
- Ransom Payment and Assurances
- PowerSchool paid a ransom and claimed to have witnessed the deletion of the stolen data via video.
- They assured stakeholders that the situation was contained, and that the data would not be made public.
- Emergence of Threatening Emails
- In May 2025, North Carolina public school employees received emails from individuals claiming to possess the stolen data, demanding cryptocurrency payments to prevent its release.
- Response from Authorities
- The North Carolina Department of Public Instruction (DPI) and PowerSchool have notified law enforcement agencies in the U.S. and Canada.
- DPI advised recipients of the threatening emails not to engage and to report such incidents through official channels.
- Transition to a New System
- North Carolina public schools plan to transition from PowerSchool to Infinite Campus for data management starting July 1, 2025.
- This decision was made to enhance data security and restore trust in the system.
- The Initial Breach
- Defense
- Implement Robust Access Controls
- Ensure all accounts, especially those with administrative privileges, use multifactor authentication to prevent unauthorized access.
- Vet Third-Party Vendors Thoroughly
- Conduct comprehensive security assessments of third-party vendors handling sensitive data. Regular audits and compliance checks can help identify potential vulnerabilities.
- Develop a Comprehensive Incident Response Plan
- Prepare for potential breaches with a well-defined incident response plan, including communication strategies, data recovery procedures, and legal considerations.
- Educate and Train Staff
- Regularly train employees on cybersecurity best practices, recognizing phishing attempts, and proper data handling protocols.
- Limit Data Collection and Retention
- Collect only necessary data and establish clear retention policies to minimize the amount of sensitive information at risk.
- Monitor for Unusual Activity
- Implement monitoring tools to detect unusual activities or access patterns that could indicate a breach or attempted intrusion.
- Communicate Transparently
- In the event of a breach, maintain transparent communication with stakeholders, providing timely updates and guidance on protective measures.
- Implement Robust Access Controls
When Your Toaster Joins a Cybercrime Ring
- Executive Summary
- In a significant cybersecurity operation dubbed “Operation Moonlander,” Dutch and U.S. authorities dismantled a sprawling proxy botnet comprising over 7,000 infected Internet of Things (IoT) and end-of-life (EoL) devices. This network, powered by the “TheMoon” malware, had been operational since 2004, offering anonymized proxy services to cybercriminals. The illicit enterprise generated over $46 million in revenue by compromising devices such as routers, primarily in the U.S., Canada, and Ecuador.
- Story
- Infrastructure
- The botnet exploited vulnerabilities in IoT and EoL devices, particularly routers, to create a vast proxy network.
- Infected with “TheMoon” malware, enabling persistent remote access and control.
- The malicious network facilitated anonymous cyber activities, including credential stuffing and other illicit operations.
- Financial Operations
- Cybercriminals monetized the botnet by offering proxy services through websites
- Users paid subscription fees ranging from $9.95 to $110 per month
- amassing over $46 million in revenue.
- Provided anonymity for various malicious activities.
- Users paid subscription fees ranging from $9.95 to $110 per month
- Cybercriminals monetized the botnet by offering proxy services through websites
- Law Enforcement Intervention
- In May 2025, coordinated efforts by Dutch and U.S. law enforcement agencies led to the takedown of the botnet’s infrastructure.
- Four individuals (three Russian nationals and one Kazakhstani) were charged by the U.S. Department of Justice
- roles in operating and profiting from the proxy services
- Seized domains and disrupting command-and-control servers based in Turkey.
- Four individuals (three Russian nationals and one Kazakhstani) were charged by the U.S. Department of Justice
- In May 2025, coordinated efforts by Dutch and U.S. law enforcement agencies led to the takedown of the botnet’s infrastructure.
- Technical Insights
- The botnet’s command-and-control infrastructure
- five servers
- four communicating over port 80
- one using UDP on port 1443.
- Servers managed the infected devices, facilitating data exfiltration and control.
- five servers
- malware exploited known vulnerabilities in outdated devices
- The botnet’s command-and-control infrastructure
- Infrastructure
- Defense
- Regularly Update and Patch Devices
- Ensure all network-connected devices, especially IoT and routers, receive timely firmware and security updates. Outdated devices are prime targets for exploitation.
- Replace End-of-Life Equipment
- retire devices that no longer receive manufacturer support or security patches. Continuing to use EoL hardware exposes networks to unnecessary risks.
- Implement Network Segmentation
- Isolate IoT devices from critical network segments to contain potential breaches and limit lateral movement within the network.
