PowerSchool Data Extortion, Cellcom Cyberattack Confirmed, Hackers Exploit Gaps – Cybersecurity News [May 19, 2025]
This week in cybersecurity: a student admits to a massive school data hack, a major mobile network outage turns out to be a cyberattack, and hackers are actively spying on global aid operations. We also look into a DNS hijacking campaign affecting top organizations, and a trusted VMware tool gets caught in a malware-laced supply chain attack. Here’s a quick look at what’s been happening.
PowerSchool Data Breach: Hacker Admits to Extorting Student Information
A college student from Worcester, Massachusetts, has admitted to being involved in a major cyberattack that compromised the personal data of millions of students and teachers.
According to the U.S. Department of Justice, Matthew D. Lane has agreed to plead guilty to four federal charges (cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft) arising from cyberattacks in which Lane and his associates breached a U.S.-based telecommunications organization. They stole confidential customer data and also obtained the login credentials of a contractor linked to PowerSchool.
After an unsuccessful ransom attempt against the telecom enterprise, the group accessed PowerSchool’s systems, downloading sensitive data through a support tool called PowerSource. The breach affected 62.4 million students and 9.5 million teachers from over 6,500 school districts across the northern region. The stolen information included names, addresses, phone numbers, Social Security numbers, contact details, medical records, grades, and even passwords.
Some of the follow-up ransom demands were linked to a known hacking group, ShinyHunters, which has been involved in previous high-profile data breaches such as those affecting Snowflake and AT&T. Lane has agreed to plead guilty and faces a mandatory minimum of two years in prison for identity theft, along with up to five years for each of the remaining charges.
Cellcom Confirms Cyberattack as Cause of Prolonged Network Outages
A cyberattack recently caused a major network outage at Cellcom, a wireless provider in Wisconsin.
The disruption affected voice and SMS services in multiple regions, leaving many customers without basic mobile connectivity. It was initially labeled as a technical issue, but then turned out to be a cyber incident. Cellcom CEO Brighid Riordan confirmed the attack in a public letter, stating that while unfortunate, the organization had plans in place for such situations.
Cellcom says the attack hit a part of the network that doesn’t store sensitive user data, and there is no evidence that personal information like names, addresses, or financial details was compromised. During the outage, only data services, iMessage, RCS, and 911 remained available.
Frustrations grew as users couldn’t port numbers or restore service. On May 19, Cellcom began gradually restoring functions like calling and texting between Cellcom users, but full recovery is still in progress. Customers are advised to restart their phones or toggle airplane mode as a safety precaution!
Hackers Exploit Security Gaps in Email and VPN to Track Aid Operations
APT28 is back at it again, carrying out cyberattacks against organizations responsible for coordinating, transporting, and managing foreign aid to Ukraine.
The threat actors are targeting logistics, transportation, defense, air traffic management, maritime services, and IT providers across dozens of countries, using a combination of spear-phishing, brute-force attacks, and malware to access systems. They also exploit known software vulnerabilities in platforms like Outlook (CVE-2023-23397), Roundcube, Horde, MDaemon, and Zimbra and compromise VPNs and other internet-facing infrastructure using SQL injection and public exploits.
Once they get in, they don’t just steal information and leave. They snoop around, get into email accounts, and monitor the people involved in logistics work. They even change mailbox settings to keep spying without being noticed. To exfiltrate the stolen data, they use tools like PowerShell or email protocols such as EWS and IMAP, depending on the victim’s setup.
The hacking campaign is still going on, and the attacks have been growing more aggressive over time. Cybersecurity authorities from several countries, including the U.S. agency CISA, have issued a joint warning. They’re urging organizations in these sectors to strengthen their security and be alert.
Hazy Hawk Group Exploits DNS Flaws to Take Over Legitimate Domains
A hacker group known as “Hazy Hawk” has been quietly taking over forgotten DNS records linked to abandoned cloud services.
By hijacking these trusted subdomains, they’re tricking users with fake websites, scam ads, and harmful downloads, targeting even high-profile domains from governments, universities, and major global brands. According to Infoblox researchers, Hazy Hawk looks for CNAME records still pointing to old, unused cloud endpoints. When they find one, they create a new cloud resource with the same name. Because the stale CNAME still points at that name, the organization’s subdomain now resolves to the attacker’s malicious site.
They have used this method to hijack domains of multiple prominent organizations across various sectors. Once they control the subdomain, they generate hundreds of shady URLs under it. Clicking on them sends users through multiple redirects that analyze their device, IP, and VPN use. Depending on that data, users may land on phishing pages, fake antivirus alerts, scam streaming sites, or get bombarded with browser notifications.
The attack works because many organizations forget to delete DNS records after decommissioning cloud services. It’s best to regularly audit your DNS records and immediately remove unused entries to stay safe!
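As an added illustration of the audit recommended above (not code from the article or from Infoblox), the following script flags dangling CNAMEs: records whose target no longer resolves, ranked higher when the target sits on a cloud hostname that anyone could re-register. The zone export, the cloud suffix list and the stub resolver answers are all constructed for this example; `live_resolver` is the only part that touches real DNS.

```python
"""Dangling-CNAME audit: flag subdomains whose CNAME target no longer resolves."""
import socket
from typing import Callable, Optional

# Cloud suffixes where deleting a resource frees its hostname for anyone to claim,
# which is the takeover pattern described above. Constructed list for this example.
CLOUD_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net",
    ".s3.amazonaws.com", ".elasticbeanstalk.com", ".cloudfront.net",
    ".github.io", ".herokuapp.com",
)

# Constructed BIND-style zone export; none of these are real records.
SAMPLE_ZONE = """\
www.example.org.      300 IN A     203.0.113.10
old-app.example.org.  300 IN CNAME retired-app-2019.azurewebsites.net.
docs.example.org.     300 IN CNAME example-docs.github.io.
cdn.example.org.      300 IN CNAME d111111abcdef8.cloudfront.net.
mail.example.org.     300 IN MX    10 mx.example.org.
"""

def parse_cnames(zone_text: str) -> list[tuple[str, str]]:
    """Return (owner, target) pairs for CNAME records, trailing dots stripped."""
    pairs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "CNAME":
            pairs.append((fields[0].rstrip("."), fields[4].rstrip(".")))
    return pairs

def find_dangling(zone_text: str, resolve: Callable[[str], Optional[str]]) -> list[dict]:
    """Flag CNAMEs whose target does not resolve; cloud-hosted targets are high risk.
    `resolve` returns an address or None on NXDOMAIN, so a stub can be injected offline."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if resolve(target) is not None:
            continue  # target still answers, so the record is not dangling
        on_cloud = any(target.endswith(sfx) for sfx in CLOUD_SUFFIXES)
        findings.append({"subdomain": owner, "target": target,
                         "risk": "high" if on_cloud else "medium"})
    return findings

def stub_resolver(name: str) -> Optional[str]:
    """Constructed DNS answers: only the docs target still exists."""
    return {"example-docs.github.io": "203.0.113.20"}.get(name)

def live_resolver(name: str) -> Optional[str]:
    """Real lookup for production use; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

if __name__ == "__main__":
    for finding in find_dangling(SAMPLE_ZONE, stub_resolver):
        print(finding)
```

Swap `stub_resolver` for `live_resolver` and feed it a real zone export to run the same check against your own records.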
To protect against similar cyber threats, organizations should implement SPF, DKIM, and DMARC protocols to authenticate emails and prevent spoofing or phishing attacks.
RVTools Compromised in Supply Chain Attack to Distribute Bumblebee Malware
RVTools, a popular VMware utility now owned by Dell, was recently caught in a supply chain attack where threat actors used fake websites to spread malware.
Dell says its official download sites (Robware.net and RVTools.com) were not compromised, but both were taken offline after facing denial-of-service attacks. The malicious installers were instead distributed through typo-squatted domains posing as the real sites. Security researcher Aidan Leon provided evidence of a tampered file hosted on the authentic RVTools website as of May 12. He noted a suspicious file size, a hash mismatch, and the presence of a malicious version.dll tied to Bumblebee malware, which is known for delivering ransomware and other threats.
After his report and VirusTotal submissions, the infected file was reportedly replaced, but the website went down again shortly after. Arctic Wolf also found fake RVTools installers on websites using slightly altered domain names (e.g., .org instead of .com), likely boosted by SEO tricks and malvertising.
Dell maintains that its own platforms were not breached, but users are urged to stay cautious. If you recently downloaded RVTools, scan it on VirusTotal and only use the official domains once they’re back online.