Ransomware Attacks Now Targeting School Systems

Ransomware Attacks Targeting Schools

Ransomware attacks are nothing new. Thousands of businesses have fallen prey to malicious attackers for decades, paying billions in ransom and disrupting operations from a few days to a few months. And that number is only growing.

According to FortiGuard Lab’s 2021 Ransomware Survey Report, ransomware attacks have increased by almost 1,100% year-over-year. While we most often associate attacks with banks and mega-corporations, the truth is ransomware attacks are no longer for the enterprise only. K-12 and higher education institutions appear to be the latest victims, seemingly fueled by the 2019 COVID pandemic.

The COVID Impact on Ransomware Attacks

The COVID pandemic of 2019 disrupted our lives, how we learn, and our approach to work. As the world was forced to go remote, many organizations weren’t prepared for the shift to remote working and virtual learning. And neither were their security systems and teams.

The Information Systems Audit and Control Association (ISACA) explains how the threat landscape expandedwhen unprepared businesses and schools had to go remote to adapt to the pandemic. Employees, teachers, students, and consumers did everything remotely—shopping, teaching, learning, and working.

School systems became more digitally connected than ever before, using platforms like Zoom and Google Classroom to teach students virtually. And attacks like “Zoom-bombing,” where uninvited guests gain control of screens and disrupt classes, became more commonplace. With such a vast threat landscape, the vulnerabilities were virtually limitless.

The 2022 Labor Day weekend ransomware attack on the Los Angeles Unified School District (LAUSD)—the second-largest U.S. school district—is yet another example. Whether they’re attacking one of the largest districts in the country or a small, budget-challenged school district, school ransomware attacks spread far and wide. But the attacks are especially tough on smaller, poorer schools that lacked the resources and didn’t prepare for the immediate shift and technical requirements for remote teaching.

“School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cybercriminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.” – FBI and CISA bulletin

But the LAUSD attack is far from the only educational institution impacted. The surge in ransomware attacks on schools has been so profound that President Joe Biden signed the K-12 Cybersecurity Act of 2021 into law to strengthen cybersecurity in schools. The act “directed CISA to work with teachers, school administrators, and private sector firms to develop recommendations and an online toolkit that can help schools improve their security, from securing student data to security challenges with remote learning.”

And after the LAUSD, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint bulletin warning of even further increases in attacks. That’s on top of the 1,000-plus educational institutions that have already suffered a ransomware attack since 2019.

Despite acts written into law and many warnings and bulletins, schools are still dealing with the ramifications of attacks by malicious actors.

The Implications of Ransomware on Schools

As the name implies, ransomware attacks use malware to “encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. [They] often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”

Cybersecurity Dive, an online newsletter for news on cybersecurity, breaches, and threats, shared that, on average, higher education organizations reported average remediation of $1.42 million per attack. K-12 reported an even higher $1.58 million. While these financial payouts are a huge hit to schools, they’re not the only implication of ransomware attacks:

  • Unauthorized access to personally identifiable information (PII). ISACA highlights unauthorized access to confidential information, such as names, addresses, social security numbers, and financial details as one of the most important factors to consider. If accessed by the wrong people (attackers), students (and teachers or staff) could become victims of identity theft. And schools may have lawsuits on their hands for not properly caring for the highly confidential and valuable information hackers accessed in the data breach.
  • Delays, disruptions, and restricted access. The CISA security alert discussed some of the less critical but still impactful ramifications of data breaches within schools. These include restricted access to networks and data, delays in exams, canceled classes for the day, and downtime.According to a 2022 Sophos study of 730 IT professionals in the education sector, it takes twice as long to recover after an attack than with organizations outside of the education industry. Forty percent reported it taking more than a month, 31% said between one and three months, and 9% recovered between three to six months later.
  • The new ransomware target. Education just might be the new prime target for ransomware attacks. The same Sophos study revealed that educational institutions were attacked even more in 2021 than the previous year, impacting nearly two-thirds of higher education organizations. And for K-12? Ransomware hit more than half of them. The attacks have many implications, but for higher ed, 97% of respondents said they impacted their ability to operate, which can have long-term effects, like permanently closing their doors.

How You Can Fight Back

While ransomware attacks aren’t going away anytime soon, whether you’re a 40,000-student college campus or a small rural school, there are ways to fight back. We also recommend working with a team of security professionals who can set up and continually monitor your network to help prevent and mitigate the effects of a data breach.

So, if you’re ready to combat malicious attacks, contact us today to see how Lightstream can protect your school’s data from breaches.

Mandatory 36-Hour Breach Reporting Window for U.S. Banks

Log4j vulnerability unpatched

In November of 2021, the Agencies, comprised of the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Federal Reserve Board (FRB), passed a regulation that requires banks to notify regulators no more than 36 hours after they identify that a security incident (that rises to the level of a “notification event”) has taken place. The regulation required full compliance by May 1, 2022. FDIC-supervised banks will report incidents to their case managers while banks that are regulated by the Board of Governors of the Federal Reserve System will need to inform the board. The Agencies explain though that not every data security incident is a notification event. According to the rule, a computer-security incident is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores or transmits. An incident requiring subsequent notification is defined as a ‘computer-security incident’ that has disrupted or degraded a banking organization’s operations and its ability to deliver services to a material portion of its customer base and business lines”

 Read the full bulletin

VMWare Infrastructure Actively Exploited to Compromise Organizations

VMWare Infrastructure Actively Exploited to Compromise Organizations

VMWare Infrastructure Actively Exploited to Compromise Organizations. CISA, the Cybersecurity and Infrastructure Security Agency, has issued an emergency directive highlighting an escalation of successful attacks against commonly deployed enterprise components of VMWare virtual infrastructure. The directive points to an escalation of successful attack against a series of VMWare vulnerabilities that are exploited independently, or in combination, to fully compromise VMWare infrastructure in these organizations. While VMWare has issued patches for these vulnerabilities, attackers have quickly reverse engineered them to develop and weaponize exploits now appearing in the wild.

