During recent years, the InfoSec community has seen an onslaught of cyber threats and attacks within the education sector, particularly higher education. These attacks happen for several reasons, but the primary one is a lack of resources and budget for legitimate security insurance.
Even though education institutions have had to face major challenges such as the ramifications of the pandemic, lack of funding, and lack of staff, cyber threats and attacks do not spare them. Recently, ransomware in particular has become an issue in the education sector, and some schools have had to shut down and rebuild systems due to ransomware attacks – attacks that compromise student safety.
This year, Avertium’s technology partner, Black Kite conducted research on the top 100 universities in the U.S., using a technical rating system from A to F. None of the schools had an A rating and all of the schools were extremely vulnerable to cyber attacks. Let’s take a look at the top five cyber threats within higher education, how ransomware is taking center stage, and what the education sector can do to prevent devastating cyber attacks from happening.
Ransomware is the number one threat and attack vector for colleges and universities. Once ransomware is deployed on a network or system, it prevents victims from accessing the network or files, causing disruption. Attackers also hold copies of the stolen files in exchange for a ransom payment, leaking the files on a data leak site if the ransom is not paid.
During the first few months of the COVID-19 pandemic in 2020, the creation of new ransomware samples increased by 72%, arriving in the form of infected file downloads and malicious emails. Although unprepared, colleges were not excluded from the surge in ransomware attacks, especially as most colleges and universities put a stop to in-person learning at the beginning of the pandemic.
With universities and colleges having to rely on virtual learning, technical resources were burdened. In 2020, the National Cyber Security Centre in the United Kingdom warned that the education sector was being targeted with ransomware attacks. Colleges, universities, as well as K-12 school districts were being bombarded with ransomware attacks.
In September 2020, the Clark County school district in Las Vegas, Nevada, fell victim to a ransomware attack that locked up their files. The school serves 320,000 students and the attack involved current and former employee information. The district had to hire third-party forensic investigators to look into the attack and figure out how to restore their systems. Once the attackers realized that the school officials were not going to pay the demanded ransom, they published documents containing student grades, Social Security numbers, and other private information.
BLACK KITE RESEARCH - TOP 100 COLLEGES AND UNIVERSITIES
Colleges and universities have suffered their fair share of ransomware attacks. On May 13, 2022, Lincoln College in Illinois had to close its doors after serving students for 157 years, partly due to a ransomware attack. The attack took place in December 2021, after the college was already battling financial issues due to the COVID-19 pandemic.
According to Lincoln College, the ransomware attack hindered the school’s access to institutional data and prevented admissions activities, making it impossible to see a clear picture of Fall 2022’s enrollment projections. Although no personally identifiable information was exposed, the systems required for retention, fundraising, and recruitment were inoperable. Once the systems were restored in March 2022, it was too late. The projections for Fall 2022 showed significant enrollment shortfalls. If the college wanted to remain open, it would require an enormous donation or a transformational partnership.
“Lincoln College has been serving students from across the globe for more than 157 years. The loss of history, careers, and a community of students and alumni is immense.” - David Gerlach, president of Lincoln College.
Quacquarelli Symonds’ research for Black Kite showed that since January 4, 2022, 15 colleges and universities fell victim to ransomware attacks. Those colleges include:
The LockBit ransomware group was mentioned more than once on Black Kite’s list (some schools were intentionally left unnamed). Their attack on the University of Detroit Mercy affected the school’s servers, and the group stole sensitive information (the kind of information was not disclosed). LockBit’s ransom note stated that if the university didn’t comply with their ransom demands by February 1, 2022, the school’s information would be leaked on the dark web. No details were released regarding how much LockBit was asking for or whether the University of Detroit Mercy was in negotiations with the group.
ALPHV, aka BlackCat, is another ransomware gang that was mentioned more than once on Black Kite’s list. The gang took responsibility for a ransomware attack on Florida International University in April 2022. The attackers stole personal information from students, staff, and teachers (about 1.2 TB of data). The data stolen included accounting documents, Social Security numbers, and email databases.
Image 1: Black Kite's Ransomware Susceptibility Index - Higher Education
Source: Black Kite
Like ransomware, attacks on IoT (Internet of Things) devices are a serious concern. The more networked devices an institution has, the more endpoints it must secure. An IoT attack is one in which an IoT system is compromised; it involves networks, data, devices, and users. Threat actors launch this kind of attack to steal information or to take over an automated or IoT system and shut it down.
In February 2017, an unnamed university was attacked by its own vending machines, lightbulbs, and lamp posts. Over 5,000 connected IoT devices were compromised by threat actors. The devices made hundreds of Domain Name Service (DNS) lookups every 15 minutes and caused the university’s network connectivity to become painfully slow. Almost all systems were living on the segment of the network dedicated to the university’s IoT structure. Students reported the issues they were having with slow network connectivity, but the complaints were allegedly brushed off by the school’s help desk.
According to Verizon’s Data Breach Digest 2017, the IoT systems were supposed to be isolated from the rest of the network, but instead, they were all configured to use DNS servers in a different subnet. Lightbulbs and vending machines were connected to the network for easier management and efficiency. The attackers instructed the IoT devices to make DNS lookups for seafood-related domains (red flag #1) every 15 minutes. However, according to the firewall and DNS logs, out of the thousands of domains requested, only 15 IP addresses were returned (red flag #2). Four of those addresses and about 100 domains appeared in an indicator list for an emergent IoT botnet.
The above is a great example of poorly secured IoT devices. Not every soda machine and lamp post had to be replaced because of the attack, but the botnet did spread from device to device by brute-forcing default and weak passwords.
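The two red flags in the Verizon anecdote (lookups on a fixed 15-minute beat, and thousands of domains funnelling into a handful of answer IPs) plus the resolver misconfiguration are all detectable from ordinary DNS logs. The following script is an added example, not code from Avertium, Black Kite or Verizon; the log format, the IoT segment and resolver ranges, the device and domain names, the answer IPs and the indicator list are all constructed for illustration.

```python
"""
Added example: flag the DNS symptoms described in the university IoT incident.

Red flag #1: a client queries on a fixed period (e.g. every 15 minutes).
Red flag #2: many distinct domains resolve to very few distinct IPs.
Misconfiguration: IoT clients use a resolver outside their own segment.
Every value below (segments, log lines, indicators) is constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("10.50.0.0/16")    # assumed IoT VLAN
IOT_RESOLVER = ip_network("10.50.0.0/24")   # where IoT resolvers are supposed to live

# Constructed sample log: "<timestamp> <client> <resolver> <queried_domain> <answer_ip>"
SAMPLE_DNS_LOG = """\
2017-02-01T10:00:02 10.50.1.11 10.20.0.53 grilled-salmon-deals.example 203.0.113.7
2017-02-01T10:15:03 10.50.1.11 10.20.0.53 fresh-lobster-offers.example 203.0.113.7
2017-02-01T10:30:01 10.50.1.11 10.20.0.53 crab-legs-sale.example 203.0.113.9
2017-02-01T10:45:04 10.50.1.11 10.20.0.53 shrimp-bargain.example 203.0.113.7
2017-02-01T10:00:05 10.50.1.12 10.20.0.53 tuna-market.example 203.0.113.9
2017-02-01T10:15:02 10.50.1.12 10.20.0.53 oyster-bar-promo.example 203.0.113.7
2017-02-01T10:30:06 10.50.1.12 10.20.0.53 scallop-deal.example 203.0.113.9
2017-02-01T10:45:01 10.50.1.12 10.20.0.53 clam-chowder-sale.example 203.0.113.9
2017-02-01T10:03:15 10.20.5.40 10.20.0.53 www.example.edu 198.51.100.10
2017-02-01T10:41:22 10.20.5.40 10.20.0.53 lms.example.edu 198.51.100.11
2017-02-01T10:52:09 10.20.5.40 10.20.0.53 mail.example.edu 198.51.100.12
"""

# Constructed stand-in for the botnet indicator list mentioned in the article.
BOTNET_INDICATORS = {ip_address("203.0.113.9")}


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, resolver, qname, answer = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": ip_address(client),
            "resolver": ip_address(resolver),
            "qname": qname.lower(),
            "answer": ip_address(answer),
        })
    return records


def periodic_clients(records, period_s=900, tolerance_s=30, min_queries=4):
    """Red flag #1: clients whose inter-query gaps sit on a fixed beat."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r["ts"])
    flagged = []
    for client, stamps in by_client.items():
        stamps.sort()
        if len(stamps) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        on_beat = sum(abs(g - period_s) <= tolerance_s for g in gaps)
        if on_beat / len(gaps) >= 0.8:
            flagged.append(str(client))
    return sorted(flagged)


def resolution_funnel(records, segment=IOT_SEGMENT):
    """Red flag #2: distinct domains vs. distinct answers for the IoT segment."""
    domains, answers = set(), set()
    for r in records:
        if r["client"] in segment:
            domains.add(r["qname"])
            answers.add(r["answer"])
    return len(domains), len(answers)


def resolver_misconfig(records, segment=IOT_SEGMENT, allowed=IOT_RESOLVER):
    """IoT clients sending queries to a resolver outside their own segment."""
    bad = {str(r["client"]) for r in records
           if r["client"] in segment and r["resolver"] not in allowed}
    return sorted(bad)


def indicator_hits(records, indicators=BOTNET_INDICATORS):
    """Clients that received an answer IP present on the indicator list."""
    hits = defaultdict(set)
    for r in records:
        if r["answer"] in indicators:
            hits[str(r["client"])].add(r["qname"])
    return {client: sorted(domains) for client, domains in hits.items()}


def analyze(text=SAMPLE_DNS_LOG):
    """Run all three checks and return a summary dict."""
    recs = parse_log(text)
    domains, answers = resolution_funnel(recs)
    return {
        "periodic_clients": periodic_clients(recs),
        "iot_distinct_domains": domains,
        "iot_distinct_answers": answers,
        "resolver_outside_segment": resolver_misconfig(recs),
        "indicator_hits": indicator_hits(recs),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On the sample data the two IoT clients are flagged on all three checks while the staff workstation (10.20.5.40) is not; the domain-to-answer ratio (8 domains, 2 answers) is the same shape as the thousands-of-domains-to-15-IPs funnel in the incident, and the resolver check would have caught the subnet misconfiguration before any botnet traffic appeared.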
Phishing via social engineering is a tried-and-true cyber attack that often gets the best of schools and universities. According to Avertium’s blog on phishing, phishing attacks are often a vessel to deliver malware that masquerades as a communication from a trusted or reputable source. Phishing attacks can come in the form of an email, a phone call (vishing), or a text message (smishing) – with the most common vehicle being email.
A phishing email typically looks or sounds like it’s from a company or someone within your organization. The threat actor behind the attack will ask for privileged information or provide a link or attachment that results in you downloading something malicious.
Social engineering is included in phishing attacks and involves threat actors researching companies or individuals prior to the attack. The goal is to get the victim to trust the threat actor by providing a lot of convincing information about the victim. Threat actors take advantage of core human psychology to manipulate people into doing exactly what they want. Given the lack of consistent security training, schools and universities are especially susceptible to a phishing/social engineering attack.
In 2017, MacEwan University in Edmonton, Canada was defrauded of $11.8 million due to a staff member falling victim to a phishing attack. The attacker sent the victim an email, impersonating a vendor requesting a change in banking information. The first mistake the victim made was not verifying the email and the request. As a result, MacEwan University lost millions of dollars.
Data breaches can have a devastating impact on the education sector. The information that is stored by educational institutions is sensitive and if that data is leaked, students, teachers, and staff could be exposed to the masses. A data breach happens when an unauthorized person gets access to protected information such as dates of birth, Social Security numbers, banking information, and medical records.
According to Comparitech’s report on data breaches in the education sector, from 2005 to the end of 2021, K-12 school districts, as well as colleges and universities around the world, experienced 1,850 data breaches. More than 28.6 million records were affected by those breaches, and over 200 of the attacks were the result of the Blackbaud ransomware incident.
Millions of individuals were impacted in early 2020 after Blackbaud Inc., a cloud computing company, was targeted by a ransomware gang. The attacker was able to remove a copy of a subset of data from Blackbaud’s private cloud environment and demanded a ransom in exchange for destroying the stolen data. The data stolen included usernames and passwords, bank account information, and Social Security numbers. The breach impacted students at Boston University, Santa Clara University, the University of Illinois Foundation, George Washington University, and the University of Dallas. As a result of the attack, Blackbaud faced several lawsuits claiming violations of data breach statutes and breach of contract.
Additionally, Black Kite’s research showed two confirmed data breaches in their top 100 list of colleges and universities. Syracuse University faced a data breach on March 28, 2022, when two email accounts belonging to employees were compromised in a cyber attack involving personal information. An unauthorized party was able to access the email accounts due to a phishing attack. Washington University School of Medicine was also the victim of a data breach in March 2022. An attacker was able to gain access to employee email accounts which contained patient health information.
According to Black Kite, patch management is an issue amongst higher education institutions, so it’s no surprise that unpatched and outdated software made it onto this list. Installing patches and keeping software up to date is a cyber security best practice that the education sector lets fall by the wayside. Patching is paramount if you want to avoid a breach, yet every year threat actors successfully exploit devices due to a lack of patching.
In September 2021, the University of Colorado Boulder suffered a cyber attack when their software was compromised – exposing the personal information of 30,000 current and former students and employees. The attack was the result of a vulnerability in Atlassian software the school used to share information and access files. The information compromised included student ID numbers, dates of birth, and phone numbers.
Atlassian released a patch for the vulnerability in August 2021, but the university did not apply it in time. Had they patched the vulnerability sooner, they could have avoided the public shame that comes with a data breach. The campus stated that it needed to invest in improving its threat analysis, as well as in automating system patching, to shorten the lag between a software patch’s release and its implementation.
Image 2: Black Kite's Security Rating for Top 100 College and Universities
Source: Black Kite
As previously stated, Black Kite conducted research on the top 100 colleges and universities within the U.S., using a technical rating system from A to F. Ninety-three colleges and universities had a rating of C, while two colleges and universities had a rating of D when it came to overall cyber security.
Image 3: Black Kite's Higher Education Ecosystem
Source: Black Kite
Black Kite’s research shows that colleges and universities are doing a poor job of securing their cyber environments. Lack of resources and budget, the absence of security policies, and lack of security training are all reasons why higher education institutions don’t have the best cyber security in place. However, despite these challenges, every institution should lay the foundation for a secure IT network.
All of the mentioned examples of cyber attacks on colleges and universities could have been avoided had the institutions had their security priorities in order. Avertium recommends the following to help keep your institution safe:
To prevent ransomware attacks, data breaches, IoT attacks, phishing and social engineering attacks, and attacks via unpatched software, Avertium and the FBI recommend that you do the following:
Rise of Ransomware Attacks on the Education Sector During the COVID-19 Pandemic (isaca.org)
2 emails in SU department victim to data breach involving personal information - The Daily Orange
How to Secure IoT Devices in the Enterprise - Palo Alto Networks
What are the Best Ways to Protect IoT Devices from Attack? - Revolutionized
Washington University School of Medicine notifies patients of data breach (beckershospitalreview.com)
Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches (cisa.gov)
Colo. University Hacked Due to Lack of Updated Software (govtech.com)
The State of Cybersecurity in Education - Security Boulevard
Avoiding Social Engineering and Phishing Attacks | CISA
Ransomware risk: 6 steps colleges can take to help prevent cyberattacks | (universitybusiness.com)
What is a Data Breach & How to Prevent One (kaspersky.com)
Confidential information released after school district refused to pay hackers' ransom demand, report says | CNN
A university was attacked by its lightbulbs, vending machines and lamp posts | Mashable
Social engineering attacks on the rise in higher education - UW–Madison Information Technology (wisc.edu)
Blackbaud ransomware attack may have impacted millions of Individuals | BenefitsPRO
Ransomware group hacks UofD mercy threatens to release info (audacy.com)
BlackCat ransomware group claims attack on Florida International University - The Record by Recorded Future
Hacking Humans: The social engineering threat (avertium.com)
BlackCat Ransomware & Triple Extortion (Analysis & Tactics) (avertium.com)
Preventing Security Hacks in the Education IoT Space | Kajeet Education Solutions
Ransomware Vs. Phishing Vs. Malware (What's The Difference) (avertium.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.