Daily Brief

2025-01-28 15:44:48 bleepingcomputer DATA BREACH PowerSchool Notifies Victims of Extensive Data Breach Impact
PowerSchool, a major provider of K-12 educational software, suffered a severe data breach in December 2024 that resulted in the theft of sensitive data. The compromised data involved personal details from over 6,505 school districts, potentially affecting millions of students and teachers across the U.S. and Canada. The stolen information includes names, addresses, contact info, Social Security numbers, medical data, and grades. Detailed particulars about the breach, to be provided by CrowdStrike, remain pending. PowerSchool has begun notifying individuals potentially impacted, including students, teachers, and parents, and is engaging with U.S. and Canadian regulators. The company is offering victims two years of free identity theft protection and credit monitoring. The exact number of affected individuals is still undisclosed, but estimates suggest tens of millions could be impacted.
2025-01-28 15:02:30 theregister CYBERCRIME Enhancing AWS Security with Wazuh for Compliance and Threat Management
The article emphasizes the importance of securing AWS workloads as organizations increasingly shift to cloud deployments. It explains the AWS shared responsibility model: AWS secures the infrastructure, while customers must protect their cloud workloads. It highlights the role of third-party security tools like Wazuh in complementing AWS's built-in security features, and describes Wazuh's capabilities in real-time monitoring, threat detection, and integration with AWS services like CloudTrail and Security Hub. Wazuh aids threat detection and incident response by monitoring logs and network activity and integrating with various AWS tools to detect abnormal behavior. It provides vulnerability management, continuous scanning for threats, and assistance with patch management, and it supports compliance with industry-specific regulations like PCI DSS, HIPAA, and GDPR using predefined policies and continuous security assessments. Overall, Wazuh enhances visibility, control, and response strategies for securing AWS environments.
2025-01-28 15:02:28 bleepingcomputer MALWARE Surge in Cryptojacking: Hidden Threats to Business Infrastructure
In 2023, cryptojacking incidents increased by 659%, a significant rise in this threat. Cryptojacking is the unauthorized use of corporate computing resources to mine cryptocurrencies, and it drives up companies' cloud costs substantially: for every dollar of cryptocurrency mined, businesses incur about $53 in cloud expenses. Unlike ransomware, cryptojacking attacks are stealthy, often going undetected until significant financial damage has occurred. Attack vectors include exploiting vulnerabilities in cloud environments, container infrastructures like Docker, and enterprise applications like Atlassian Confluence. Major industries, including technology and healthcare, have reported severe operational disruptions and unexpected costs due to cryptojacking. To combat it, businesses must implement multi-layered defenses, perform regular security validation, and stay vigilant against emerging threats. Continuous security validation and proactive defensive strategies are crucial to protecting against the subtle yet costly impact of cryptojacking.
2025-01-28 14:08:11 theregister MALWARE Growing Confidence Among Security Pros Against Ransomware Attacks
Nearly 90% of IT and security professionals have faced ransomware attacks in the past year, though confidence in handling these attacks is rising. Recent data indicates a decline in concerns about being a target for ransomware, with the percentage dropping from 68% in 2021 to 64% currently. Professionals also report decreased anxiety over supply chain risks and data leaks compared to previous years. The highest cost of ransomware attacks is now seen in the damage they do to an organization’s reputation, surpassing even lost revenue and legal costs. About 45% of ransomware attacks begin via phishing, highlighting ongoing challenges with email security and user awareness. Ponemon Institute's research in 2024 highlighted a new focus on AI-generated ransomware threats, with professionals concerned about AI's role in enhancing phishing attacks and automating malware. The average time to resolve major ransomware incidents has decreased from 190 hours to 132 hours since 2021, though the cost remains substantial. Only 42% of security professionals have adopted AI-enhanced cybersecurity defenses, despite the increasing discussion and marketing surrounding AI solutions in cybersecurity.
2025-01-28 08:25:21 theregister MALWARE Apple Addresses Zero-Day Vulnerability Exploited in Multiple Devices
Apple has fixed a critical use-after-free vulnerability, identified as CVE-2025-24085, affecting multiple devices including iPhones, iPads, and macOS devices. The flaw was present in the CoreMedia component of iOS and macOS, which handles audio and video processing. The vulnerability allowed a malicious app to potentially elevate privileges on a device, and it was actively exploited as a zero-day. Users of affected Apple devices are urged to update their systems immediately, with patches released for iOS, macOS, watchOS, and tvOS. The security updates not only address CVE-2025-24085 but also fix additional vulnerabilities that could enable code execution and privileged information access. Apple has not disclosed the origin of the exploit nor credited any individual or group for the discovery of the flaw. Apple has included these fixes in iOS 18.3 and iPadOS 18.3, macOS Sequoia version 15.3, watchOS 11.3, and other system updates.
