Malware Activity
Threat Actors are Exploiting Current Events
Threat actors are exploiting current events, such as Ross Ulbricht's pardon, to trick users into downloading malware through fake social media accounts and Telegram channels. Meanwhile, a China-aligned hacking group called "PlushDaemon" has conducted a supply chain attack on South Korean VPN provider IPany, compromising the company's VPN installer to deploy custom "SlowStepper" malware, which has infected companies including a semiconductor firm and a software development company. Additionally, cybersecurity researchers have discovered a new BackConnect (BC) malware module linked to the QakBot loader, which has been used to deliver ransomware and other payloads and is part of a larger cybercrime ecosystem with connections to threat groups such as Storm-1811 and FIN7. Furthermore, researchers have identified a series of cyber-attacks targeting Chinese-speaking regions using a known malware called ValleyRAT, which is delivered through a multi-stage loader called PNGPlug and provides attackers with unauthorized access and control over infected machines. These attacks highlight the evolving nature of cyber threats, with threat actors using sophisticated tactics and exploiting current events to trick victims into downloading malware. They also demonstrate the need for users to be cautious when executing unknown code and to analyze the contents of suspicious code before running it. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Telegram Captcha Tricks You article
- BleepingComputer: IPany VPN Breached article
- HackerNews: Qakbot Linked BC Malware article
- HackerNews: PNGPlug Loader Delivers Valleyrat
Threat Actor Activity
62 Million Students and 9 Million Teachers Data Stolen in PowerSchool Cyberattack
Education technology company PowerSchool recently faced a significant cyberattack, with a hacker claiming to have stolen the personal data of 62.4 million students and 9.5 million teachers. PowerSchool, a cloud-based software provider for K-12 schools and districts, revealed that the breach occurred through unauthorized access using stolen credentials, allowing the attacker to exploit the company’s PowerSource customer support portal. This access enabled the download of sensitive data from PowerSIS databases, including Social Security Numbers, medical information, and grades for some students. In response to the breach, PowerSchool paid a ransom to prevent the stolen data from being leaked, as the hacker provided a video claiming the data's deletion. Despite this, PowerSchool has not disclosed specific figures regarding the breach's impact, leading to frustration among stakeholders. Sources indicate that the attack affected students and teachers across 6,505 school districts in the US, Canada, and other countries. Some of the largest impacted districts include Toronto District School Board, Peel District School Board, and Dallas Independent School District. PowerSchool highlighted that the scope of exposed data varies by district due to differing policy requirements. The company assured that less than a quarter of affected students had their Social Security Numbers exposed. PowerSchool is offering two (2) years of free identity protection and credit monitoring services for all impacted individuals, regardless of whether sensitive information like Social Security Numbers was compromised. The company is also coordinating with state attorneys general to notify affected parties. PowerSchool has updated its customer-only FAQ and established a public website for ongoing updates regarding the breach. The company remains committed to supporting the affected students, teachers, and families during this time.
Vulnerabilities
Critical Zero-Day Vulnerabilities in WordPress Real Estate Plugin Affect Over 32,000 Websites
The RealHomes WordPress theme and its accompanying Easy Real Estate plugin are plagued by two (2) critical vulnerabilities, CVE-2024-32444 and CVE-2024-32555, which impact over 23,000 websites and have CVSS scores of 9.8/10. These unauthenticated privilege escalation flaws allow attackers to gain administrative control of affected websites. In the RealHomes theme, improper validation in the “inspiry_ajax_register” function lets attackers assign themselves administrator privileges during account registration by manipulating HTTP requests. Similarly, the Easy Real Estate plugin's “ere_social_register” function enables attackers to log in as administrators using an administrator’s email address due to insufficient email verification. Despite Patchstack's discovery of these vulnerabilities in September 2024 and multiple notifications to the vendor, InspiryThemes has not released security patches, leaving the vulnerabilities exploitable. These issues can result in full site takeovers, including content manipulation, malicious script injection, and sensitive data breaches. CTIX analysts strongly advise website administrators to disable the theme and plugin immediately, restrict user registrations, and monitor for updates while considering third-party security solutions for proactive protection. These vulnerabilities highlight the critical need for secure coding practices, including rigorous input validation, in WordPress themes and plugins.
- Bleeping Computer: WordPress Zero-Day Vulnerabilities Article
- Cybersecurity News: WordPress Zero-Day Vulnerabilities Article
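To illustrate the two flaw classes described above (a registration handler that trusts a client-supplied role, and a social-login handler that trusts a client-supplied e-mail address), the following is an added example of hypothetical WordPress AJAX handlers, each shown in its weak form beside a hardened form. It is not the RealHomes or Easy Real Estate code; the `demo_*` function names, the nonce action names and the `demo_provider_verified_email()` helper are assumptions, and the remaining functions are standard WordPress API calls.

```php
<?php
// Added illustration; hypothetical handlers, not the vendor's code.

// 1a. WEAK registration pattern: the role is read from the request, so an
//     unauthenticated visitor can ask to be created as "administrator".
function demo_vuln_register() {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ),
        'user_email' => sanitize_email( $_POST['email'] ),
        'user_pass'  => $_POST['password'],
        'role'       => $_POST['role'], // client-controlled: the defect
    ) );
    wp_send_json_success( array( 'id' => $user_id ) );
}

// 1b. HARDENED: registration gated on the site setting, input validated,
//     role chosen server-side and never taken from the request.
function demo_safe_register() {
    check_ajax_referer( 'demo_register', 'nonce' ); // nonce name is an assumption
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled', 403 ); // exits
    }
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    if ( ! validate_username( $username ) || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'Invalid registration data', 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}

// 2a. WEAK social-login pattern: the e-mail comes from the client, so knowing an
//     administrator's address is enough to be logged in as that administrator.
function demo_vuln_social_login() {
    $user = get_user_by( 'email', sanitize_email( $_POST['email'] ) );
    if ( $user ) { wp_set_auth_cookie( $user->ID ); }
}

// 2b. HARDENED: the e-mail is obtained server-side from the identity provider.
//     demo_provider_verified_email() is a hypothetical helper that exchanges the
//     provider token at the provider's userinfo endpoint and returns the address
//     only when the provider marks it verified (null otherwise).
function demo_safe_social_login() {
    check_ajax_referer( 'demo_social_login', 'nonce' );
    $email = demo_provider_verified_email( sanitize_text_field( $_POST['provider_token'] ?? '' ) );
    $user  = $email ? get_user_by( 'email', $email ) : false;
    if ( ! $user ) { wp_send_json_error( 'Not authenticated', 401 ); }
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_send_json_success();
}
```

The hardened handlers rely on `wp_send_json_error()` terminating the request, so every failed check stops before any account is created or any cookie is issued.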
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.