The pandemic forced schools to make a quick transition to remote learning with little resources and weak security postures, and threat actors have increased their attacks.
While ransomware attacks against the education sector are common, experts say threat actors are actively targeting schools this year as classrooms switch to remote learning.
As educators prepare for all the changes brought on by COVID-19 — video conferencing, cyberbullying, new e-learning software and portals — with so many aspects now virtual, there are new threats facing this school year. On top of ransomware attacks, remote learning may attract Zoombombing, denial-of-service attacks (DoS), phishing campaigns, and more. Several school districts have already been affected in just the first week of school alone.
A citywide ransomware attack forced Hartford Public Schools to postpone its first day of school when the software system that delivers real-time information on bus routes was impacted. During a press conference Sept. 8, Hartford Mayor Luke Bronin called the incident “the most extensive and significant cyber attack to hit the city in the last five years. More than 200 of the city’s 300 computer servers were affected.”
Another ransomware attack last week struck the IT systems of Fairfax County Public Schools (FCPS) in Virginia. In a blog posted on September 12, Fairfax County Public Schools provided an investigation update.
“The ransomware issue did not disrupt the distance learning program during the first week of school. However, we are working diligently with the FBI and our cybersecurity consultants to investigate the nature, scope, and extent of any possible data compromise.”
Operators behind Maze ransomware claimed the hack, posting Fairfax County Public Schools to its data leak website, which the group uses to pressure victims into paying ransoms. “FCPS is the 206th public sector entity in the U.S. to be impacted by the ransomware so far this year and the 53rd school district. Operations at up to 1,1190 individual schools and colleges have potentially been affected,” Emsisoft analyst Brett Callow said in an email to SearchSecurity.
Check Point Software Technologies’ research, which looked at the U.S., Europe, and Asia, found that in the last three months, there was a surge in hacker interest in topics related to education, research, and going back to school. The data showed an “increase in attacks, with different methods and tactics being adopted in different regions, with the U.S. presenting the highest increase in academic and research related attacks.”
School cyber attacks increasing
Cyber attacks on local and statement government networks have become increasingly common in recent years. But schools nationwide are dealing with challenges that they have never dealt with before as they transition from in-person to online and vice versa, said SentinelOne vice president Jared Phipps. “This, combined with the rising tide of sophisticated attacks, puts them a no-win situation.”
According to Phipps, SentinelOne has a moderate-to-high level of confidence that there are at least one threat actor group targeting schools.
“Many groups that run ransomware campaigns are opportunistic in what they target,” he said. “What happens with universities and school systems, in particular, is they are typically the weakest in security, they have a ton of exposure, and they do a lot of research. It’s the perfect opportunist target.”
Check Point security engineer Maya Levine also expects an increase in hackers’ efforts to target schools. “The scope of the attack is much larger for them now with so many of the services moving to a virtual space.”
Patrick Thielen, senior vice president and cyber and technology product lead at insurance giant Chubb, said his company has also seen an increase in cyber attacks on schools recently. According to Chubb’s Cyber Index data, threat actors have increasingly targeted both K-12 school systems and higher education in recent years, culminating in a surge this year as many school systems have adopted remote learning. “This is a spike in what was already a long-term trend,” he said of recent attacks.
New research by endpoint security vendor Absolute Software examined the effects of distance learning on endpoint health, device usage, safety, and security as schools adapt to remote and hybrid learning models in the 2020-2021 school year. It revealed that education is still the most vulnerable sector, accounting for 60% of all malware attacks. Also, it showed that ransomware accounts for approximately 80% of malware infections in education, up from 48% in 2019.
Now, as schools reopen during the COVID-19 pandemic, it just gives cybercriminals additional built-in leverage, said Roger Grimes, data-driven defense evangelist for KnowBe4.
“Even without ransomware involved, schools are at their breaking points and beyond,” he said in an email to SearchSecurity. “The only way the schools are coming close to coping with COVID-19 and remote education is because of technology. And if ransomware can disrupt that technology, the easier it is to get victims to pay.”
The good news, according to Phipps, is the most remote learning applications and portals are relatively secure.
“Most of the e-learning is going to SaaS-driven, meaning it’s an application that’s in the cloud secured by someone else, so it’s not a direct network connection to the university environment,” he said. “It’s a web browser-only connection.”