2025-01-27 22:24:10 theregister NATION STATE ACTIVITY US Halts Foreign Aid, Reviews Cybersecurity Support to Allies
The U.S. Secretary of State, Marco Rubio, has frozen nearly all foreign aid, including cybersecurity defense funds for allies. This freeze is part of a government-wide review to ensure foreign assistance is efficient and aligns with the America First policy. The halt impacts funding through the State Department and the U.S. Agency for International Development. The Bureau of Cyberspace and Digital Policy, focused on negotiating international cybersecurity policies, is directly affected. Previously, the U.S. supported nations like Costa Rica and Albania with significant funds for IT defense following cyberattacks. The review comes after President Trump's executive order which included widespread cuts to various Biden-era programs. Newly confirmed DHS head, Kristi Noem, signaled potential cuts to the top U.S. cybersecurity agency, CISA, shifting its focus away from combating misinformation. The State Department has yet to clarify how the cessation of funds will impact broader homeland security, particularly digital defenses globally.
2025-01-27 22:03:14 bleepingcomputer DDOS DeepSeek AI Halts Signups After Severe DDoS Attack
Chinese AI platform DeepSeek has temporarily stopped new user registrations on its DeepSeek-V3 chat platform due to a significant cyberattack. The attack occurred as DeepSeek's AI Assistant app became the top downloaded app on the Apple App Store, surpassing ChatGPT. DeepSeek said the move to limit registrations was made to ensure continued service for existing users, who can still log in as normal. The suspected attack is a distributed denial-of-service (DDoS) aimed at overwhelming DeepSeek's API and Web Chat services with massive traffic. Separately, cybersecurity firm KELA reported vulnerabilities in DeepSeek's AI model that allow it to generate malicious outputs like ransomware. The incident has drawn heightened scrutiny and analysis from cybersecurity communities due to the platform's swift rise in popularity and its competitive stance against US tech giants. DeepSeek has not yet provided detailed comments on the specifics or source of the cyberattack.
2025-01-27 21:08:05 bleepingcomputer MISCELLANEOUS Bitwarden Enhances Security with Mandatory Email Verification
Bitwarden, an open-source password manager, is implementing a new measure to enhance security for users without two-factor authentication (2FA) by requiring email verification for access from unrecognized devices. Starting in February, users attempting to log in from a new device will need to enter a verification code sent to their email to proceed, effectively creating a form of mandatory two-factor authentication. This new security protocol is aimed at protecting user accounts from unauthorized access, particularly for those who have not enabled optional 2FA methods. Users utilizing 2FA methods such as authenticator apps, FIDO-compliant passkeys, API keys, or single sign-on (SSO) are automatically exempt from this new verification process. Self-hosted Bitwarden instances do not fall under the purview of this new security update. Bitwarden recommends that users not store email credentials within their password vault to prevent potential lockouts, as access to the vault will require independent email access. Despite the enhanced security measure, Bitwarden advises maintaining robust, unique master passwords to prevent brute force attacks and ensure optimum security.
2025-01-27 19:20:48 bleepingcomputer CYBERCRIME Apple Releases Fix for Actively Exploited Zero-Day Vulnerability
Apple patched an actively exploited zero-day vulnerability, identified as CVE-2025-24085, impacting iPhones among other devices. The zero-day is a privilege escalation flaw in Apple's Core Media framework, affecting iOS, macOS, tvOS, and watchOS. The critical security update was rolled out in iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, and tvOS 18.3. Apple reported the bug was exploited on iOS versions before 17.2 and urged users to install the updates immediately due to ongoing attack risks. No security researcher has been credited with discovering the flaw, and specific details about the attacks remain undisclosed. The vulnerability affects a broad range of devices, from older to newer models, making the potential impact extensive. Apple has a history of patching multiple zero-days annually, including six in the previous year and 20 in 2023.
2025-01-27 18:55:19 bleepingcomputer NATION STATE ACTIVITY EU Sanctions Russian GRU Hackers for Major Cyberattacks on Estonia
The European Union imposed sanctions on three GRU hackers for cyberattacks against Estonia in 2020. Hackers from GRU’s Unit 29155, identified as Nikolay Korchagin, Vitaly Shevchenko, and Yuriy Denisov, accessed and stole sensitive data from Estonian government ministries. The stolen data included classified documents, business secrets, and health records, compromising security and confidentiality. Unit 29155 has been involved not only in cyberattacks targeting Estonia but also other EU member states and various global entities, including NATO members and North American, European, Latin American, and Central Asian countries. Tactics used by this unit encompass sabotage and destabilization activities such as assassinations, bombings, and extensive cyber operations. More recent operations include focusing on organizations aiding Ukraine, employing techniques such as backdoors, information stealers, and fake ransomware primarily through phishing. In response to these threats, the U.S. State Department has offered a reward of up to $10 million for information on key members of Unit 29155 linked to global attacks on critical infrastructure.
