Top 5 cyber threats to education (2023)

Summary

In recent years, the InfoSec community has seen a number of cyber threats and attacks on the education sector, particularly higher education. These attacks happen for many reasons, but chief among them is the lack of resources and budget for legitimate security insurance.

Although educational institutions have faced major challenges such as the impact of the pandemic, lack of funds and staff, threats and cyber attacks will not leave them out. Recently, ransomware in particular has become an issue in the education sector, with some schools having to close and rebuild systems due to ransomware attacks, attacks that compromise student safety.

This year, Avertium technology partner Black Kite conducted a survey of the top 100 universities in the US using an A to F technical ranking system. None of the schools had an A rating and all of the schools were extremely vulnerable to attack cyber. Let's take a look at the top five cyberthreats in higher education, how ransomware is taking center stage, and what the education sector can do to prevent devastating cyberattacks.

data hijacking

Ransomware is the number one threat and attack vector for colleges and universities. Once ransomware is deployed on a network or system, it prevents victims from accessing the network or files, causing disruptions. Attackers will also keep the files in exchange for a ransom payment and leak the files on a data breach website if the ransom is not paid.

In the first few months of the 2020 COVID-19 pandemic, creation of new ransomware samples increased by 72% in the form of infected file downloads and malicious emails. Although unprepared, universities were not immune to the onslaught of ransomware attacks, especially as most universities stopped face-to-face learning at the start of the pandemic.

As universities and colleges relied on virtual learning, technical resources were affected. In 2020, the UK's National Cyber ​​Security Center warned that the education sector was being targeted by ransomware attacks. Colleges, universities, and K-12 school districts have been bombarded with ransomware attacks.

In September 2020, the Clark County School District in Las Vegas, Nevada fell victim to a ransomware attack that locked its files. The school serves 320,000 students and the attack involved current and former staff records. The district had to hire outside forensic investigators to investigate the attack and figure out how to restore its systems. Realizing that school officials would not pay the demanded ransom, the attackers released documents containing student grades, social security numbers, and other private information.

BLACK KITE SEARCH- 100 BEST SCHOOLS AND UNIVERSITIES

Colleges and universities have suffered their fair share of ransomware attacks. On May 13, 2022, Lincoln College in Illinois was forced to close its doors after 157 years of serving students, in part due to a ransomware attack. The attack took place in December 2021, after the university was already facing financial problems due to the COVID-19 pandemic.

According to Lincoln College, the ransomware attack made it difficult for the school to access institutional data and impeded admissions activity, making it impossible to get a clear view of enrollment projections in the fall 2022. systems needed for retention, fundraising and recruitment were not operational. By the time systems were restored in March 2022, it was too late. Forecasts for the fall of 2022 showed significant enrollment deficits. If the university were to remain open, it would require either a large endowment or a transformative partnership.

“Lincoln College has served students from around the world for over 157 years. The loss of history, careers and a community of students and alumni is immense.” - David Gerlach, President oflincoln high school.

Research conducted by Quacquarelli Symonds for Black Kite showed that 15 colleges and universities have been victims of ransomware attacks since January 4, 2022.These universities include:

• Butler Community College
• Summit College alleged ransomware attack on 4/1/2022
• Lewis-Clark State College
• University of Detroit Mercy suspected ransomware attack by LockBit on 4/2/2022
• Centralia College alleged ransomware attack on 2/15/2022
• North Carolina A&T suspects AlphaVM ransomware attack on 4/6/2022
• Austin Peay State University alleges ransomware attack on 4/27/2022
• Georgia Coast College

The LockBit ransomware group was mentioned more than once on Black Kite's list (some schools were intentionally not mentioned). Their attack on the University of Detroit Mercy affected the school's servers and the group stole confidential information (the nature of the information was not disclosed). The LockBit ransomware note states that if the university fails to meet the ransom demands by February 1, 2022, the school's information will be leaked onto the dark web. No details were released about how much LockBit charged or whether the University of Detroit Mercy was in talks with the group.

AlphaVM, aliasblack cat, is another ransomware gang that has been mentioned more than once on Black Kite's list. The gang claimed responsibility for a ransomware attack at Florida International University in April 2022. The attacker stole personal information from students, staff, and faculty (about 1.2TB of data). The stolen data included accounting records, social security numbers and email databases.

