Svoboda Cybersecurity Brief May 08, 2025


PowerSchool Hackers Extort School Districts Despite Ransom Payment

PowerSchool paid a ransom in December 2024 after a breach, but attackers (likely ShinyHunters) are now extorting individual school districts with stolen data. North Carolina terminated its contract with PowerSchool, switching to InfiniteCampus.
Source: DataBreaches

Play Ransomware Exploits Windows Zero-Day (CVE-2025-29824)

Play ransomware exploited CVE-2025-29824, a CLFS driver flaw, as a zero-day to breach a US organization. Attackers used Grixba malware and created a fake admin user (“LocalSvc”) for persistence.
Impact: Privilege escalation, data exfiltration, and potential ransomware deployment.
Mitigation: Apply Microsoft’s April 2025 patch for CVE-2025-29824.
Source: The Hacker News

UNC3944 (Scattered Spider) Shifts Focus to Retail Sector

UNC3944, a financially motivated group, now targets retail organizations for PII and financial data theft. Linked to DragonForce ransomware, they exploit RansomHub infrastructure. Retail victims on leak sites rose to 11% in 2025.
Source: DataBreaches

OttoKit WordPress Plugin Exploited for Admin Account Creation

Attackers exploit CVE-2025-27007 (9.8 CVSS) in OttoKit to escalate privileges and create admin accounts. Over 100,000 installations are at risk. Exploits observed since May 2, 2025.
Impact: Full site compromise via unauthenticated RCE.
Mitigation: Update to OttoKit v1.0.83.
Source: The Hacker News

Europol Takedown of DDoS-for-Hire Services