2025-01-27 18:04:03 bleepingcomputer CYBERCRIME Hackers Swipe $85 Million in Cryptocurrency from Phemex Exchange
The Phemex crypto exchange suffered a major security breach, resulting in the theft of over $85 million in cryptocurrency. The breach affected the exchange's hot wallets, while cold wallets remained secure. Phemex immediately froze deposits and withdrawals, activated its emergency response, and moved to address the security weaknesses involved. Initial estimates of the stolen cryptocurrency rapidly escalated from $29 million to $85 million as crypto security experts investigated. The exchange has started restoring withdrawals and advised against using old deposit addresses for future transactions. Investigations involve third-party security firms and law enforcement, although the perpetrators have not yet been identified. Phemex has implemented a new, more secure system, closely monitored by its cybersecurity partner, to prevent future incidents.
2025-01-27 17:48:18 bleepingcomputer CYBERCRIME Microsoft Teams Enhances Security with Phishing Attack Alerts
Microsoft is rolling out a new feature in Teams to protect against brand impersonation and phishing attacks. This security enhancement will be automatically available to all Microsoft 365 customers by mid-February 2025. The feature will alert users of potential impersonation when receiving messages from external domains, crucial for organizations that enable external Teams access. Users will encounter a high-risk Accept/Block screen which requires them to preview messages before proceeding, enhancing security measures. The system will be enabled by default and will not require any administrative action or configuration. Microsoft has observed phishing attempts by various threat actors, including state-sponsored groups and ransomware gangs, using similar impersonation tactics. Admins are advised to update relevant documentation and educate users about the new security feature to mitigate risks effectively. Until the feature is fully implemented, Microsoft recommends disabling external Teams access or using allow lists for necessary external communications to enhance security.
2025-01-27 17:21:19 theregister CYBERCRIME DeepSeek Limits New Users Following Large-Scale Cyberattack
Chinese AI startup DeepSeek has paused new user registrations due to a significant cyberattack. The attack commenced around 21:33 CST on January 27 and was affecting services at the time of reporting. DeepSeek's AI application remains the top free download on the Apple US App Store, surpassing OpenAI's ChatGPT. The company recently released its DeepSeek-R1 model as open source, boasting competitive capabilities against major AI platforms. Financial markets reacted with a sell-off in AI-related stocks, spurred by DeepSeek's cost-effective model development. The incident has underscored ongoing concerns regarding the security and commercial viability of open source AI models. Existing DeepSeek users can continue to access services normally, while the company works to resolve security issues.
2025-01-27 17:06:32 theregister CYBERCRIME Advanced Phishing Scam Nearly Compromises Tech Founder's Google Account
A sophisticated voice phishing scam targeted Hack Club founder Zach Latta, attempting to hijack his Google account. Scammers, posing as Google support, claimed they detected unusual login activity and urged Latta to reset his password. The scam involved a phone call that appeared to come from an official Google number and a convincing email sent from an authentic Google domain. Despite the scammers' efforts to appear legitimate, including providing a correct 2FA code, discrepancies in their story raised Latta's suspicions. The attackers exploited a loophole allowing them to create a fake Google Workspace account on a legitimate Google subdomain (g.co) to send deceptive password reset emails. Google has since suspended the scam account and is increasing security measures to prevent abuse of unverified Workspace accounts. The incident highlights broader vulnerabilities with phone-based phishing commonly exploited against both Google and Apple users, emphasizing the importance of user education on scam recognition.
2025-01-27 16:37:53 bleepingcomputer CYBERCRIME Clone2Leak: Exploiting Git Flaws to Steal Credentials
RyotaK from GMO Flatt Security uncovered vulnerabilities in Git that lead to credential leaks in various Git-related tools. The 'Clone2Leak' attacks exploit flaws in credential helpers, tricking Git into sending credentials to malicious servers. Affected tools include GitHub Desktop, Git LFS, GitHub CLI/Codespaces, and the Git Credential Manager. Malicious actors could carry out these attacks during repository cloning or other Git operations. Security patches are available; users must update to GitHub Desktop 3.4.12+, Git Credential Manager 2.6.1+, Git LFS 3.6.1+, and gh cli 2.63.0+. It is advisable to enable Git's 'credential.protectProtocol' setting as an extra layer of protection against these attacks. No active exploitation has yet been reported, though the public disclosure increases the likelihood of attack attempts.