- Regularly Update and Patch Devices
The Phantom Backdoor: Six Years of Silent Sabotage
- Executive Summary
- A coordinated supply chain attack has compromised between 500 and 1,000 Magento-based e-commerce stores through 21 backdoored. These extensions, some infected as far back as 2019, contained dormant PHP backdoors that were activated in April 2025, granting attackers full control over affected servers. The malicious code allowed for arbitrary code execution, data theft, and administrative access, posing significant risks to both merchants and customers.
- Story
- Sansec is a company that does ecommerece vulnerability and malware scanning.
- Sansec researchers identified 21 Magento extensions injected with a PHP backdoor, primarily from Tigren, Meetanshi, and MGS.
- backdoor resided in license verification files and remained dormant for years before activation.
- April 2025
- dormant backdoors were activated
- execute arbitrary PHP code
- upload web shells
- gain administrative access
- dormant backdoors were activated
- Vendors Varied Responses via SanSec
- Tigren
- Denied any breach and continues to distribute the affected extensions.
- Meetanshi
- Acknowledged a server breach but did not confirm extension compromise.
- MGS
- Did not respond to inquiries.
- Tigren
- Indicators of Compromise (IoCs)
- Check Extensions
- Tigren
- Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD
- Meetanshi
- ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS
- MGS
- Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog
- Tigren
- Check Extensions
- Defense
- Audit Installed Extensions
- Regularly review and audit all installed extensions for signs of tampering or unauthorized code.
- Source Extensions from Trusted Vendors
- Only install extensions from reputable vendors with a track record of security and prompt vulnerability disclosures.
- Implement File Integrity Monitoring
- Use tools to monitor critical files for unexpected changes, which can indicate a compromise.
- Regularly Update and Patch Systems
- Keep Magento and all extensions up to date with the latest security patches to mitigate known vulnerabilities.
- Conduct Security Scans
- Employ security scanning tools to detect malware and vulnerabilities within your Magento installation.
- Backup and Recovery Planning
- Maintain regular backups and have a recovery plan in place to restore systems in the event of a breach.
- Educate Development Teams
- Train developers and administrators on secure coding practices and the importance of supply chain security.
- Audit Installed Extensions
The TeleMessage Debacle in Government Communications
- Executive Summary
- To archive encrypted communications, the Trump administration adopted TeleMessage, a modified version of the Signal app. However, this solution introduced significant security vulnerabilities, leading to breaches by hackers who accessed data from U.S. agencies. Senator Ron Wyden has called for a Justice Department investigation into whether the use of TeleMessage has compromised national security and violated federal laws.
- Story
- The administration sought a solution to archive encrypted messages.
- TeleMessage, an Israeli-developed app, was adopted to fulfill this need
- Hackers successfully breached TeleMessage systems, accessing data from U.S. agencies such as Customs and Border Protection.
- The contents of messages were not disclosed
- breach highlighted the app’s vulnerabilities and the potential exposure of sensitive information.
- The Justice Department to investigate TeleMessage’s security practices
- questioning whether the company misrepresented its product’s security features
- potential violations of the False Claims Act and the involvement of foreign governments.
- Debate about the use of third-party applications for official government communications.
- need for rigorous security assessments
- adherence to federal records laws
- The administration sought a solution to archive encrypted messages.
- Defense
- Vet Third-Party Applications Thoroughly
- Before adopting any third-party communication tools, conduct comprehensive security assessments to ensure they meet the organization’s security and compliance requirements.
- Implement Robust Security Protocols
- Establish clear policies for secure communication, including the use of approved applications, regular security training for staff, and protocols for handling sensitive information.
- Monitor and Audit Communication Channels
- Regularly monitor and audit communication channels to detect unauthorized access or potential breaches. Implement intrusion detection systems and maintain logs for accountability.
- Ensure Compliance with Legal and Regulatory Standards
- Stay informed about legal and regulatory requirements related to data security and records retention. Ensure that all communication practices comply with applicable laws to avoid legal repercussions.
- Respond Promptly to Security Incidents
- Develop an incident response plan to address security breaches swiftly. This includes identifying the breach, containing it, notifying affected parties, and taking corrective actions to prevent future incidents.
- Vet Third-Party Applications Thoroughly
Thanks for tuning in to this week’s Cyber Security News Byte. You can catch all the links, details, and show notes over at CyberSecurityNewsByte.com. If you’re curious about who’s behind the mic, head to JimGuckin.com—or shoot me a message at me@jimguckin.com
Stay Safe Online and talk to you again next time.