A recent cyberattack on PowerSchool has resulted in the compromise of all historical student and teacher data. The breach has affected multiple US school districts, exposing highly sensitive personal information. The impacted data includes all student and teacher records stored within PowerSchool’s systems. This breach represents a significant risk to the privacy and security of student and teacher information.
The US Department of Justice, with the FBI, conducted a multi-month operation to remove the PlugX malware from over 4,200 infected computers in the United States. PlugX is a remote access trojan (RAT) widely used by threat actors associated with the People’s Republic of China. This action targeted the command and control infrastructure used by these actors to compromise systems, disrupting their ability to maintain persistent access and conduct further malicious activities on affected networks. The operation underscores the US government’s proactive efforts in combating state-sponsored cyber espionage activities, aiming to neutralize threats before they can be further leveraged for malicious purposes.
The US Treasury Department sanctioned a Chinese cybersecurity firm, Sichuan Juxinhe, and a Shanghai-based hacker, Yin Kecheng, for their involvement in the Salt Typhoon cyberattacks. These attacks targeted major US telecom companies, compromising sensitive data and the US Treasury’s network, including systems used for sanctions and foreign investment reviews, and even impacted the computer of the outgoing Treasury Secretary Janet Yellen. This highlights the ongoing sophisticated cyber espionage campaigns from China targeting critical infrastructure and government entities within the US and globally. The sanctioned entities are directly linked to the Chinese Ministry of State Security (MSS), and used a combination of zero-day exploits and other techniques for infiltrating networks and exfiltrating data. The compromise of the Department of the Treasury’s network is considered a major breach, potentially impacting national security due to access to sensitive information.
A critical zero-day vulnerability, tracked as CVE-2025-0282, has been discovered in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. This stack-based buffer overflow allows unauthenticated remote attackers to achieve remote code execution. This is in addition to CVE-2025-0283 which is another stack-based buffer overflow, which requires a local authenticated attacker. This vulnerability is currently being actively exploited in the wild. Organizations are advised to apply the available patches immediately and perform factory resets to ensure complete removal of any potential malware. Ivanti has a long history of being targeted.
Eindhoven University of Technology (TU/e) suffered a cyber attack, forcing the university to take its network offline. This resulted in a suspension of classes. The university is located near ASML, a key chip manufacturer, raising concerns about the wider impact. The university shut down its computer network as a precautionary measure to mitigate the attack. The network systems were made inaccessible. There is no confirmation yet on data theft.
The Chinese state-sponsored hacking group ‘Silk Typhoon’ has been linked to a significant breach of a US Treasury agency in December 2024, with further reports indicating they also compromised the Committee on Foreign Investment in the United States (CFIUS), which assesses national security risks associated with foreign investments. The attackers are suspected to have stolen sensitive information from both the Treasury and the CFIUS, which has raised significant concerns in the US government. This coordinated attack demonstrates a pattern of sophisticated cyber espionage activities by the Silk Typhoon group.
The MirrorFace APT, linked to China, has been conducting extensive cyber espionage campaigns against Japan since 2019. The group uses malware delivered via email attachments, and exploits VPN vulnerabilities to steal sensitive information. Targets include the Japanese government, defense, aerospace, semiconductor, communications and research organizations. The group uses tools like ANEL and NOOPDOOR for its attacks. The campaign shows a deep focus on infiltrating Japanese national security and advanced technology sectors.
The International Civil Aviation Organization (ICAO), a United Nations agency, has confirmed a cyberattack resulting in the theft of 42,000 records from its recruitment database. The breach has raised concerns about the security of personal information held by international organizations, and a probe is underway to understand the extent of the damage. This incident highlights the need for enhanced security measures to protect sensitive data within international organizations.
Chinese state-sponsored threat actors compromised the US Treasury Department by exploiting a vulnerability in a third-party software provider, BeyondTrust. The attackers accessed employee workstations and exfiltrated unclassified documents. This incident highlights the risk associated with third-party dependencies and supply chain attacks. The attackers gained remote access, raising concerns about the security posture of government agencies. The affected systems were not immediately identified but were confirmed to be workstations.
French tech giant Atos, a major contractor for the French government and military, is denying claims by the Space Bears ransomware gang that they have breached their systems. The Space Bears group claims to have stolen data and has threatened to leak it, while Atos insists that no breach occurred. This incident highlights the ongoing threat of ransomware attacks, even against major organizations, and the potential for conflicting claims following such attacks. The truth will likely come out if Space Bears publishes the stolen data next week.
Rhode Island’s health benefits system was breached, leading to a data leak on the dark web, compromising residents’ personal data. The compromised data included sensitive information from the state’s health benefits system. This incident demonstrates the ongoing threats to government infrastructure and highlights the importance of robust security measures. The breach underscores the necessity for continuous monitoring and improvements in state-level cybersecurity protocols.