The Threat Landscape of the Education Sector
SecurityHQ are anticipating an increase in attacks from 2022/2023 targeting the education sector. According to Gov.uk ‘85% of Higher education institutions’ in the UK have identified breaches or attacks in the last 12 months.
SecurityHQ have identified that the plethora of Internet of Things (IoT) devices being used across school infrastructures provides the perfect initial access vector to internal networks. Targeting vulnerable IOT devices is effective due to the fact these devices are internet connected, and rarely built with security in mind, leading to inherit vulnerabilities which malicious actors can exploit. This has led to the prevalence of the Threat Actor known as Vice Society.
What is Vice Society and Why Should You Care?
Part of what sets Vice Society aside from other ransomware actors/groups is their approach. They often exploit known vulnerabilities, and often will target a sector known for having a limited IT budget, and which also holds a large amount of sensitive data.
Schools hold vast amounts of PII data on those under the age of 18 yet are repeatedly found to be lacking in the most basic cybersecurity controls. Many school IT departments take the form of an IT teacher, not a department. This strikes a contrast to industries like finance, who follow rigid regulations in relation to sensitive information. This has led to a scenario where scores of poorly protected information is almost readily available to malicious actors.
How Does Vice Society Operate?
Vice Society are an opportunistic threat actor, primarily targeting the USA, UK, Spain, and Australia. They are known for using versions of Hello Kitty/Five Hands and Zeppelin ransomware, and obtain initial access through compromised credentials, which is considered typical for threat actors, but have been observed exploiting internet-facing devices.
From here, Persistence is achieved through scheduled tasks, creating registry keys, and utilizing malicious dynamic link libraries (DLLs).
Cybersecurity for too long has been an afterthought of institutions who, in many cases, either do not see the benefit of assigning financial resources to a dedicated cybersecurity program or are prepared to pay a ransom at the expense of their students.
Ransom Demands
Regulatory fines are rampant in the education sector, especially considering that schools and universities have troves of personal data regarding underage students. But these regulations are often not made a priority until it is too late.
In a case of double extortion, the breach of South Carolina based company Blackbaud, led to the details of students from the University of Birmingham being leaked, after the ransom has been paid to malicious attackers. It was reported in 2020 that Blackbaud faced at least 10 lawsuits in the United States over this single breach.
Looking back at Vice Society, when the ransom demands have been analyzed the following can be seen.
- Initial demands by this actor could exceed $1 million.
- Final demands after negotiations were as high as $460,000.
- Vice Society have gone on to assert that they publish all available data in the event of failure to pay a ransom.
These Ransom demands are often published by the threat actor themselves, which allows our SecurityHQ researchers to understand the threat more clearly. Vice Society’s use of diverse ransomware families, which operate across both Windows and Linux systems, shows that they’re continually evolving, and must be considered a dynamic and prevalent threat.
Next Steps with SecurityHQ
A MSSP can help alleviate cyber security issues within education by providing the necessary expertise to bridge any knowledge gap, assist with regulatory compliance, and streamline vulnerability management across the organization.
- SecurityHQ’s Vulnerability Management as a Service (VMaaS) offering can ensure your digital estate is less exposed to malicious actors and is protected and always hardened. This will of course target inter-facing devices, denying malicious actors their initial ingress route.
- Managed Endpoint Protection (EPP) allows any threats targeting a large environment to be prevented and contained, mitigating any potential damage.
- Threat and Risk Intelligence (TRI), means artifacts and intelligence from the Dark Web can be used to give early warning signs, take preventative actions, and even track down the advanced threat actors targeting before they have a chance to launch an attack.