Cellebrite to acquire mobile testing firm Corellium in $200 million deal

Security technology company Cellebrite has announced plans to acquire Florida-based mobile testing startup Corellium for $170 million in cash, with an additional $20 million converted to equity at closing and the potential for $30 million more based on performance milestones.

The Israel-headquartered Cellebrite, known for its forensic equipment that unlocks smartphones, said the acquisition would enhance its capabilities for the accelerated identification of mobile vulnerabilities and exploits. The company’s technology often relies on vulnerabilities that have not been publicly disclosed or patched, including zero-days, to access encrypted data stored on mobile devices.

Corellium provides virtual, cloud-based Android and iOS devices for application and security testing. This technology allows researchers and developers to test software without physical devices, creating virtual environments that simulate actual mobile operating systems.

A Cellebrite spokesperson indicated that the deal is expected to close later this year, pending review from the Committee on Foreign Investment in the United States (CFIUS), which evaluates corporate transactions that could affect national security.

The combined companies aim to offer enhanced solutions for customers across public safety, intelligence, defense, and private sectors. These solutions would include advanced tools for identifying mobile vulnerabilities, virtual device interaction, improved DevSecOps solutions, and mobile penetration testing capabilities.

Both companies have faced controversy in recent years. Cellebrite has drawn attention for its mobile forensic tools being used in spyware campaigns that exploit zero-day vulnerabilities. Meanwhile, Corellium was sued by Apple in 2019 for copyright infringement related to its product that replicates the company’s iOS operating system.

That legal battle concluded after a U.S. appeals court ruled in Corellium’s favor in May 2023, with the companies reaching a confidential settlement later that year. Documents revealed during the lawsuit showed that Corellium had engaged with controversial entities, including spyware developer NSO Group.

The acquisition represents a significant consolidation in the mobile security and forensics sector, bringing together two companies with complementary technologies that are used by government agencies and private organizations worldwide for data extraction, security research, and vulnerability testing.

Security experts note that such tools exist in a complex space between legitimate security research and potential surveillance capabilities, raising ongoing questions about the balance between security, privacy, and law enforcement’s access to encrypted data.

The post Cellebrite to acquire mobile testing firm Corellium in $200 million deal appeared first on CyberScoop.

from CyberScoop https://ift.tt/2GRbqys
via IFTTT

Salesforce customers duped by series of social-engineering attacks

A financially motivated threat group posing as IT support has broken into the systems of about 20 organizations by duping employees into installing a malicious, illegitimate version of Salesforce’s Data Loader and granting broader access to cloud-based environments, Google Threat Intelligence Group said in a threat report released Wednesday.

The attacks, which Google attributes to UNC6040, have hit organizations in hospitality, retail and education across the Americas and Europe, resulting in data theft and extortion. 

“Our current assessment indicates that a limited number of organizations were affected as part of this campaign, approximately 20,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, told CyberScoop in an email. “We are tracking at least several extortion attempts, but we cannot comment on how many were successful.”

Organizations’ adoption of widespread integrations and privileged access to multiple cloud-based services in corporate environments — paired with support for single sign-on services such as Okta and authentication protocols like OAuth — amplifies the risk posed by identity-based attacks. 

Attackers have gained access to victim networks by calling targeted employees on the phone and convincing them to install and approve the malicious Salesforce application, exposing sensitive credentials and multi-factor authentication codes, according to Google.

UNC6040 used this access to steal data from the victim organization’s Salesforce environment, and then initiate lateral movement to steal data from other connected platforms, including Okta, Microsoft 365 and Workplace, researchers said.

“Salesforce has enterprise-grade security built into every part of our platform, and there’s no indication the issue described stems from any vulnerability inherent to our services,” a spokesperson for Salesforce said in a statement. “Attacks like voice phishing are targeted social-engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”

Google said the threat group’s social-engineering tactics and initial focus on English-speaking users at multinational companies shares similarities with activities linked to members of “The Com,” suggesting some potential overlap and association with the global collective of loosely affiliated cybercriminals. Yet, researchers noted UNC6040 is unique in focusing on exfiltrating data from Salesforce environments.

Attackers set their phishing lures by calling targeted individuals, posing as IT administrators offering support for alleged general IT issues. UNC6040 claims the issue stems from a nonexistent open IT support ticket that the victim can’t access due to system differences, according to Google.

The victim is then directed to visit a phishing site or a fake “Salesforce Setup Connect” page, which requires an eight-digit code, to close the ticket, researchers said.

Upon entering and confirming the code on their mobile device or computer, victims unwittingly authenticate access to UNC6040 via OAuth and add the malicious application to their Salesforce instance.
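The mechanism the report describes maps onto an OAuth device-style authorization: the client (here, the attacker’s tool) opens a request and receives a short user code; whichever signed-in user types that code on the legitimate verification page approves the request; the client then polls for and receives a token issued in that user’s name. The following is an added, self-contained simulation of that exchange written for this page, not code from Google, Salesforce or UNC6040. It assumes a toy authorization server with an in-memory `allowed_clients` allowlist standing in for an admin-controlled list of approved connected apps; the client names, hostname and victim address are invented.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingDeviceAuth:
    client_id: str
    scope: str
    user_code: str
    created: float
    authorized_by: Optional[str] = None  # subject who typed the user code, once they do


class AuthorizationServer:
    """Minimal OAuth 2.0 device-authorization grant (RFC 8628) server kept in memory.

    Assumption: this models the shape of the flow, not Salesforce's implementation.
    `allowed_clients` stands in for an admin allowlist of approved connected apps.
    """

    def __init__(self, allowed_clients: Optional[set] = None, lifetime: int = 600):
        self._pending = {}       # device_code -> PendingDeviceAuth
        self._by_user_code = {}  # user_code -> device_code
        self._allowed = allowed_clients
        self._lifetime = lifetime

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the client (here, the attacker's modified tool) opens a request."""
        if self._allowed is not None and client_id not in self._allowed:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.randbelow(10 ** 8):08d}"  # the 8-digit code read out over the phone
        self._pending[device_code] = PendingDeviceAuth(client_id, scope, user_code, time.time())
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/setup/connect", "interval": 5}

    def consent_prompt(self, user_code: str) -> Optional[dict]:
        """What the verification page can show: the code itself carries no client identity."""
        dc = self._by_user_code.get(user_code)
        if dc is None:
            return None
        p = self._pending[dc]
        return {"client_id": p.client_id, "scope": p.scope}

    def user_authorizes(self, user_code: str, authenticated_user: str) -> bool:
        """Step 2: a signed-in user types the code; whoever opened the request is now approved."""
        dc = self._by_user_code.get(user_code)
        if dc is None or time.time() - self._pending[dc].created > self._lifetime:
            return False
        self._pending[dc].authorized_by = authenticated_user
        return True

    def token(self, device_code: str, client_id: str) -> dict:
        """Step 3: the client polls until the code has been entered, then receives a token."""
        p = self._pending.get(device_code)
        if p is None or p.client_id != client_id:
            return {"error": "invalid_grant"}
        if p.authorized_by is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        del self._by_user_code[p.user_code]
        return {"access_token": secrets.token_urlsafe(32), "sub": p.authorized_by, "scope": p.scope}


def vishing_flow(server: AuthorizationServer, attacker_client: str = "modified-data-loader",
                 victim: str = "alice@victim.test") -> dict:
    """Replays the sequence from the report: attacker starts the flow, reads the victim
    the user code, the victim types it on the real page, the attacker collects the token."""
    start = server.device_authorization(attacker_client, "api refresh_token")
    if "error" in start:
        return start  # an allowlist refuses the client before any code exists to read out
    first_poll = server.token(start["device_code"], attacker_client)
    if first_poll.get("error") != "authorization_pending":
        return {"error": "unexpected state"}
    server.user_authorizes(start["user_code"], victim)  # the only step the victim performs
    return server.token(start["device_code"], attacker_client)
```

The point the simulation makes is that the victim never hands over a password: the only input is the code, and the server binds the victim’s existing session to a request the attacker created. The two controls that change the outcome are visible in the model: the consent page must show which client and which scopes the code belongs to, and an allowlist of approved clients stops the flow before any code exists to be read out over the phone.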

Salesforce, which maintains that security is a shared responsibility, warned customers of threats posed by social-engineering attacks in guidance it released in a blog post earlier this year.

Chinese hackers used Google Calendar to aid attacks on government entities

Google said Wednesday that it caught suspected People’s Republic of China-backed hackers leveraging its Calendar service to help stealthily stage attacks on government agencies.

In late October of last year, Google Threat Intelligence Group said it “discovered an exploited government website hosting malware being used to target multiple other government entities,” the company’s Patrick Whitsell wrote in a blog post. The exploited website delivered malware the company dubbed TOUGHPROGRESS that took advantage of Google Calendar for command and control (C2) to help it blend in with authentic activity.

Google determined “with high confidence” that the group behind the attacks was APT41, the Chinese Ministry of State Security-linked outfit alternatively known by a host of other names such as Wicked Panda, Winnti and Double Dragon.

“To disrupt APT41 and TOUGHPROGRESS malware, we have developed custom fingerprints to identify and take down attacker-controlled Calendars,” Whitsell wrote. “We have also terminated attacker-controlled Workspace projects, effectively dismantling the infrastructure that APT41 relied on for this campaign. Additionally, we updated file detections and added malicious domains and URLs to the Google Safe Browsing blocklist.”

There are signs that hacker exploitation of Google Calendar has been on the uptick. And APT41 has been increasingly on the radar since 2019 for going after a wide range of industries and sectors, from government to entertainment to technology to automotive targets. In 2020, the Justice Department charged seven individuals in a hacking campaign that it linked to APT41 and that it said hit hundreds of targets in the United States and elsewhere. 

In the latest case, as Google explained in the blog post, APT41 delivered the malware payload through spearphishing emails that linked to an archive hosted on the compromised government site, padded with phony files and decoy PDFs. TOUGHPROGRESS reads and writes events in an attacker-controlled Google Calendar, Google said: the operator places encrypted commands in events on specific, hardcoded past dates; the malware polls the Calendar for those events, decrypts and executes the commands, then encrypts the output and writes it back into another Calendar event for the operator to collect.
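A defender with Calendar audit or API access can hunt for that pattern without knowing the malware’s key: the events are zero-duration, sit on a date long before they were created, have no attendees, and carry a description that is an opaque encoded blob rather than text. The following detection heuristic is an added example written for this page, not code from Google’s blog post; the three events are constructed, their dates and contents are invented rather than indicators from the report, and the blob is a hash chain standing in for ciphertext.

```python
import base64
import binascii
import hashlib
from datetime import datetime


def _fake_ciphertext(seed: bytes = b"constructed-sample", length: int = 96) -> bytes:
    """Deterministic bytes that look like an encrypted blob (hash chain; no real cipher)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed events shaped like a subset of Google Calendar API event resources.
# Dates and contents are invented for this example, not indicators from the report.
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Roadmap sync", "created": "2024-10-21T09:00:00Z",
     "start": {"dateTime": "2024-10-24T14:00:00Z"}, "end": {"dateTime": "2024-10-24T14:30:00Z"},
     "attendees": [{"email": "a@example.org"}, {"email": "b@example.org"}],
     "description": "Agenda: Q4 roadmap, hiring, budget."},
    {"id": "evt-2", "summary": "", "created": "2024-10-22T03:14:07Z",
     "start": {"dateTime": "2022-01-01T00:00:00Z"}, "end": {"dateTime": "2022-01-01T00:00:00Z"},
     "attendees": [],
     "description": base64.b64encode(_fake_ciphertext()).decode()},
    {"id": "evt-3", "summary": "Dentist", "created": "2024-10-01T12:00:00Z",
     "start": {"dateTime": "2024-11-02T10:00:00Z"}, "end": {"dateTime": "2024-11-02T11:00:00Z"},
     "attendees": [], "description": ""},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def looks_like_opaque_blob(text: str) -> bool:
    """Strict base64 that decodes to mostly non-printable bytes, as ciphertext would."""
    if len(text) < 64:
        return False
    try:
        raw = base64.b64decode(text, validate=True)
    except (ValueError, binascii.Error):
        return False
    printable = sum(32 <= b < 127 for b in raw)
    return printable / len(raw) < 0.75


def score_event(event: dict) -> list:
    """Returns the reasons an event resembles a C2 mailbox rather than a meeting."""
    reasons = []
    start, end = _ts(event["start"]["dateTime"]), _ts(event["end"]["dateTime"])
    if start == end:
        reasons.append("zero-duration event")
    if (_ts(event["created"]) - start).days > 30:
        reasons.append("created long after its own date")
    if not event.get("attendees"):
        reasons.append("no attendees")  # weak on its own, hence the min_reasons threshold
    if looks_like_opaque_blob(event.get("description", "")):
        reasons.append("opaque binary-looking description")
    return reasons


def flag_c2_candidates(events: list, min_reasons: int = 3) -> list:
    """Keeps events that trip at least `min_reasons` of the heuristics above."""
    flagged = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            flagged.append((ev["id"], reasons))
    return flagged
```

Each signal is weak alone (personal reminders are often zero-length and attendee-free), which is why the function requires several to coincide; tune `min_reasons` and the printable-byte ratio against a sample of the organization’s own calendars before alerting on it.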

“Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity,” Whitsell wrote.

The Chinese government denies all claims of connections to any hacking groups.

Zscaler acquires Red Canary for boost in AI-driven security operations

Zscaler announced Tuesday its intention to acquire Red Canary, a company known for Managed Detection and Response (MDR) services, to boost its ability to integrate artificial intelligence, automation and human expertise into its security offerings. 

The acquisition is positioned around the convergence of Zscaler’s data-driven, AI-centric cloud security and Red Canary’s decade of operational expertise in MDR. Zscaler’s executive leadership emphasizes the blending of large-scale data intelligence and automated, agentic Security Operations Centers (SOCs) with the capabilities of ThreatLabz, its security research division.

“The proposed acquisition of Red Canary is a natural expansion of our capabilities into managed detection and response and threat intelligence to accelerate our vision of AI-powered SOC of the future,” Jay Chaudhry, CEO and founder of Zscaler, said in a press release. “By integrating Red Canary with Zscaler, we will deliver to our customers the power of a fully integrated Zero Trust platform and AI-powered security operations.”

Red Canary, with over a decade of experience in MDR and security operations, is known for accelerating threat investigation and automating remediation at scale. Its core value proposition focuses on swift, accurate threat detection, claiming up to a tenfold reduction in investigation time and an accuracy rate of 99.6% across extensive customer deployments.

Zscaler brings scale and data depth to the equation, protecting nearly 45% of Fortune 500 enterprises. Its cloud security platform handles more than 500 billion transactions per day, forming a substantial data lake used to fuel AI-based security products and digital experience tools.

By joining Zscaler, Red Canary anticipates access to a broader array of security data, including that processed on Zscaler’s Zero Trust Exchange and exposure management systems. The integration aims to enhance the speed and accuracy of threat detection, further leveraging cross-domain insights from endpoints, networks, cloud workloads, and identity systems.

“We’re about to gain access to 500 billion daily transactions of data and threat intelligence processed on Zscaler’s Zero Trust Exchange and exposure management data,” Brian Beyer, Red Canary CEO and co-founder, said in a release. “This will significantly enhance our ability to detect threats faster and more accurately. The innovation this will bring is going to be incredible.”

The deal reflects a growing trend in cybersecurity toward consolidation and integration, as enterprises are seeking to centralize their data, automate detection and response, and use AI to offset talent shortages.

Earlier this month, Proofpoint acquired Germany-based Hornetsecurity for $1 billion. In March, Google announced plans to acquire Israeli-founded cloud security startup Wiz for $32 billion, while Palo Alto Networks revealed its intention in April to purchase AI-focused startup Protect AI.

Terms of the deal were not disclosed. The agreement, subject to regulatory approvals, is expected to close in August 2025. 

Mandiant flags fake AI video generators laced with malware

As the internet fills up with clips from AI-video generators, hacking groups are seeding the online landscape with malware-laced programs and fake websites hoping to cash in on the trend.

Tracked by researchers at Mandiant and Google Cloud, the campaign is being carried out by a group identified as “UNC6032.” Since mid-2024, they have spread thousands of advertisements, fake websites and social media posts promising victims access to popular prompt-to-video AI generation tools like Luma AI, Canva Dream Lab and Kling AI.

Fake ads for AI-video generators that lead to phishing lures and deploy malware on victim devices. [Source: Mandiant and Google Cloud]

Those promises lead to phishing pages and malware, with the group deploying infostealers and backdoors on victim devices. Compromised parties saw their login credentials, cookies, credit card data and in some cases Facebook information stolen, and the scheme appears to be impacting a wide range of industries and geographic areas.

“Mandiant Threat Defense has identified thousands of UNC6032-linked ads that have collectively reached millions of users across various social media platforms like Facebook and LinkedIn,” wrote researchers Diana Ion, Rommel Joven and Yash Gupta. “We suspect similar campaigns are active on other platforms as well, as cybercriminals consistently evolve tactics to evade detection and target multiple platforms to increase their chances of success.”

The emergence of highly realistic AI prompt-to-video generation tools over the past several months has generated curiosity, concerns and a significant amount of interest from the public. According to Google Trends, internet searches for AI video generation tools have surged over the past year, and especially since April.

Graph from Google Trends showing the rise in internet searches for “AI video generator” over the past year. [Source: Google Trends]

The technology today is capable of creating startlingly lifelike people and scenes with virtually none of the glitching or visual cues that made previous AI-generated videos easier to spot.

Cybersecurity company Morphisec, which published similar research earlier this month, noted how the proliferation of AI video generators over the past year has lowered the barrier for new entrants, giving even low-technical users the ability to create realistic fake media. The rush to jump on this latest trend, from users who may not be highly technical or familiar with AI tools, represents a new opportunity for cybercriminals and hackers.

“What makes this campaign unique is its exploitation of AI as a social engineering lure — turning an emerging legitimate trend into an infection vector,” wrote Morphisec researcher Shmuel Uzan. “Unlike older malware campaigns disguised as pirated software or game cheats, this operation targets a newer, more trusting audience: creators and small businesses exploring AI for productivity.”

Mandiant researchers gave a shout-out to Meta, which was apparently aware of and investigating UNC6032’s campaign before being notified by Mandiant, and contributed to the research. Using Meta’s ad library, which has enhanced ad targeting information for European users due to regulations, Mandiant’s team found more than 30 different websites that were cited in thousands of fake ads, mostly on Facebook through attacker-created pages or hacked accounts. Nearly all the websites advertised free or high-quality AI-video generation capabilities.

“Once the user provides a prompt to generate a video, regardless of the input, the website will serve one of the static payloads hosted on the same (or related) infrastructure,” the researchers wrote.

Google Cloud has said UNC6032 has a “nexus” to Vietnam. Mandiant and Google Cloud use the term “UNC” to denote unique clusters of hacking activity for which there is only limited available information and telemetry. 

That means UNC6032 may be an offshoot of a previously tracked threat group using different tactics, techniques and procedures or a completely new hacking group, and while the activity has a “nexus” to Vietnam, that does not necessarily imply a state-based connection. 

New Russian state-sponsored APT quickly gains global reach, hitting expansive targets

A newly discovered Russian state-sponsored threat group has targeted a large swath of industries, especially in NATO member states and Ukraine, part of a global espionage campaign in support of Moscow’s interests, Microsoft Threat Intelligence said in a Tuesday blog post. 

Laundry Bear, a group Microsoft tracks as Void Blizzard, has attacked multiple governments and critical infrastructure providers since at least 2024. The Dutch intelligence and security services said Tuesday that the group infiltrated the Netherlands’ national police force’s systems in September 2024 and stole work-related contact details on police staff.

“We have seen this hacker group successfully gain access to sensitive information from a large number of government organizations and companies worldwide,” Peter Reesink, director of the Netherlands’ Military Intelligence and Security Service (MIVD), said in a statement Tuesday, according to a translation. “Laundry Bear is looking for information about the purchase and production of military equipment by Western governments and Western deliveries of weapons to Ukraine.”

The group’s initial access methods lack sophistication, yet the group has gained access to and stolen data from multiple organizations in critical sectors. 

“While Void Blizzard’s tactics, techniques, and procedures are not unique among advanced persistent threat actors or even Russian nation state-sponsored groups, the widespread success of their operations underscores the enduring threat from even unsophisticated TTPs when leveraged by determined actors seeking to collect sensitive information,” Microsoft threat researchers said in the blog post.

Void Blizzard has engaged in espionage targeting government agencies, defense suppliers, and organizations in communications, IT, health care, education, media and transportation since mid-2024, according to Microsoft.

“The threat actor uses stolen credentials — which are likely procured from commodity infostealer ecosystems — and collects a high volume of email and files from compromised organizations,” Microsoft threat researchers said. The group likely obtains session cookies and credentials from criminal marketplaces, and has also been observed using password spray attacks, Microsoft added.

Void Blizzard uses these credentials to gain initial access to Exchange and SharePoint Online for intelligence gathering. The group then abuses legitimate cloud APIs to sift through mailboxes and cloud-hosted files prior to automating bulk theft of cloud-hosted data, Microsoft said.

In some cases, the group has accessed Microsoft Teams conversations and messages, and cataloged Microsoft Entra ID configurations to gain information about users, roles, groups, applications and devices belonging to that account. 
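Because the access uses valid credentials and legitimate cloud APIs, the signal is in the volume and origin of mailbox reads rather than in any malware. The following is an added detection example written for this page, not code from Microsoft or the Dutch advisory; the audit lines are constructed, modelled on a reduced set of fields from Exchange Online MailItemsAccessed records, and the per-user IP baseline is invented in place of the 30-day sign-in history a real deployment would derive it from.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Known-good source IPs per user (constructed; in practice derived from sign-in history).
BASELINE_IPS = {
    "hr-lead@example.org": {"203.0.113.10"},
    "cfo@example.org": {"203.0.113.10", "203.0.113.11"},
}

# Constructed audit lines modelled on a reduced set of MailItemsAccessed fields.
AUDIT_LOG = """\
{"CreationTime":"2024-09-12T08:02:11","Operation":"MailItemsAccessed","UserId":"hr-lead@example.org","ClientIPAddress":"203.0.113.10","MailAccessType":"Bind","OperationCount":12}
{"CreationTime":"2024-09-12T08:40:55","Operation":"MailItemsAccessed","UserId":"hr-lead@example.org","ClientIPAddress":"203.0.113.10","MailAccessType":"Bind","OperationCount":9}
{"CreationTime":"2024-09-12T09:01:03","Operation":"MailItemsAccessed","UserId":"cfo@example.org","ClientIPAddress":"203.0.113.11","MailAccessType":"Bind","OperationCount":20}
{"CreationTime":"2024-09-12T22:10:30","Operation":"MailItemsAccessed","UserId":"cfo@example.org","ClientIPAddress":"198.51.100.7","MailAccessType":"Sync","OperationCount":300}
{"CreationTime":"2024-09-12T22:18:02","Operation":"MailItemsAccessed","UserId":"cfo@example.org","ClientIPAddress":"198.51.100.7","MailAccessType":"Sync","OperationCount":400}
{"CreationTime":"2024-09-12T22:29:48","Operation":"MailItemsAccessed","UserId":"cfo@example.org","ClientIPAddress":"198.51.100.7","MailAccessType":"Sync","OperationCount":250}
{"CreationTime":"2024-09-13T07:55:19","Operation":"MailItemsAccessed","UserId":"cfo@example.org","ClientIPAddress":"203.0.113.10","MailAccessType":"Bind","OperationCount":15}
"""


def parse_records(text: str) -> list:
    """One JSON object per line; CreationTime is parsed to a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def detect_bulk_mail_access(records, baseline, window=timedelta(hours=1), threshold=500):
    """Flags (user, ip) pairs whose MailItemsAccessed counts exceed `threshold` in any
    sliding `window`, with extra reasons for unfamiliar source IPs and Sync-style pulls."""
    by_pair = defaultdict(list)
    for rec in records:
        if rec.get("Operation") == "MailItemsAccessed":
            by_pair[(rec["UserId"], rec["ClientIPAddress"])].append(rec)
    alerts = []
    for (user, ip), recs in by_pair.items():
        recs.sort(key=lambda r: r["CreationTime"])
        peak, left, running = 0, 0, 0
        for right, rec in enumerate(recs):  # two-pointer sliding window over sorted records
            running += rec["OperationCount"]
            while recs[right]["CreationTime"] - recs[left]["CreationTime"] > window:
                running -= recs[left]["OperationCount"]
                left += 1
            peak = max(peak, running)
        if peak < threshold:
            continue
        reasons = [f"{peak} items in one window"]
        if ip not in baseline.get(user, set()):
            reasons.append("source IP outside user's baseline")
        if any(r.get("MailAccessType") == "Sync" for r in recs):
            reasons.append("Sync access (whole-folder pull)")
        alerts.append({"user": user, "ip": ip, "peak": peak, "reasons": reasons})
    return alerts
```

The threshold is a placeholder; legitimate mail clients performing an initial Sync also produce large counts, so the IP-baseline and access-type reasons are what separate a new laptop from a stolen session replayed from unfamiliar infrastructure.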

Microsoft Threat Intelligence in April identified a Void Blizzard adversary-in-the-middle spear-phishing campaign that targeted more than 20 non-governmental organizations in Europe and the United States. In those attacks, the threat group used a typosquatted domain to spoof the Microsoft Entra authentication page. 

“This new tactic suggests that Void Blizzard is augmenting their opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors,” Microsoft said.

Microsoft declined to answer questions about how many attacks have been attributed to Void Blizzard to date and how much the group’s threat activity levels have increased in the past year.

Laundry Bear has targeted “virtually all countries” in the European Union and NATO, Dutch intelligence and security agencies said in a cybersecurity advisory, adding that the group has also attacked organizations in Eastern and Central Asia. 

Dutch officials said Laundry Bear operates at a high pace and described the group as “very successful,” compared to some other Russian state-sponsored threat groups.

Proofpoint to acquire Hornetsecurity for over $1 billion

Proofpoint has entered into an agreement to acquire Hornetsecurity Group, a Germany-based provider of Microsoft 365 security services, in a deal reportedly valued at more than $1 billion.

The acquisition, described as the largest in Proofpoint’s history, comes amid accelerating consolidation in the cybersecurity industry as companies seek to broaden their offerings to enterprise customers of all sizes. While Proofpoint did not disclose terms, CNBC reports the deal is “well over” $1 billion. 

Hornetsecurity, headquartered in Hannover, Germany, serves more than 12,000 managed service providers (MSPs) and 125,000 small and mid-sized businesses (SMBs) primarily across Europe. According to a press release announcing the deal, Hornetsecurity brings in $160 million in annual recurring revenue, with growth exceeding 20% year over year. 

For Proofpoint, the acquisition provides an entry point into the SMB market through Hornetsecurity’s established MSP network.

“As attackers grow more sophisticated and people remain the primary target, organizations need security that protects them wherever they work — across email, cloud applications, and every digital channel,” said Sumit Dhawan, CEO of Proofpoint. “With the addition of Hornetsecurity, we’re excited to extend our industry-leading, human-centric security platform to better serve the unique needs of MSPs and SMBs. We look forward to deepening our investment in the European markets as part of our global growth strategy.”

Both companies concentrate on offering products that work within Microsoft’s cloud platform. Hornetsecurity’s flagship product, 365 Total Protection, provides MSPs with a multi-tenant platform that includes email security, backup, security awareness training, access control, and domain fraud protection. Proofpoint, which also touts a security software suite aimed at protecting Microsoft 365 instances, also recently expanded its partnership with Microsoft.

The deal follows several major acquisitions in the cybersecurity sector. In March, Google announced plans to acquire Israeli-founded cloud security startup Wiz for $32 billion, while Palo Alto Networks revealed its intention in April to purchase AI-focused startup Protect AI.

The transaction comes as Proofpoint, which was taken private by Thoma Bravo in 2021 for $12.3 billion, is exploring an IPO, according to the CNBC report.

The Hornetsecurity transaction is expected to close in the second half of 2025. 

Who needs VC funding? How cybercriminals spread their ill-gotten gains to everyday business ventures

Cybercriminals aren’t so different from the rest of us — they live in the real world, and their spending and investment habits, though funded through crime, can look surprisingly ordinary. Luxury cars and lavish vacations may still grab headlines, but those perks are reserved for the most elite cybercriminals.

In reality, everyday businesses — like pizza delivery, construction supplies, or tattoo parlors — are supported by the fruits of the labor that comes from a life of cybercrime.

An extensive investigation by Sophos X-Ops, pulled from thousands of posts on two Russian-language and three English-language cybercrime forums, uncovered the dark underbelly of illegal schemes cybercriminals use to reinvest their money. Yet, researchers also discovered a vast community of chatty cybercriminals seeking to help each other launder their money with more common business pursuits.

According to John Shier, field chief information security officer of threat intelligence at Sophos, alleged cybercriminals on these forums are pursuing an immense range of businesses, investment proposals and startup ideas.

“A lot of this cybercrime is fueled by crypto, and it’s kind of useless in the real world,” Shier told CyberScoop. “So, they need to be able to move that cryptocurrency into some sort of fiat, some sort of valuable something that they can actually spend in the real world.”

The discussion of legitimate businesses as a vehicle for laundering money is brazen, he said. Some guides and detailed instructions shared on these forums also reveal how extensively cybercriminals collaborate to diversify and develop specialized ways to funnel their money. 

Sticking to what they know

Businesses that cybercriminals prop up with their ill-gotten gains include everything from drive-thru coffee shops to real estate, education, pharmaceuticals, construction, software development and — wait for it — cybersecurity companies and services. 

Users on these forums proposed selling spyware to pentesters and corporations, developing exploits or finding vulnerabilities in local businesses’ networks to then turn that into an opportunity to sell protective services. “I accidentally found myself in this situation, raised a lot of money and got a regular client,” an unnamed user wrote, according to Sophos.

Researchers also observed proposals for security startups specializing in vulnerability research and a hash decryption service using a commercial cloud provider. One user recommended an investment in a prominent cybersecurity vendor.

“Irony aside, this raises the concerning possibility that threat actors could become shareholders of a company that tracks and disrupts threat actors,” Sophos X-Ops researchers said in the report.

“It is concerning that you’d have people with motivations that are criminal, that are investing in businesses that are supposed to be helping organizations withstand cybercrime,” Shier said.

While it’s a positive when someone leaves a life of cybercrime behind, Shier said he doubts that’s the case for individuals communicating within the criminal underground. The potential for insider-type activity is real, where “the protectors are actually the ones that are in the ski masks and pointing a gun at you,” he said.

Crime begets more crime

Some of the guides Sophos found covered step-by-step methods for investing in gold or diamonds, establishing shell companies, money laundering, and importing and exporting.

Researchers described some business interests as “gray,” including pornography and gambling. 

Outright illegal activities were abundant on these forums as well. This includes bots, pyramid schemes, sex work, drugs, tax evasion, insider trading and reinvesting in cybercrime. 

“Invest it in the business that brought you this income. It’s obvious,” one user said in a forum, according to Sophos. 

Researchers observed multiple investment opportunities for malware and campaigns already in progress or development, including botnets, infostealers, phishing tools, SIM-swapping and a year-old DDoS-related project.

In one especially striking post, an alleged cybercriminal shared how they bought properties solely for the purpose of burying large sums of cash underground. 

A screenshot of the post Sophos shared with CyberScoop included detailed instructions for preparing the cash and selecting site locations. It was recommended that bank notes should be dry and free of any sign of mildew, arranged in piles, vacuum sealed into plastic bags, and then placed into large airtight bags with silica gel packets, before being sealed into a PVC drum and buried at least five feet deep, away from roots and on higher ground.

“Cover the hole when you’re done and write down the GPS coordinates so you or your descendants can easily find the location in the future,” the post explained. 

“If you’ve got so much money that you just need to start burying it like that, that, to me, is a pretty big red flag,” Shier said. “Are they building generational wealth here? Like, how much money are we talking about?”

Follow the money to what end?

Threat intelligence spans both physical and digital realms to help organizations detect and prevent malicious activity. While most of this research focuses on identifying new attacks and post-compromise activities, far less attention is paid to tracking the money once cybercriminals acquire it.

“We know that money enters the system very often through fraud or through things like ransomware, computer crime, but how it exits the system helps us maybe have a better idea of how we can monitor those different avenues,” Shier said.

“If we can just shine lights on absolutely everything, then it becomes a lot more difficult for them to hide,” he said. 

The legitimate businesses and gray-area pursuits that cybercriminals squeeze for additional profit ultimately implicate innocent people, creating more downstream victims, according to Shier.

“Cybercriminals are no different than the mafia, than other organized criminals. They’re going to use every avenue at their disposal,” he said. “We need to be able to shine as many lights on that as possible, so that then law enforcement and the judicial system can do what they need to do to prosecute these people.”

PowerSchool customers hit by downstream extortion threats

Five months after education software vendor PowerSchool paid an unnamed threat actor a ransom in exchange for the deletion of sensitive stolen data, some of the company’s customers are now receiving extortion demands. 

A threat actor, who may or may not be the same criminal group behind the attack, has contacted four school district customers of PowerSchool in the past few days, CyberScoop has learned, threatening to leak data if they don’t pay. 

The downstream extortion attacks highlight the ongoing risk organizations confront when a vendor is hit by a cyberattack, exposing not just their data but also that of others in their supply chain. The follow-on extortion attempts also underscore that paying ransoms for data does not guarantee stolen data won’t be leaked.

“PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident,” a company spokesperson said Wednesday in a statement. “We do not believe this is a new incident, as samples of the data match the data previously stolen in December.”

The company did not say how much it paid in ransom. “We made the decision to pay a ransom because we believe it to be in the best interest of our customers and the students and communities we serve,” the spokesperson said. 

“We thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action,” the spokesperson added. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

PowerSchool provides a suite of cloud-based software — including a student information system — to K-12 schools and districts, supporting more than 60 million students and 18,000 customers in over 90 countries. The company says its customers include more than 90 of the 100 largest school districts in the United States. 

The company identified suspicious activity in the PowerSchool Student Information System on Dec. 28 of last year. CrowdStrike, which already provided endpoint detection-and-response software and a threat-hunting service to PowerSchool, began an investigation into the circumstances behind the attack the following day.

The unnamed attacker gained access to PowerSchool’s system with a compromised credential for a support user in the company’s PowerSource support portal. The level of access granted to a support technician includes “sufficient permissions to gain access to customer SIS database instances for maintenance purposes,” CrowdStrike said in an investigation report it released in late February. 

The threat actor stole data from the “teachers” and “students” tables of the PowerSchool SIS instances for certain PowerSchool customers between Dec. 19 and Dec. 23, according to CrowdStrike’s report. The incident response firm said it found no evidence of system-layer access or malware, and nothing to indicate that PowerSchool customer IT environments outside of PowerSource and PowerSchool SIS were compromised or at risk of intrusion due to the attack.

CrowdStrike found evidence of earlier unauthorized activity in the PowerSchool environment associated with the compromised support credentials between Aug. 16 and Sept. 17, but it couldn’t attribute this activity to the threat actor responsible for the malicious activity in December 2024.

The last evidence of threat actor activity occurred Dec. 28, when the attacker “used the compromised support credentials to log in to the maintenance interface of PowerSource to interact with PowerSchool SIS,” CrowdStrike said in the report.

PowerSchool customers have contacted the company to inform it of the recent extortion demands and threats. 

“We have reported this matter to law enforcement both in the United States and in Canada, and are working closely with our customers to support them,” the company spokesperson said. “We sincerely regret these developments — it pains us that our customers are being threatened and re-victimized by bad actors.”

The post PowerSchool customers hit by downstream extortion threats appeared first on CyberScoop.

from CyberScoop https://ift.tt/Y1S0HTP

CrowdStrike cuts 5% of workforce after revenue jumped 29% last year

CrowdStrike is cutting 5% of its workforce, about 500 positions, telling its staff that it’s shifting resources and realigning its operating model for growth in new market segments, according to a Wednesday filing with the Securities and Exchange Commission.

The company is slashing headcount following a year of significant growth in a strong market. CrowdStrike’s revenue jumped 29% year-over-year to $3.95 billion in fiscal year 2025, which ended Jan. 31. Yet, the company also reported a net loss of $19.3 million in FY25 after reporting net income of $89.3 million the previous year.

CrowdStrike’s growing use of artificial intelligence for internal operations was a factor behind the decision to cut staff in certain roles, according to CEO George Kurtz. “AI flattens our hiring curve, and helps us innovate from idea to product faster,” he said in a letter to employees. “It streamlines go-to-market, improves customer outcomes, and drives efficiencies across both the front and back office. AI is a force multiplier throughout the business.”

The company plans to continue hiring for customer-facing and product engineering roles, but layoffs in other areas of the business suggest that AI’s ability to automate some tasks and boost productivity has made some roles redundant.

Industry analysts question the extent to which CrowdStrike needed to or chose to point to AI as a factor leading to layoffs.

“We have to be careful that AI isn’t being used as an excuse for some area of the business that is underperforming,” said Neil MacDonald, a vice president and analyst at Gartner. 

“AI tools are used to make a given employee more productive, therefore you don’t need as many people,” MacDonald said. “But if you’re growing, what it means is you don’t have to hire as many [people], but it doesn’t necessarily mean you have to lay people off.”

CrowdStrike is the second-largest provider of endpoint protection, a market segment that drives the bulk of its revenue. Its market share in that segment grew from 20.3% in 2023 to 21.3% in 2024, according to Gartner.

Jeff Pollard, VP and principal analyst at Forrester, said Kurtz’s mention of AI likely came from some AI-related efficiency gains, but noted there’s also an industrywide trend at play. 

“Some amount of AI-washing is now prevalent in every one of these announcements and this is no exception,” he said. “In much the same way that ‘we take privacy and security very seriously’ can be found in every breach disclosure, so too can ‘AI productivity’ in workforce reduction announcements.”

Unfortunately, Pollard said, CrowdStrike’s “obligatory mention of AI” will be widely emulated by other cybersecurity vendors. 

Business leaders across multiple industries say they are looking to use AI to cut their workforce by at least 10% and up to 30%, including customer service, creative and administrative roles, according to Zeus Kerravala, principal analyst at ZK Research. 

“The layoffs are part of a broader set of efficiencies and I’m fully expecting to see more. This was only 5% and I think it’s more indicative of the state of AI rather than the state of cyber,” Kerravala said. 

“The layoffs should be viewed more as the evolution of AI and the changing nature of cyber rather than issues at CrowdStrike,” he added.

Kurtz said the decision to cut staff was predicated on and driven by other factors as well. These include, he said, a push to consolidate more customers on CrowdStrike’s Falcon platform, and multibillion-dollar opportunities in new market segments, such as tools for next-generation security information and event management, identity, cloud and exposure management.

The company’s goals beyond its core business in endpoint protection pose an important question in the face of these layoffs, according to MacDonald. 

CrowdStrike is growing, gaining market share in cloud protection and SIEM last year, he said, but the company is still a relatively small player in those areas, and perhaps it’s not growing as quickly as it hoped in newer market segments.

“The cyber industry is changing with platforms starting to take hold over point products,” Kerravala said. “CrowdStrike will likely have to cut heads as they bring in talent around how to build and monetize platforms.”

The layoffs also come nearly 10 months after a faulty CrowdStrike Falcon security software update caused millions of Microsoft Windows systems to malfunction. That mistake caused major issues for businesses worldwide, and company executives have repeatedly said they need to regain the trust of customers.

CrowdStrike expects to incur up to $53 million in charges related to the layoffs, including severance payments, benefits and stock-based compensation.

“I know this is difficult news and it affects all of us. These decisions were made with care and guided by a clear view of where we need to go,” Kurtz said.

“As we evolve, we are laser-focused on transforming cybersecurity,” he said. “We stop breaches. This mission defines our purpose, unites our team and keeps us focused on what matters most: protecting our customers.”

The post CrowdStrike cuts 5% of workforce after revenue jumped 29% last year appeared first on CyberScoop.

from CyberScoop https://ift.tt/ZqsJOF5