Lessons to be Learned: Attacks on Higher Education Proliferate

Trustwave SpiderLabs is wrapping up a multi-month investigation into the threats facing the education sector, across higher education, primary and secondary schools. Trustwave will post the 2024 Education Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report on February 22, but here are a couple of early findings along with a round-up of some of the higher-profile attacks on education targets that have taken place in the last year.

  • Trustwave researchers conducted a review of Shodan, a search engine that scans all public IP addresses on the Internet, and found more than 1.8 million devices related to the education sector, indicating the threat surface is vast. This number far exceeds other industries.
  • The team found proof that threat actors are selling alleged root and VPN access to the AWS infrastructure and other services of well-known US universities.
  • Trustwave SpiderLabs uncovered more than 2,500 public file shares containing potentially sensitive data found in educational institutions and the exploitation of vulnerable third-party printer management software by state-sponsored hackers and ransomware gangs. 

  • Those operating LockBit 3.0 Ransomware make the most claims among all ransomware groups, targeting multiple and diverse public schools and universities globally.
  • Publicly accessible self-hosted password managers were found exposed in various educational organizations, highlighting security risks. 

 

Threat Actors Test the Education Sector 

 

Threat actors have a knack for understanding what targets contain, and the type of information that can be quickly monetized and culled all in one fell swoop. After all, why conduct multiple attacks to track down financial information, Social Security Numbers, driver's license information, and even health data when all that data is housed in one spot?

 

The last 12 months saw dozens of attacks on universities worldwide, but here is a short list of the more notable incidents.

 

The hacker group Vice Society claimed it extracted and published more than 850GB of sensitive data, including passwords, photos of passports, Social Security numbers, and credit card numbers, to the Dark Web. Okanagan confirmed the claim in a statement: "Data that appears to belong to Okanagan College and its stakeholders has been posted on a dark website belonging to a criminal organization." This attack potentially impacted 16,000 students and 1,200 staff. 

 

May 2023 - Bluefield University: In Virginia, hackers hijacked the school's emergency alerts system and used it to issue threats directly to students and faculty. The attackers said the stolen files would be leaked online if the university did not pay their demand. The attacker posted: "We have admissions data from thousands of students. Your personal information is at risk to be leaked on the darkweb blog. If we don't receive payment, full data leak will be published!!!!!!!!"

 

June 2023 - The University of Manchester: With over 10,000 staff and 45,000 students, the university confirmed it had been successfully attacked, and data belonging to alumni and current students was accessed and removed. In a statement, The University of Manchester stated, "It has been confirmed that some of our systems have been accessed by an unauthorized party and data have likely been copied."

 

August 2023 - Carnegie Mellon University: After the Information Security Office at CMU detected suspicious activity on its computer system, the school launched an investigation and recovery operation, revealing that an unauthorized external actor had accessed the CMU computer system. After months of investigation, assistance from law enforcement, and a comprehensive review of the event, CMU deduced that the threat actor "may" have copied files that contained personal information. The institution released a notice in January that the incident had occurred.

 

August 2023 - University of Michigan: U-M took the extreme step of partially disconnecting its network from the Internet after suffering what it described as a "significant security concern." The school believed the unauthorized third party could access personal information relating to certain students, applicants, alumni, donors, employees, contractors, University Health Service and School of Dentistry patients, and research study participants. The impacted information included Social Security numbers, driver's license or other government-issued ID numbers, financial accounts or payment card numbers, and health information.

 

Trustwave Threat Intelligence

 

The upcoming Trustwave SpiderLabs report is the latest in a year-long series that has addressed security concerns and is part of an ongoing research project studying how cybercriminals attack various vertical markets. The reports offer insights into the threat groups, tactics, and mitigation processes organizations can put in place to protect themselves.

 

To gain a more comprehensive understanding of the overall situation, please also read:

 

Trustwave will host a webinar breaking down the 2024 Education Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies on Thursday, February 22, 2024 at 9:00am CST | 3:00pm GMT.

 

 

 
