CISA’s new focus on public entities: How the dark web can light the way

Your school, hospital, or other public facility needs to be on the dark web, and you need to be there now. To see why let’s look at a recent school system breach.

A large U.S. school district got hit with ransomware over the Labor Day weekend, making headlines. It may have spurred Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), to announce a new focus on securing “target-rich, resource-poor” entities, namely “water, hospitals, and K-12 schools.”

She touted the breached school district’s response as a study in what to do right: administrators reported the incident immediately to CISA and the FBI, which enabled them to begin investigating early. Perhaps as a result, the district refused to pay the enormous ransom. Although the bad actors did release data from the hack on the dark web, officials said none of it was damaging.

Officially, no one knows how the attackers got in. But we have pieced together a plausible scenario using threat intelligence. And we have some interesting advice for how “target-rich, resource-poor” entities, as well as others, can better avoid breaches now and in the future.

What we know

School are always in session for ransomware attackers, who target educational and other institutions for public money and sensitive data. School system breaches are increasingly common, according to news reports.

Vice Society, a Russian-speaking ransomware gang, claimed responsibility for this attack. After the district refused to pay the ransom it demanded, the group released large amounts of student data on the dark web. Vice Society “disproportionately targets the educational system with ransomware,” CISA has stated.

Vice Society reportedly breached at least eight other U.S. school districts, colleges, and universities so far in 2022.

Shutterstock Images

What we found

In a quick retroactive search of the dark web, we found district login credentials for sale back on Aug. 10, offered by an initial access broker. The site listed is linked to an educators’ platform.

If we’d seen these credentials for sale at the time, we’d have paid the $10 to buy them, found out to whom they belonged, and notified the school district that it needed to reset passwords on this site as well as wipe the machine associated with the compromised account.

A “Redline stealer” was the culprit in this instance, we believe. Redline stealers are a form of malware that harvest login credentials stored on machines and in browsers. Possibly the educator opened a phishing email or clicked on a harmful link when browsing the internet and unwittingly downloaded the malware.

Once harvested, these credentials go on sale in an underground marketplace. The person who buys them can use them to gain access to target platforms.

One marketplace we found offered educator-level access – with access to student data – to a module that runs a popular business application designed for school systems. The attacker may have infiltrated the module’s application to gain access to other applications within the district as well as its IT systems. Once it had downloaded the data, it installed the ransomware and held the data hostage.

How to reduce your chances of a ransomware attack

We spotted school district credentials for sale nearly a month before the ransomware attack occurred. Anyone with good threat intelligence can do the same and take the necessary steps to identify early indications of a potential breach.

What’s more, you can and should block password storage features on your employee devices. Tell your people that these storage methods are not safe. Even those with multi-factor authentication aren’t secure;  criminal organizations can evade the controls with persistence. We recommend using independent encrypted password managers.

Phishing emails and phony websites have become so sophisticated that it’s easy for almost anyone to fall for them. If someone on your team makes this mistake, all their usernames and passwords stored in their browsers and on their devices will be vulnerable.

Tell your employees to use a safe password storage application instead, and delete all saved passwords from their browsers and devices. Routinely wipe device history, as well.

Using a secure password storage application might mean employees must take an added step to login to sites or applications, but the seconds it takes to use them is time well spent if it protects your enterprise and their data from mischief.