Picture 1:Black Kite Ransomware Vulnerability Index - Higher Education

Source: Parrot black

Just like ransomware, security attacks in the IoT (Internet of Things) space are a serious problem. The more network devices you have, the more they need to protect your endpoints. An IoT attack occurs when an IoT system is compromised. This type of attack affects networks, data, devices and users. Threat actors launch this type of attack to steal information and take control of an automated or IoT system and disable it.

In February 2017, an unnamed university was attacked by its own vending machines, lamps and streetlights. Over 5,000 connected IoT devices have been compromised by threat actors. The devices performed hundreds of Domain Name Service (DNS) lookups every 15 minutes, causing the university's network connectivity to painfully slow down. Almost all of the systems resided on the segment of the network dedicated to the university's IoT fabric. Students have reported issues with slow network connections, but the complaints have been looked into by the school's help desk.

According to Verizon's 2017 Data Breach Digest, IoT systems were supposed to be isolated from the rest of the network, but instead they were all configured to use DNS servers on a different subnet. Lamps and vending machines were connected to the network for easy management and efficiency. The attackers behind the ordeal instructed IoT devices to perform DNS lookups for clams (#1 red flag) every 15 minutes. However, based on firewall and DNS logs, only 15 IP addresses (red flag #2) were returned from thousands of requested domains. Four of those addresses and about 100 domains appeared on a list of indicators for an emerging IoT botnet.

The example above is a great example of poorly secured IoT devices. While not all vending machines and utility poles were replaced as a result of the attack, the botnet spread from device to device through default brute force settings and weak passwords.

Phishing attacks and social engineering

Social engineering phishing is a proven cyber attack that often demands the best from schools and universities. According to the Avertium blog atIdentity theft, phishing attacks are often a means of distributing malware disguised as communications from a trusted or reputable source. Phishing attacks can take the form of an email, a phone call (fishing) or a text message (smishing); the most common is email.

A phishing attack email usually looks or sounds like it's coming from a company or someone in your organization. The threat actor behind the attack requests sensitive information or provides a link to an attachment that prompts them to download something malicious.

Social developmentIt falls under phishing attacks and involves threat actors that are investigated by companies or individuals prior to the attack. Its aim is to trick the victim into trusting the threat actor by providing a lot of convincing information about the victim. Threat actors use core human psychology to manipulate people into doing exactly what they want. In the absence of rigorous security training, schools and universities are particularly vulnerable to phishing/social engineering attacks.

In 2017, MacEwan University in Edmonton, Canada was robbed of $11.8 million because an employee fell victim to a phishing attack. The attacker sent the victim an email posing as a seller and requesting the change of bank details. The first mistake the victim made is not verifying the email and the app. As a result, MacEwan University lost millions of dollars.

data breach

Data breaches can have a devastating impact on the education sector. Information held by educational institutions is confidential and if this data is leaked, students, faculty and staff can be exposed to the masses. A data breach occurs when an unauthorized person gains access to protected information such as birth dates, social security numbers, banking information and medical records.

According to Comparitech's Education and Data Breach Report, they found that from 2005 through the end of 2021, K-12 school districts and colleges and universities around the world experienced 1,850 data breaches. More than 28.6 million records were affected by data breaches, and more than 200 of those attacks were the result of Blackbaud ransomware.

Millions of people were affected in early 2020 after Blackbaud Inc., a cloud computing company, was attacked by a ransomware gang. The attacker was able to remove a copy of a subset of the data from Blackbaud's private cloud environment and receive a ransom for the data in exchange for destroying the stolen data. The stolen data included usernames and passwords, bank account information and social security numbers. The breach affected students at Boston University, Santa Clara University, University of Illinois Foundation, George Washington University and the University of Dallas. As a result of the attack, Blackbaud faced numerous lawsuits alleging violations of privacy laws and breach of contract.

Additionally, Black Kite's research showed two confirmed data breaches on its Top 100 Colleges and Universities list. Syracuse University faced a data breach on March 28, 2022, when two employees' email addresses were compromised in a cyberattack involving personal information. An unauthorized person was able to access email accounts due to a phishing attack. The University of Washington School of Medicine was also the victim of a data breach in March 2022. An attacker managed to gain access to employees' email accounts containing patient health information.

unpatched and outdated software

According to Black Kite, patch management is a hot topic among college campuses, so it's no surprise that outdated, unpatched software made this list. Installing patched software and updating software in general is a good cybersecurity practice that the education industry is missing. Patching is critical if you want to prevent a breach; however, every year, threat actors successfully exploit devices and fail to apply patches.

