EDUCATIONAL PLATFORMS: Why is it a favorite target among Attackers?

Educational Institutes are an easy prey for hackers to compromise and covertly launch Cyber Attacks/Malicious Campaigns under the hood, without divulging their real identity. This is majorly caused due to the reckless attitude of IT Administrators towards their Network Assets as the software programs (which are being used in the production) needs to undergo several patches/updates to mitigate any exposed risk.

School of Villains by Naolito | Source: DeviantArt

Here, we are going to discuss each Threat Vectors where Educational Institutes are being targeted and being used for possible malicious campaigns or exploitation.

DATABASE TRADING

It is notable that there is a significant rise of “Database Trading” detected on various underground hacking forums or DarkNet Marketplaces during this pandemic (COVID-19). The compromised databases (University/Schools) are being sold on different underground forums and are bagging huge amounts (in the form of Cryptocurrency) into their Hot or Cold wallets.

Student Record of Brazil advertised in Raid Forum
Compromised FTP Servers of Academic Sites

The above listed screenshots are just an example to back the statement for Database Trading at large (if you note the Timestamps) and sometimes, it is distributed for free on such communities.

It is also important to note that the Online Educational Platforms are also being targeted on a continual basis. One of the largest breaches was the compromise of Online learning Platform “Unacademy” that got hacked and put for sale on Dark Web Marketplace for $2,000 consisting of 22M Userbase in May, 2020.

Advertised in Empire Market

Note: The Empire Market (Dark Web Marketplace) had gone exit scammed in August 2020, after a long standing for 3 years.

Another Indian Tutor website “Vedantu” observed a data breach in 2019, exposing ~700K Student/Tutor Records.

EDUCATIONAL INFRASTRUCTURE FOR SALE

It is common to find the vulnerable/open systems (Academic Infra) among the listing with other compromised servers in the Cyber Criminal Black Markets, but uncommon for the general public. Adversaries gain access to such systems using various methods like Spear Phishing Emails, Open RDP Access, Unprotected Elastic Servers etc. It is a common practice among criminals to conceal their presence (in the victim environment) after compromising the targeted systems, prevailing a backdoor access for extended network access(commonly called Lateral Movement) in order to sell the same on various Marketplaces.

Some of the smooth offerings made in this arena are:-

Webmail CPAnel Access
Microsoft Webmail O365 Access

Cpanel Access of various Educational Institutes across the globe
Microsoft O365 Domain Accounts for Sale

While offering the offensive services, it is remarkable that the hackers/adversaries are redefining their rules of etiquette by providing the legitimacy of the sources like whether the listed assets are in working condition, hence showcasing a professional line. The timestamps proves that the listed hacked accounts are recent, which again amplifies the trust factor for the Exploit Seekers.

Outcome: Once the actor gains access to the University Infrastructure (such as Email), the same can be used to launch a Spear Phishing Email Campaigns against any entity, as Educational Domains are (generally) not included in any of the Blacklist, hence clearing the initial level of defense (traffic from blacklisted IPs are usually blocked). This can also be used for Impersonation Attacks, hence leveraging access to any restricted system (which is being defined via admin policies).

DOMAIN LIST OFFERING[.EDU]

Another kind of novice threat to the Academic Domain is the selling of a large number of Educational Domain lists, hence narrowing down the effort of hackers to find vulnerable systems.

Domain Sale

Once identified, the actor can scan for the targeted network — look for the unsecured Ports/Services, mirroring the website, Exploiting the Weaknesses (in case of unpatched), Gaining Unauthorized Access, Stealthy Integration to a Bot Army (Botnet), Launch DDoS and any imaginable Cyber Destruction.

Note: This threat is not only pertaining to the Educational domain, but also affects other TLDs and Country-Specific TLDs.

CREDENTIAL LEAK FROM EDU-PLATFORMS

There are ample of Credential leaks for Online Educational Platforms (or MOOCs) surfaced on Deep Web, which are being captured by various methods such as Keylogging, Spyware Activity, Running Malicious Stealthy Programs etc and are shared on various Deep Web channels.

Below is a list of Email-Password combination of Udemy Accounts appeared on a Turkish forum:-

Udemy Accounts listed for free

Here is another listing of Username-Password Combo for Code Academy Accounts found on an individual blog:-

CodeAcademy Account Credentials

It is notable that the passwords are in plain-text which would facilitate adversaries to launch a Password-Spraying Attack on various digital platforms of the targeted individual.

