Columbia University Enhances Security Through Activity Logging
Summary
Columbia University has improved its security posture by implementing comprehensive activity logging, which has helped it detect and mitigate cyberattacks, including recent hacktivist incidents and an earlier state-sponsored breach. Centralized logs let the university trace attacker movement between systems, identify the ports attackers used to get in, and speed up incident response. In June 2025, hacktivists breached Columbia University's systems, stealing data and disrupting services; the attackers targeted the university to protest its diversity policies. That incident followed a similar hack in 2024, in which hacktivists protested campus policies. The university's logging infrastructure has been crucial in limiting the impact of these attacks and gathering intelligence on attacker tactics.
Timeline
- 21.08.2025 16:38 · 1 article · 26d ago
Columbia University Enhances Security with Activity Logging
Columbia University has improved its security posture by implementing comprehensive activity logging. This has enabled the institution to detect and mitigate cyberattacks, including recent hacktivist incidents and an earlier state-sponsored breach. The logging solutions have provided valuable insight into attacker tactics, allowing the university to track attacker movement between systems, identify the ports attackers used, and improve incident response. In June 2025, hacktivists breached Columbia University's systems, stealing data and disrupting services; the attackers targeted the university to protest its diversity policies. That incident followed a similar hack in 2024, in which hacktivists protested campus policies. The university's logging infrastructure has been crucial in limiting the impact of these attacks and gathering intelligence on attacker tactics.
Source: Tailing Hackers, Columbia University Uses Logging to Improve Security · www.darkreading.com · 21.08.2025 16:38
Information Snippets
All snippets first reported 21.08.2025 16:38 from a single source: Tailing Hackers, Columbia University Uses Logging to Improve Security · www.darkreading.com · 21.08.2025 16:38
- Columbia University has faced multiple cyberattacks, including hacktivist incidents in 2024 and 2025 and a state-sponsored breach in the early 2020s.
- The university uses centralized activity logging to detect and mitigate cyber threats, tracking attacker movement between systems and the ports attackers used to get in.
- Columbia University employs Sumo Logic's Log Analytics Platform, Cloud SIEM, and compliance and audit products for logging and observability.
- The logging solutions have helped the university reduce the number of security events reported to its team from about 2 million to around 500,000 per month.
- The university's security team, fewer than 10 people, manages nearly half of the institution's systems.
- Educational institutions are among the top three most-targeted sectors for data breaches, facing an average of 2,507 attacks per week.
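The snippets above summarize the technique in a sentence: aggregate connection and authentication logs centrally, then use them to follow an intruder from host to host, list the ports used on each hop, and fold repetitive noise into counted records so the team reviews fewer events. The following is an added example of that logic, written for this page; it is not Columbia University's or Sumo Logic's code, and every log line, hostname, address and field format in it is constructed for illustration.

```python
"""
Added example (not Columbia University's or Sumo Logic's code): reconstruct an
intruder's path through a network from centrally collected logs, list the ports
used on each hop, and collapse repetitive failed logins into counted records.
All log lines, hostnames and addresses below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample of what a central log platform might ingest: firewall
# ACCEPT records plus sshd authentication events forwarded by hosts.
SAMPLE_LOGS = """\
2025-06-20T02:01:13Z fw01 ACCEPT src=203.0.113.7 dst=10.10.1.5 dport=22 proto=tcp
2025-06-20T02:01:15Z web01 sshd[1201]: Accepted password for deploy from 203.0.113.7 port 51022 ssh2
2025-06-20T02:02:00Z web01 sshd[1300]: Failed password for root from 198.51.100.4 port 55001 ssh2
2025-06-20T02:02:01Z web01 sshd[1301]: Failed password for root from 198.51.100.4 port 55002 ssh2
2025-06-20T02:02:02Z web01 sshd[1302]: Failed password for root from 198.51.100.4 port 55003 ssh2
2025-06-20T02:02:03Z web01 sshd[1303]: Failed password for root from 198.51.100.4 port 55004 ssh2
2025-06-20T02:03:40Z fw01 ACCEPT src=10.10.1.5 dst=10.10.2.9 dport=3389 proto=tcp
2025-06-20T02:03:41Z fw01 ACCEPT src=10.10.1.5 dst=10.10.2.9 dport=445 proto=tcp
2025-06-20T02:04:02Z app02 sshd[2201]: Accepted publickey for svc from 10.10.1.5 port 40100 ssh2
2025-06-20T02:05:00Z fw01 ACCEPT src=10.10.2.9 dst=10.10.3.14 dport=1433 proto=tcp
2025-06-20T02:06:00Z fw01 ACCEPT src=10.10.9.9 dst=10.10.1.5 dport=443 proto=tcp
2025-06-20T02:06:30Z app02 sshd[2300]: Failed password for invalid user admin from 198.51.100.4 port 55010 ssh2
2025-06-20T02:06:31Z app02 sshd[2301]: Failed password for invalid user admin from 198.51.100.4 port 55011 ssh2
"""

# Assumed field layouts for the two constructed record types.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) ACCEPT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(lines):
    """Split raw lines into firewall events and sshd events; unknown lines are ignored."""
    fw, ssh = [], []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            fw.append(ev)
            continue
        m = SSH_RE.match(line)
        if m:
            ssh.append(m.groupdict())
    return fw, ssh


def trace_movement(fw_events, origin):
    """Follow accepted connections outward from `origin` in time order.

    A host counts as reached once a connection from an already-reached address
    lands on it; only connections made after that moment extend the path, so
    earlier unrelated traffic from the same host is not pulled into the trace.
    Returns (hops, reached): hops as (src, dst, dport, ts), reached as
    {ip: timestamp first reached}.
    """
    reached = {origin: ""}  # "" sorts before any ISO-8601 timestamp
    hops = []
    for ev in sorted(fw_events, key=lambda e: e["ts"]):
        src, dst = ev["src"], ev["dst"]
        if src in reached and ev["ts"] >= reached[src]:
            hops.append((src, dst, ev["dport"], ev["ts"]))
            reached.setdefault(dst, ev["ts"])
    return hops, reached


def exploited_ports(hops):
    """Destination ports used along the traced path, with hit counts."""
    return Counter(hop[2] for hop in hops)


def corroborate(ssh_events, reached):
    """Accepted logins from a reached address after it was reached: the firewall
    trace alone is only a candidate path; a successful login confirms a foothold."""
    return [
        ev for ev in ssh_events
        if ev["result"] == "Accepted"
        and ev["src"] in reached
        and ev["ts"] >= reached[ev["src"]]
    ]


def collapse_repeats(ssh_events):
    """Fold repeated failed logins sharing (host, user, src) into one counted record."""
    counts = Counter(
        (ev["host"], ev["user"], ev["src"]) for ev in ssh_events if ev["result"] == "Failed"
    )
    return [{"host": h, "user": u, "src": s, "failures": n} for (h, u, s), n in counts.items()]


def event_volume(lines):
    """(raw event count, count after collapsing repeated failures) for a batch of lines."""
    fw, ssh = parse(lines)
    kept = [ev for ev in ssh if ev["result"] != "Failed"] + collapse_repeats(ssh)
    return len(fw) + len(ssh), len(fw) + len(kept)


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    fw, ssh = parse(lines)
    hops, reached = trace_movement(fw, "203.0.113.7")
    for src, dst, dport, ts in hops:
        print(f"{ts} {src} -> {dst}:{dport}")
    print("ports on path:", dict(exploited_ports(hops)))
    for ev in corroborate(ssh, reached):
        print("confirmed login:", ev["user"], "on", ev["host"], "from", ev["src"])
    print("events before/after collapsing:", event_volume(lines))
```

Two design points matter in practice. The time-ordered reachability check is what keeps the trace from growing into "every host that ever talked to every other host": a connection from web01 only counts once web01 has itself been reached, and the unrelated 10.10.9.9 connection to web01 is left out because nothing on the path touched 10.10.9.9. And the firewall path is treated as a hypothesis until an authentication event from the same source confirms it, which is why both record types have to land in the same platform for this to work at all. The collapsing step is deliberately lossless in the sense that matters for review: the counted record still carries host, user and source, so a brute-force burst shows up as one line with a count rather than hundreds of identical lines.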
Similar Happenings
Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials
A supply chain attack on the nx build system allowed attackers to publish malicious versions of the popular npm package and auxiliary plugins. These versions contained data-gathering capabilities that exfiltrated 2,349 credentials from GitHub, cloud, and AI services. The attack occurred on August 26, 2025, affecting multiple versions of the nx package and related plugins. The compromised packages were removed from the npm registry, and users were advised to rotate credentials and check for malicious modifications in their systems. The malicious packages scanned file systems, collected credentials, and posted them to GitHub repositories under the users' accounts. The attack exploited a vulnerable workflow introduced on August 21, 2025, which allowed for arbitrary command execution and elevated permissions. The attack took approximately four hours from start to finish, resulting in the exfiltration of around 20,000 sensitive files. The attackers used AI-powered CLI tools to dynamically scan for high-value secrets and modified shell startup files to crash the system upon terminal session opening. A second attack wave was identified on August 28, 2025, affecting over 190 users/organizations and over 3000 repositories. The second wave involved making private repositories public and creating forks to preserve data. The attack unfolded in three distinct phases affecting 2,180 accounts and 7,200 repositories. The first phase impacted 1,700 users and leaked over 2,000 unique secrets. The second phase compromised 480 accounts and exposed 6,700 private repositories. The third phase targeted a single organization, publishing an additional 500 private repositories.
UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data
UNC6395 exploited Salesloft OAuth tokens to exfiltrate data from Salesforce instances. The campaign, active from August 8 to 18, 2025, targeted over 700 organizations, exporting credentials and sensitive information. Zscaler, Palo Alto Networks, Cloudflare, Google, PagerDuty, Proofpoint, SpyCloud, Tanium, and Workiva were impacted by the breach, exposing customer information. Salesloft and Salesforce have taken remediation steps, and the threat actor demonstrated operational security awareness. The breach involved exporting large volumes of data from Salesforce instances, including AWS access keys, passwords, and Snowflake tokens. The actor deleted query jobs to cover tracks. Salesloft has revoked connections and advised customers to re-authenticate Salesforce integrations. The campaign may indicate a broader supply chain attack strategy. Salesloft has engaged Mandiant and Coalition for investigation and remediation. Drift customers are urged to update API keys for connected integrations. Salesforce removed the Drift application from the Salesforce AppExchange until further notice. Google has revealed that the campaign impacts all integrations, including Google Workspace email accounts, and has taken steps to mitigate the risk. Salesloft is temporarily taking Drift offline to review the application and build additional security measures. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications.
Coordinated scans target Microsoft RDP authentication servers
A significant surge in coordinated scanning activity has been detected, targeting Microsoft Remote Desktop Web Access and RDP Web Client authentication portals. Some 1,971 IP addresses took part in the initial wave, probing the login flow for timing flaws that could facilitate later credential-based attacks. A second, far larger wave on August 24 involved more than 30,000 IP addresses. The scans originated predominantly from Brazil and targeted IP addresses in the United States. The activity coincides with the US back-to-school season, suggesting attackers may be counting on predictable username formats and the added exposure of newly onboarded accounts. The scans may also indicate the discovery of a new vulnerability, since spikes in malicious traffic of this kind often precede vulnerability disclosures. The scans were likely performed by a single threat actor or group, as indicated by the use of a centrally controlled botnet or a large residential proxy fleet.
Threat Actors Exploit VPS Infrastructure for SaaS Account Compromises
Threat actors, including the China-linked APT41 group, are exploiting commercial virtual private server (VPS) infrastructure to quickly and stealthily set up attack infrastructure. This tactic has been observed in coordinated SaaS account compromises across multiple customer environments and in targeted cyber espionage campaigns against U.S. trade officials. The abuse of VPS services allows attackers to bypass geolocation-based defenses, evade IP reputation checks, and blend into legitimate behavior. The attacks involved brute-force attempts, anomalous logins, phishing campaign-related inbox rule creation, and impersonation tactics. In notable incidents, attackers successfully compromised accounts by exploiting VPS services from providers such as Hyonix, Host Universal, Mevspace, and Hivelocity. The attackers deleted phishing emails and created obfuscated email rules to conceal their activities. The use of VPS infrastructure enables attackers to rapidly deploy infrastructure, making it difficult for defenders to track and respond to threats. The impersonation of U.S. Rep. John Moolenaar was part of a larger espionage campaign targeting U.S. trade officials. The campaign involved spear-phishing attacks impersonating a U.S. Congressman to gain unauthorized access to systems and sensitive information. The attacks exploited developer tools to create hidden pathways and siphon data to attacker-controlled servers.
Apple patches Image I/O zero-day exploited in targeted attacks
Apple has released emergency updates to fix a zero-day vulnerability (CVE-2025-43300) in the Image I/O framework. The flaw is an out-of-bounds write that can be triggered by processing a maliciously crafted image file, leading to memory corruption and potentially remote code execution; Apple addressed it with improved bounds checking. It was exploited in what Apple called "extremely sophisticated" targeted attacks against specific individuals. The vulnerability affects multiple iOS, iPadOS, and macOS versions across iPhone, iPad, and Mac models. Apple discovered the flaw internally and has not provided details about the attacks. Users are advised to install the updates promptly to mitigate potential ongoing attacks. CERT-FR has reported at least four instances of Apple threat notifications alerting users about mercenary spyware attacks since the beginning of the year; such attacks target individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. Apple has sent threat notifications to users in over 150 countries since 2021. Apple has backported fixes to older versions, including iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5; the updates also address multiple other security flaws in various Apple products. The flaw was chained with a WhatsApp zero-click vulnerability (CVE-2025-55177) in targeted attacks that both Apple and WhatsApp described as "extremely sophisticated". Samsung also patched a remote code execution vulnerability that was chained with CVE-2025-55177 in zero-day attacks targeting its Android devices.