In September 2021, the University of Colorado Boulder suffered a cyberattack when its software was compromised, exposing the personal information of 30,000 current and former students and employees. The attack was the result of a vulnerability in the Atlassian software the school used to share information and access files. Compromised information included student ID numbers, dates of birth and telephone numbers.

Atlassian released a patch for the vulnerability in August 2021, but the university did not patch its software in time. Had they patched the vulnerability sooner, they could have avoided the public embarrassment that comes with a data breach. Campus explained that they needed to make investments to improve the system's threat analysis and patching automation to reduce delays between releasing a software patch and deploying it.

Cyber ​​Threats and Higher Education -black dragon

Image 2:Black Kite Safety Rating for Top 100 Colleges and Universities

Source: Parrot black

As mentioned above, Black Kite conducted a survey of the top 100 US colleges and universities using an A-F technical ranking system. 93 colleges and universities earned a C grade, while two colleges and universities earned a D grade when it comes to overall cybersecurity security.

• patch management– 93 schools were rated F.
• security application– 97 schools were rated F.
• attack surface– All schools had grade D.
• permissions management– all schools were rated F and the top 100 list had at least one dark web entry in the last 90 days.
• The listaverage technical ratinghas a grade of 73, which is a C.

Image 3:The Black Kite university ecosystem

Source: Parrot black

Black Kite's research shows that colleges and universities do a poor job of protecting their cyber environments. Lack of resources and budget, lack of security policies and lack of security training are reasons why universities don't have the best cybersecurity. But despite these challenges, every institution must lay the groundwork for a secure IT network.

All of the above examples of cyber attacks on colleges and universities could have been prevented if the institution had put its security priorities in order. Avertium recommends the following to secure your installations:

• ransomware attacks– Ransomware threat actors are simply looking for a way to make money. Avoid becoming a ransomware statistic by doing role-play exercises with your employees. These types of exercises will help you test your people and systems. Encrypting your data can also prevent ransomware attacks: attackers cannot access encrypted data and therefore cannot blackmail you.
• IoT attacks- Change your passwords and default settings when setting up a new IoT device; make it harder for attackers to guess your passwords. Additionally, using multi-factor authentication when logging into IoT devices provides additional protection. However, when basic security measures are still not enough, managing network access for IoT devices helps to minimize the risk of unauthorized network access, even if your lamps and vending machines are compromised.
• Phishing and social engineering- Prevent phishing and social engineering attacks by providing security training to your employees. Again, simulation exercises that attempt to direct your employees towards these types of attacks will help your institution determine where they are in their security awareness. Suspicious email addresses, spelling and layout errors in documents, and fake hyperlinks are all ways that staff and students can fall victim to phishing.
• data breach– Raise awareness among school staff about data security and the importance of protecting information. The main reason for data breaches is human error. If you are the victim of a data breach, at least make sure you have secure backups that are regularly tested.
• Unpatched and outdated software– Preventing an attack through a vulnerability is as easy as patching (updating) your software. Instant remediation can save an educational institution a significant amount of time and money, as well as prevent a cyberattack.

How is AvertiumProtection of our CUSTOMERS

• we offerEDR endpoint protectionacrossSentinelOne, Sophos e Microsoft Defender.
  • SentinelOne prevents threats and extends protection from the edge and beyond. Find threats and eliminate blind spots with index-free, unattended, real-time threat analysis and ingestion that supports structured, unstructured, and semi-structured data.
• To minimize the impact of a successful ransomware attack, it must be detected as early in the attack as possible.Information security and event management.(SIEM) can help an organization achieve this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it is deployed. SIEM provides a holistic view of an organization's IT environment from a single perspective related to its specific security events, allowing teams to identify and analyze anomalous behavior.
• You offer an aversionZero trust network as a service(ZTNaaS) for any organization that wants to control their attack surface. The Zero Trust security model delivers exactly what its name promises: it is an IT security concept that stipulates that access is not allowed until authentication and authorization processes have been successfully completed.
• You offer an aversionUser Awareness TrainingacrossSaberBe4. The service also includes incident response desk exercises (IR TTX) and basic security document development, as well as a comprehensive, new-school approach that integrates benchmark testing with simulated attacks.
• You offer an aversionVMaaSto enable a deeper understanding and control over the organization's information security risks. If your organization is faced with the scale, resources or skills required to implement a vulnerability management program with your staff, third-party solutions can help you bridge the gap.

