The FBI, CISA, and MS-ISAC have jointly identified malicious cyber actors targeting kindergarten through twelfth grade (K-12) educational institutions with ransomware attacks, data theft, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year.
According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.
The full article identifies many specific details and methods of attack being used on schools. Here is a summary:
Ransomware – most popular variants
The five most common ransomware variants identified in incidents targeting K-12 schools are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.
Malware – top 10 strains
The top 10 malware strains that have affected educational institutions over the past year (up to and including September 2020) are shown above. These malware variants are purely opportunistic as they not only affect educational institutions but other organizations as well.
ZeuS and Shlayer are among the most prevalent malware affecting K-12 schools.
* ZeuS is a Trojan with several variants that targets Microsoft Windows operating systems. Cyber actors use ZeuS to infect target machines and send stolen information to command-and-control servers.
* Shlayer is a Trojan downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater. Note: Shlayer is the only malware of the top 10 that targets MacOS; the other 9 affect Microsoft Windows operating systems.
Distributed Denial-of-Service Attacks
Cyber actors are causing disruptions to K-12 educational institutions—including third-party services supporting distance learning—with distributed denial-of-service (DDoS) attacks. These attacks temporarily limit or prevent users from conducting daily operations.
Video Conference Disruptions
Numerous reports received by the FBI, CISA, and MS-ISAC since March 2020 indicate uninvited users have disrupted live video-conferenced classroom sessions. These disruptions have included verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees (Note: doxing is the act of compiling or publishing personal information about an individual on the internet, typically with malicious intent).
Additional Risks and Vulnerabilities
In addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC, malicious cyber actors are expected to continue seeking opportunities to exploit the evolving remote learning environment.
Cyber actors could apply social engineering methods against students, parents, faculty, IT personnel, or other individuals involved in distance learning. Tactics such as phishing trick victims into revealing personal information (e.g., a password or bank account information) or performing a task (e.g., clicking on a link). In such scenarios, a victim could receive what appears to be a legitimate email that:
* Directs the user to confirm a password or personal identification number (PIN),
* Instructs the recipient to visit a website that is compromised by the cyber actor, or
* Contains an attachment with malware.
Technology Vulnerabilities and Student Data
Whether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services. The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack.
The FBI, CISA, and MS-ISAC frequently see malicious cyber actors exploiting exposed Remote Desktop Protocol (RDP) services to gain initial access to a network and, often, to manually deploy ransomware. For example, cyber actors will attack ports 445 (Server Message Block [SMB]) and 3389 (RDP) to gain network access.
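As an added defender-side example (not code from the advisory or this post), the following Python script looks for the pattern described above from the monitoring side: bursts of failed RDP logons from outside the school's address ranges, which is what an exposed port 3389 typically attracts, and whether a successful logon followed the burst. The simplified log format, the sample lines, and the internal address ranges are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in a simplified Windows Security log format (not real data).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2020-12-10T08:00:01 EventID=4625 LogonType=10 SourceIP=203.0.113.5 User=administrator
2020-12-10T08:00:03 EventID=4625 LogonType=10 SourceIP=203.0.113.5 User=admin
2020-12-10T08:00:04 EventID=4625 LogonType=10 SourceIP=203.0.113.5 User=teacher1
2020-12-10T08:00:06 EventID=4625 LogonType=10 SourceIP=203.0.113.5 User=student
2020-12-10T08:00:07 EventID=4625 LogonType=10 SourceIP=203.0.113.5 User=helpdesk
2020-12-10T08:00:09 EventID=4624 LogonType=10 SourceIP=203.0.113.5 User=helpdesk
2020-12-10T08:05:00 EventID=4625 LogonType=10 SourceIP=10.1.5.20 User=jsmith
2020-12-10T09:00:00 EventID=4625 LogonType=2 SourceIP=10.1.5.21 User=jdoe
"""

# Assumed internal address ranges for the school network (adjust to the real allocation).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"(\S+) EventID=(\d+) LogonType=(\d+) SourceIP=(\S+) User=(\S+)")

def rdp_events(log_text):
    """Yield (timestamp, event_id, source_ip, user) for RDP logons from external sources only."""
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, eid, ltype, src, user = m.groups()
        if int(ltype) == 10 and not any(ip_address(src) in n for n in INTERNAL_NETS):
            yield datetime.fromisoformat(ts), int(eid), src, user

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag external sources with >= threshold failed RDP logons inside one window of time."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, src, user in rdp_events(log_text):
        if eid == 4625:
            failures[src].append((ts, user))
        elif eid == 4624:
            successes[src].append((ts, user))
    findings = {}
    for src, fails in failures.items():
        fails.sort()  # chronological order so a run of `threshold` entries is a time span
        for i in range(len(fails) - threshold + 1):
            run = fails[i:i + threshold]
            if run[-1][0] - run[0][0] <= window:  # burst found: record and note any later success
                findings[src] = {"failures": len(fails), "users": sorted({u for _, u in fails}),
                                 "success_after": any(t > run[-1][0] for t, _ in successes[src])}
                break
    return findings

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_LOG))
```

A flagged source with `success_after` set is the case to triage first, since it matches the initial-access pattern the advisory describes; internal sources and non-RDP logon types are deliberately ignored here so the output stays focused on externally exposed RDP.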
End-of-Life (EOL) software is regularly exploited by cyber actors. Unpatched and vulnerable servers are likely to be exploited by cyber actors, hindering an organization’s operational capacity.
Mitigation Plans and Policies
The full article can be accessed here. It includes a range of useful best practices, including:
* Network Best Practices
* User Awareness Best Practices
* Ransomware Best Practices (don’t pay the ransom)
* Denial-of-Service Best Practices
* Video-Conferencing Best Practices
* Edtech Implementation Considerations
Acknowledgment: This blog article draws directly from the joint advisory issued on December 10th by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).