The attacks highlighted require network access, but successful attackers have utilized 3rd party network access and web exposed servers to compromise vulnerable VMWare components and gain full access.

Business Impact

Exploitation of this set of vulnerabilities gives attackers complete control over the VMWare virtual infrastructure. This means that critical business systems can be manipulated, destroyed, or silently monitored by attackers. If your organization depends on VMWare components highlighted below your business is likely at risk of compromise.

Security Impact

The CVE numbers for the critically impacted vulnerabilities are CVE-2022-22954, CVE-2022-22960, CVE-2022-22972, CVE-2022-22973; however, the primary point of attack has been CVE-2022-22954 which has a CVSS score of 9.8 (originally published 4/11/22) and results in a potential Remote Code Execution (RCE). It is recommended that any exposed components to the Internet should be assumed compromised and disconnected/investigated immediately. VMWare customers should also immediately deploy additional monitoring of their VMWare infrastructure and monitor for IOCs.

VMWare Infrastructure Actively Exploited to Compromise Organizations Urgent Actions Required

  1. Identify VMWare Workspace ONE Access and Identity Manager infrastructure, scan for vulnerabilities
  2. Disconnect/investigate infrastructure with missing patches exposed to the Internet, or 3rd party access
  3. Urgently apply missing patches described above in VMWare infrastructure, monitor for compromise

Recommendations

The vulnerabilities are present in the following VMWare components: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. These should be placed under heightened security monitoring, patches urgently applied (if not already done) and threat hunt activity should be initiated using the available Indicators of Compromise (IOCs). This situation highlights the criticality of operating a vulnerability management program.

 Read the full bulletin

LIGHTSTREAM Joins MICROSOFT INTELLIGENT SECURITY ASSOCIATION as a Managed Security Service Provider

Lightstream is a member of MISA

Salt Lake City, UT (March 29, 2022) — Lightstream,   a managed security solutions provider, is pleased to announce their membership in the Microsoft Intelligent Security Association (MISA). MISA is an ecosystem of independent software vendors and managed security service providers that have integrated their security solutions with Microsoft to better defend against a world of increasingly sophisticated, fast-moving threats.

Lightstream was nominated to MISA as a managed security service  provider (MSSP) for their Managed Detection and Response solutions with Microsoft 365  and Microsoft’s cloud security offerings. This membership strengthens Lightstream’s relationship with Microsoft and broadens the range of high value solutions that drive increased customer value.

Jim Cassel, Co-CEO of Lightstream, shares

It is a privilege to be nominated to the Microsoft Intelligent Security Association and join the top security partners as we align in our commitment to cybersecurity. The timing is paramount as organizations globally will continue to face growing cybersecurity attacks and data breaches in today’s complex environments. Lightstream has the advantage of MISA support to extend, develop and improve cutting-edge security solutions to customers globally.

“Microsoft Intelligent Security Association members leverage Microsoft’s security products to better defend against cyber security threats with identity and access management, threat protection, information protection, and security management,” says Rob Lefferts, Corporate Vice President, Microsoft Defender.

Lightstream Managed Security Services elevates customer success by rapidly improving security outcomes while meeting complex compliance requirements and continually optimizing desired business outcomes. Lightstream’s security and threat protection solution suite offers include Defender for Microsoft 365, Defender for Cloud, Defender for Endpoint, Defender for Cloud Apps, Defender for Identity and XDR capabilities. Lightstream also offers a comprehensive portfolio of cloud, endpoint, and on-premises risk mitigation solutions  focused on operational, technical, and financials risk.

To learn more, visit Microsoft Intelligent Security Association.

For information on Lightstream services and solutions, visit Lightstream.tech

About Lightstream

Lightstream provides full-service cloud, connectivity, and security solutions to enterprises worldwide with a focus on managed services for all three, as well as cloud infrastructure implementation, security, and support.

Lightstream has been named multiple times as a Palo Alto Networks Public Cloud Partner of the Year, and is an AWS Security Competency Partner, an AWS Advanced Consulting Partner, and a Microsoft Cloud Platform Gold Partner with Security Competency. Visit us at http://www.lightstream.tech or LinkedIn.

Media Contact

Daniel Davenport / dan.davenport@lightstream.tech

 

 

 

Millions of Log4j vulnerable systems still unpatched

Log4j vulnerability unpatched

A recent survey by Qualys and published in SC Magazine suggests that after over 3 months, roughly 1 in 3 devices and installations that were affected by the Log4j vulnerability are still unpatched. This number amounts to roughly 22 million vulnerable application installations — and it should be noted that these are just the devices that are readily accessible from the Internet.

Log4j reached critical status towards the end of 2021 when it was discovered that a feature its platform could allow an unauthenticated attacker to take complete control over a remote system. The vulnerability was classified in CVE-2021-44228, and has been extensively discussed in cyber security as well as in a published flash with guidance from the government’s cyber security agency, CISA, who published guidance.

 Read the full bulletin