By going virtual, it’s not necessarily the laptop on the students’ remote side that poses a risk, but everything it took to get them there, he said. “There are network boundaries, additional services, authentication services, all these different capabilities you need to enable the at-home learning,” Phipps said. “A lot of these schools set up very rapidly without a lot of control systems and security. That becomes a major factor.”
Additional disruptions to the school year
While ransomware is one of the more disruptive threats to security since it can effectively shut down a school or district, there are other school cyber attacks that can cause disruption and damage.
“Zoombombing is one type of attack we’ll likely see, but it can be avoided pretty easily if teachers take advantage of and utilize the security features offered by the platform,” Levine said. “However, denial of service attacks will be incredibly disruptive to schools like the one recently in the Rialto district.”
The cyber attack against the California school district shut down virtual classes. The district posted a statement to Twitter on Aug. 24.
“Rialto Unified School District has been affected by malware, which is software that is specifically designed to disrupt, damage, or gain unauthorized access to computer systems. This impacted the operation of our computer systems. The District shut down our network and internet immediately after discovering the issue.”
Check Point research found the average number of weekly attacks per organization in the academic sector between July and August increased by 30%. The security vendor determined that the main increase came from distributed denial-of-service (DDoS) attacks.
Phishing is another major threat that can be used to gain access to school systems, as well as students and their parents’ data. If hackers obtain this data, they can sell it, Levine said.
“The student records held in the main offices; those records will be exposed at some stage during the attack. Whether the attacker takes them and exfiltrates them, that’s a different story. But the loss of student data is definitely higher,” Phipps said.
In addition to phishing and business email compromise attacks, Thielen said Chubb has also observed a particularly alarming trend of cybercriminals stealing children’s personally identifiable information. “Increasingly what they’re looking for is information that they can use to socially coax identification data out of children,” Thielen said. “One of the reasons that bad actors view children’s identities as a gold mine is that they can exploit that information for more than a decade before it’s recognized when they go to apply for credit for the first time.”
Check Point education research found that over 35,149 new domains were registered around the back-to-school theme the past three months, 512 of them were found to be malicious, with another 3,401 suspicious. Malicious domains are set up to serve malware, phishing pages, and more. Levine often said victims are completely unaware that they have even clicked on a malicious link and downloaded malware.
“Teachers are communicating with new people and companies and getting a lot of unexpected but legitimate email,” Grimes said. “So, I can see how easy it would be for a malicious hacker to slip in a phishing email to teachers and administrators and for it to be opened and acted upon more often than usual. Phishers live for stressful events, and pandemics and schools are at the biggest intersection of stress you can imagine.”
Security recommendations for schools, students
There are no quick fixes to these challenges facing the virtual school year. With new threats and few resources, there’s only so many schools can do to protect themselves.
What they need more than anything, Phipps said, is some effort from the government to provide basic security.
“If attackers were shutting down U.S. shipping ports, or in the case of a school, showing up in person and damaging the complete infrastructure and demanding money, the government would be all over it,” he said. “Yet they are leaving our educators to fend for themselves with little to no assistance. This cannot be allowed to continue — our schools are outgunned, and they need help securing their endpoints and protecting themselves from motivated criminal groups who are only too willing to take advantage of the current climate.”
According to the report by Absolute, IT teams are doing more with less. “While federal stimulus packages may help in the short term, long term budgets are uncertain: $750B predicted decreased in state and local government budgets, $500 incremental per student distance-learning costs and $3.7B additional COVID-19 costs.”
“While it is reasonable to expect companies and schools to provide a good security posture, the level of attacks is increasing at a dramatic level,” Phipps said. “Governments are turning a blind eye, allowing cybercrime groups to operate with impunity, and until Western governments start to demand some accountability, the number of these attacks will only increase. I highly recommend organizations examine their security posture now.”
Thielen recommended some basic steps for schools to reduce their attack surfaces, such as security awareness training for officials to prevent phishing attacks and implementing better access control for remote learning tools and platforms. In addition, parents can freeze their children’s credit to prevent identity theft and explore new devices or apps for additional security controls like two-factor authentication that schools may not have enabled by default.
The key to a successful defense, according to Grimes, is also awareness, especially when it comes to ransomware and phishing threats.
“There is no technology that can stop all phishing attacks. There never has been and never will be. And because of that, every good computer defense needs a strong and frequent educational component, especially against phishing and ransomware,” he said. “Phishing and ransomware are responsible for 70 to 90% of all breaches, yet most organizations, including schools, spend less than 5% of their IT security budget on preventing. It’s a fundamental misalignment that hackers depend on.”