Advice on Avertium

To prevent ransomware attacks, data breaches, IoT attacks, phishing, social engineering, and unpatched software attacks,Avertium and the FBI recommend that you:

• Use strong credentials and multi-factor authentication.
• Fix and update your software.
• Educate your employees on cybersecurity best practices.
• Update your devices if the software is outdated.
• Use strong passwords and enforce them at your institution.
• Encrypt your data and always have backups (test your backups often).
• Disable unused RDP/Remote Access ports and monitor RDP/Remote Access logs.
• Administrator credentials are required to install the software.
• Monitor administrative or elevated user accounts and configure least-privilege access controls.
• Implement network segmentation.
• Monitor IoT devices anytime.
• Get an overview of how many IoT devices are connected to your network.
• If you don't already have one, develop a cybersecurity policy for employees to follow.
• Advise employees not to click on suspicious links or open email attachments from suspicious senders.

MITRE-KARTE

BlocoBit

black cat

Indicators of Compromise (IoC)

BlocoBit

• Sha256 -0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049
• hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]Onion
• hxxp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did[.]onion
• hxxp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid[.]cebola
• hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH

black cat

• id7seexjn4bojn5rvo4lwcjgufjz7gkisaidckaux3uvjc7l7xrsiqad[.onion]
• sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd[.onion]
• htnpafzbvddr2llstwbjouupddflqm7y7cr7tcchbeo6rmxpqoxcbqqd[.onion]
• aoczppoxmfqqthtwlwi4fmzlrv6aor3isn6ffaiic55wrfumxslx3vyd[.onion]
• alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.cebolla]
• 2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid[.onion]
• zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd[.onion]
• mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd[.onion]
• f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89
• c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
• 74464797c5d2df81db2e06f86497b2127fda6766956f1b67b0dcea9570d8b683
• 4e18f9293a6a72d5d42Vater179b532407f45663098f959ea552ae43dbb9725cbf
• 1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e
• 15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
• 13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
• c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283
• bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117
• 7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487
• 38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1
• 2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc
• 28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169
• 0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
• f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6
• 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
• 59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f
• 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
• 7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e
• cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae

supporting documentation

Rising Ransomware Attacks in Education During the COVID-19 Pandemic (isaca.org)

2 emails in the SU department fell victim to a personal data breach - The Daily Orange

How to secure enterprise IoT devices - Palo Alto Networks

What are the best ways to protect IoT devices from attacks? - Revolutionized

University of Washington School of Medicine notifies patients of data breach (beckershospitalreview.com)

Protection of confidential and personal information from data breaches caused by ransomware (cisa.gov)

Color University hacked for lack of up-to-date software (govtech.com)

The state of cybersecurity in education - Security Boulevard

Avoid Social Engineering and Phishing Attacks | CISA

Ransomware Risk: 6 Steps Universities Can Take to Avoid Cyber ​​Attacks | (negociouuniversitario.com)

What is a data breach and how to avoid it (kaspersky.com)

Confidential Information Released After School District Refuses to Pay Hacker's Ransom Demand, Report Says | CNN

A university was attacked for its floodlights, vending machines and street lights | malleable

Social Engineering Attacks on the Rise of Higher Education - UW–⁠Madison Information Technology (wisc.edu)

Blackbaud Ransomware Attack May Have Affected Millions | BenefitsPRO

Ransomware group hack UofD mercy threatens to release information (audacy.com)

BlackCat ransomware group claims attack on Florida International University - The Record by Recorded Future

Hacking Humans: Die Social-Engineering-Bedrohung (avertium.com)

Prevent Security Attacks in the Education IoT Space | Kajeet Educational Solutions

Ransomware vs. Phishing vs. Malware (What's the Difference) (avertium.com)

Related feature: [Threats Report] Top 5 Cyber ​​Threats in the Manufacturing Industry

ANNEX II: Disclaimer

COPYRIGHT ©:Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.