Secret CISO 5/10: Nova Scotia Schools and SogoTrade Hit by Data Breaches, LPL Financial Drops Defamation Suit, Cyber Threats Escalate with PowerSchool Extortion, and Researchers Uncover New Malware Tools

Hello there, Secret CISO readers! In today's issue, we're diving into a series of data breaches that have rocked the cybersecurity world. From Nova Scotia's education system to SogoTrade, LPL Financial, and even the Department of Justice, no sector seems to be immune. We'll be exploring the details of these breaches, the number of people affected, and the potential legal repercussions. We're also looking at the escalating cyber threat landscape, with a particular focus on the return of the PowerSchool cybercriminal. This threat actor is not only targeting schools but also resorting to extortion attempts. In other news, we'll be discussing the implications of budget cuts to the Cybersecurity and Infrastructure Security Agency (CISA), and how these could raise alarms in the cybersecurity community.

We'll also be examining how security measures have changed the hacker marketplace, and the recent hacking of the LockBit Ransomware Gang, which led to a significant data leak. Finally, we'll be sharing some quick tips to prepare for a data incident and discussing the role of security researchers in the current cybersecurity landscape. Stay tuned for all this and more in today's issue of Secret CISO. Stay safe out there!

Data Breaches

  1. Nova Scotia School Cyberattack: A data breach in Nova Scotia's education system affected nearly 42,000 students, parents, and staff. The breach spanned several years and the province is now offering online protection to those impacted. Source: CBC
  2. SogoTrade Data Breach: SogoTrade, an online discount brokerage firm, experienced a data breach after identifying suspicious activity on its computer network. A forensic investigation is underway to determine the extent of the breach. Source: GlobeNewswire
  3. PowerSchool Data Breach: A threat actor contacted multiple school districts demanding payments related to student and staff data stolen in a December breach. The breach originated from PowerSchool, a leading provider of K-12 education application technology. Source: K-12 Dive
  4. Ascension Data Breach: Ascension, one of the largest private healthcare systems in the United States, disclosed that a data breach last month affected over 430,000 patients. The extent of the data exposed is still under investigation. Source: Bleeping Computer
  5. LockBit Ransomware Group Data Breach: LockBit, a notorious ransomware group, reportedly suffered a massive data breach. The group's Dark Web leak site was altered, revealing the extent of the breach. Source: Gadgets 360

Security Research

  1. Cloud Identity Is the New Attack Surface: This research highlights the importance of cloud identity in the modern security landscape. It argues that traditional security tools are no longer sufficient, and that identity has become the new perimeter. Source: YouTube
  2. The Elite Microsoft Unit Constantly Working to Thwart Hackers: This research provides an inside look at Microsoft's secretive MSTIC unit, which is constantly working to identify and thwart hacker activity. Source: Bloomberg
  3. Cybersecurity Expert Warns of 'Widespread Epidemic' of Bad Passwords: This research from Cybernews highlights the widespread issue of weak passwords, offering recommendations for improving password security. Source: Yahoo! Tech
  4. Google warns of Russian hackers ColdRiver wielding new malware tools: This research reveals new malware tools being used by the Russian hacker group ColdRiver, highlighting the ongoing threat posed by state-sponsored cybercrime. Source: SC Media
  5. Mistral AI Models Fail Key Safety Tests, Report Finds: This research uncovers key safety vulnerabilities in Mistral AI models, emphasizing the need for a safety-first approach to multimodal AI. Source: BankInfoSecurity

Top CVEs

  1. CVE-2025-0549: GitLab CE/EE versions from 17.3 prior to 17.9.8, 17.10 prior to 17.10.6, and 17.11 prior to 17.11.2 have a vulnerability that allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction. Source: CVE-2025-0549
  2. CVE-2025-4377: Sparx Systems Pro Cloud Server has a Path Traversal vulnerability in logview.php, allowing reading of arbitrary files on the filesystem. This issue affects Pro Cloud Server versions earlier than the current one. Source: CVE-2025-4377
  3. CVE-2025-1993: IBM App Connect Enterprise Certified Container stores its flows in a database that is protected by weaker than expected cryptographic algorithms that could be decrypted by a local attacker. This affects versions 8.1 through 12.10. Source: CVE-2025-1993
  4. CVE-2025-4432: A flaw in Rust's Ring package may trigger a panic when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. Source: CVE-2025-4432
  5. CVE-2025-4206: The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. Source: CVE-2025-4206

API Security

  1. GitLab CE/EE Device OAuth Flow Vulnerability (CVE-2025-0549): A security vulnerability has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. This vulnerability allows attackers to bypass Device OAuth flow protections, enabling unauthorized form submission with minimal user interaction. Source: CVE-2025-0549
  2. Yifang CMS v2.0.2 Server-Side Request Forgery (CVE-2025-45887): Yifang CMS v2.0.2 is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability could allow an attacker to force the server to make requests to arbitrary URLs, potentially leading to data exposure or remote code execution. Source: CVE-2025-45887
  3. Linux Kernel Net: DSA Vulnerability (CVE-2025-37864): A vulnerability has been resolved in the Linux kernel's net: dsa (Distributed Switch Architecture) subsystem. The issue was related to the clean-up of FDB, MDB, and VLAN entries on unbind, and could have allowed an attacker to bypass certain security measures and potentially gain unauthorized access to the system. Source: CVE-2025-37864

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the data breach affecting Cape Breton students and staff, to the escalating cyber threat faced by PowerSchool, and the changing landscape of the hacker marketplace. Remember, in the world of cybersecurity, knowledge is power. By staying informed, we can all play a part in creating a safer digital landscape.

If you found this newsletter helpful, please consider sharing it with your colleagues and friends. Let's work together to spread the word about the importance of cybersecurity. Stay safe and see you in the next edition of Secret CISO.
