Feds: K-12 Cyberattacks Dramatically on the Rise

Attackers are targeting students and faculty alike with malware, phishing, DDoS, Zoom bombs and more, the FBI and CISA said.

The feds have warned that cyberattacks on the K-12 education sector are ramping up alarmingly.

In an alert from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), officials said that data from the Multi-State Information Sharing and Analysis Center (MS-ISAC) shows that in August and September, 57 percent of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to just 28 percent of all reported ransomware incidents from January through July.

Ransomware is not the only problem, though – CISA and the FBI said that trojan malware, distributed denial-of-service (DDoS) attacks, phishing and credential theft, account hacking, network compromises and more have all been on the rise since the beginning of the school year.

“Whether as collateral for ransomware attacks or to sell on the dark web, cyber-actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services,” according to the joint advisory [PDF], issued Thursday. “The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack. In addition, educational institutions that have outsourced their distance learning tools may have lost visibility into data security measures. Cyber-actors could view the increased reliance on — and sharp usership growth in — these distance-learning services and student data as lucrative targets.”

On the ransomware front, malicious cyber-actors have been adopting tactics previously leveraged against business and industry, while also stealing and threatening to leak confidential student data to the public unless institutions pay a ransom.

The five most common ransomware variants identified in incidents targeting K-12 schools this year are Ryuk, Maze, Nefilim, AKO and Sodinokibi/REvil, the feds noted.

“Unfortunately, K-12 education institutions are continuously bombarded with ransomware attacks, as cybercriminals are aware they are easy targets because of limited funding and resources,” said James McQuiggan, security awareness advocate at KnowBe4, via email. “The U.S. government is aware of the growing need to protect the schools and has put forth efforts to provide the proper tools for education institutions. A bill has been introduced called the K-12 Cybersecurity Act of 2019, which unfortunately has not been passed yet. This type of action by the government will start the process of protecting school districts from ransomware attacks.”

[Figure: Top K-12 malware. Source: MS-ISAC.]

Meanwhile, other malware types are being used in attacks on schools – with ZeuS and Shlayer the most prevalent. ZeuS is a banking trojan targeting Microsoft Windows that’s been around since 2007, while Shlayer is a trojan downloader and dropper for macOS malware. These are primarily distributed through malicious websites, hijacked domains and malicious advertising posing as a fake Adobe Flash updater, the agencies warned.

Social engineering in general is on the rise in the edtech sector, they added, against students, parents, faculty, IT personnel or other individuals involved in distance learning. Efforts include phishing for personal or bank-account information, malicious links to download malware and domain-spoofing techniques, where attackers register web domains that are similar to legitimate websites. Here, they hope a user will mistakenly click and access a website without noticing subtle changes in website URLs.
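For defenders, the domain-spoofing pattern described above can be screened for in mail and proxy logs. The following is an added example, not part of the advisory or the original article; the allowlist, the character-folding table and the two-label "registrable domain" shortcut are assumptions made for illustration.

```python
import unicodedata

# Constructed allowlist for a hypothetical district; replace with your own domains.
LEGIT = ("examplek12.org", "zoom.us", "google.com")

# Character swaps commonly used to make a spoofed name look right at a glance.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Lowercase, strip accents and fold look-alike characters so that
    visually similar names compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(FOLD).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (verdict, imitated_domain) for a domain seen in mail or proxy logs."""
    d = domain.lower().rstrip(".")
    for legit in LEGIT:
        if d == legit or d.endswith("." + legit):
            return ("legit", legit)
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    registrable = skeleton(".".join(d.split(".")[-2:]))
    for legit in LEGIT:
        if d.startswith(legit + ".") or ("." + legit + ".") in d:
            return ("lookalike:embedded", legit)   # real name used as a subdomain
        if registrable == skeleton(legit):
            return ("lookalike:homoglyph", legit)  # e.g. "1" for "l", "rn" for "m"
        if edit_distance(registrable, skeleton(legit)) <= 1:
            return ("lookalike:typo", legit)       # one character added, dropped or changed
    return ("unknown", None)
```

A distance threshold of 1 keeps false positives low on short names; anything flagged is a candidate for review, not proof of malice.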

“While schools and IT professionals may focus on acquiring the technology to prevent phishing emails from entering the teachers and staff mailboxes, it will be necessary to educate them properly,” McQuiggan said. “Implementing a robust security awareness program will be essential to help educate staff, teachers, and administration to effectively spot a phishing email and report to their IT departments to handle swiftly.”

Meanwhile, disruptive attacks like DDoS efforts and Zoom-bombing are also becoming more frequent, according to the alert.

“The availability of DDoS-for-hire services provides opportunities for any motivated malicious cyber-actor to conduct disruptive attacks regardless of experience level,” it read. “[And] numerous reports received by the FBI, CISA and MS-ISAC since March 2020 indicate uninvited users have disrupted live video-conferenced classroom sessions. These disruptions have included verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees.”

Attackers also are continuing to exploit the evolving remote learning environment, officials warned, often using exposed Remote Desktop Protocol (RDP) services to gain initial access for further attacks.

“For example, cyber-actors will attack ports 445 (Server Message Block [SMB]) and 3389 (RDP) to gain network access,” the alert noted. “They are then positioned to move laterally throughout a network (often using SMB), escalate privileges, access and exfiltrate sensitive information, harvest credentials or deploy a wide variety of malware.”
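The two behaviours the alert describes, outside access to ports 445 and 3389 followed by SMB-based lateral movement, can both be surfaced from firewall or flow logs. This is an added detection example, not code from the alert or the article; the log format, the internal address range and the fan-out threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: time, source, destination, destination port, action.
SAMPLE_LOG = """\
2020-12-10T08:01:02 203.0.113.50 10.20.0.15 3389 ALLOW
2020-12-10T08:01:09 203.0.113.50 10.20.0.15 445 DENY
2020-12-10T08:03:40 10.20.0.31 10.20.0.15 3389 ALLOW
2020-12-10T08:10:11 10.20.0.15 10.20.0.21 445 ALLOW
2020-12-10T08:10:12 10.20.0.15 10.20.0.22 445 ALLOW
2020-12-10T08:10:13 10.20.0.15 10.20.0.23 445 ALLOW
2020-12-10T08:10:14 10.20.0.15 10.20.0.24 445 ALLOW
2020-12-10T08:15:00 10.20.0.40 10.20.0.5 445 ALLOW
"""

INTERNAL = ipaddress.ip_network("10.20.0.0/16")  # assumed school address space
WATCHED = {445: "SMB", 3389: "RDP"}              # ports named in the alert
FANOUT_THRESHOLD = 4  # assumed: distinct internal SMB peers before a host is flagged


def analyze(log_text):
    """Return (exposed, fanout): allowed outside-to-inside SMB/RDP connections,
    and internal hosts talking SMB to many internal peers."""
    exposed, smb_peers = [], defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        _, src, dst, dport, action = parts
        if action != "ALLOW" or not dport.isdigit() or int(dport) not in WATCHED:
            continue
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        port = int(dport)
        if src_ip not in INTERNAL and dst_ip in INTERNAL:
            exposed.append((src, dst, WATCHED[port]))   # service reachable from outside
        elif src_ip in INTERNAL and dst_ip in INTERNAL and port == 445:
            smb_peers[src].add(dst)                     # candidate lateral movement
    fanout = {s: sorted(p) for s, p in smb_peers.items() if len(p) >= FANOUT_THRESHOLD}
    return exposed, fanout
```

File servers and domain controllers legitimately receive SMB from many clients, but a workstation initiating SMB to many peers is unusual, which is why the fan-out is keyed on the source.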

Other initial access efforts include exploiting known vulnerabilities in end-of-life (EOL) software, which no longer receives security updates, technical support or bug fixes. Unpatched and vulnerable servers are rife in the K-12 educational environment, where schools often face funding shortages.

“Cyber-actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year,” according to the joint alert. “These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments.”