There are various dedicated checker programs available for each Educational Platform such as Udemy, CodeAcademy, Coursera etc.

Checker Program found for Code Academy

Note: Checker Programs are used by attackers to launch Brute Force logins on multiple platforms to check whether the acquired credentials are in working state or not.

Similarly, there are various cracked Academic Programs which are being offered for cheaper prices on the Underground Dark Web Marketplaces.

Premium Courses offered at cheaper prices

As the education is provided for cheaper or free, it can be considered as a Robinhood Act, but cracking into the personal accounts are not justifiable.

ATTACKS— RISE OF RANSOMWARE INFECTION & HACKTIVISM

It is an undeniable fact that there are many prestigious Academic Institutes hit by numerous ransomware programs at different timelines. By closely inspecting the same fact, it is evident that Ransomware Attacks seen a sudden uptick since 2016; as the victims became ready for the negotiation offered by the hackers in order to recover the files, by paying the ransom. This ignited the interest of attackers and began to invest more resources for the Ransomware Programs.

Outcome: Now, you may know several RaaS (Ransomware as a Service) programs like Smaug, GandCrab, Project Root along with major Ransomware Gangs like Maze, Clop, Netwalker, Nefilim, REvil, Snake and their experimental business strategies like Live Data Auction, Storage as a Service, Affiliate Programs, Feedback Collection etc.

Here is a list of few Universities who had paid Ransomware Operators to gain back the compromised data:-

UNIVERSITY OF CALGARY — 2016 — Paid $20,000
HORRY COUNTY SCHOOL DIST. — 2017 — Paid $8,500
LOS ANGELES VALLEY COLLEGE — 2017 — Paid $30,000
UNIVERSITY OF MAASTRICHT — 2020 — Paid $220,000
UNIVERSITY OF UTAH — 2020 — Paid $457,059 to Netwalker (Suspected)
UNIVERSITY OF CALIFORNIA — 2020 — Paid $1.14M to Netwalker
MAYNOOTH UNIVERSITY — 2020 — Paid Undisclosed Amount
UNIVERSITY HOSPITAL NEW JERSEY — 2020 — Paid $670,000 to SunCrypt

It is also interesting to note that the BlackBaud Hack took place recently (May 2020) that compromised more than 10 Universities from the UK, US and Canada.

Note: BlackBaud is a Cloud Hosting Provider majorly used by Educational Institutes and various Non-Profit Organizations.

Here is a list of Educational Institutes who were hit by various Ransomwares in 2020.

The Hacking Campaigns orchestrated by APT Groups such as Silent Librarian(Iran) against Global Universities is the newest evidence that the attacks against Educational Institutes are on a rife.

Nowadays, though many institutes are aided by Cyber Extortion Insurances (Cyber Extortion Coverage from IRMI is one such), it would be a healthy practice to patch up the old legacy tools in order to keep the cyber attacks at a bay.

KEY-TAKEAWAYS

> Quick fix to the Open/Unsecured ports, especially RDP and Elastic/Mongo
> Never to fall for any phishing email attachments/links
> Not to blindly trust request coming from EDU Domains
> Disown the used passwords in Educational Moocs Platform
> Regular Data Backup
> Isolate the Mirror/Backup Archives from Mainframe Systems
> Never pay demanded ransom, in case of Ransomware Attack

The largest IoT Botnet “Mirai” brought down various online services such as OVH, Netflix, Spotify, PayPal etc was created in a University Dorm Room.

Dear Sys-Admins! Never under-estimate the power of Educational Platforms!!!

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

Note:- The Article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.

--

--

--

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Sentinel Portal — Platform Access Update

{UPDATE} Pay The King Hack Free Resources Generator

{UPDATE} XVIP Danh Bai Online Hack Free Resources Generator

Building your Security Program from the ground up

How I Dealt With My Stalker

Learn How Easily Cybersecurity Threats Can Hurt Your Business

🔥[ProBit Exclusive] OGN at 50% Discount

{UPDATE} Driving Academy Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rakesh Krishnan

Rakesh Krishnan

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.

More from Medium

Way To Go Captain Not-So-Obvious

How Breach Assessment can help to reduce Ransomware Attacks

Cybersecurity And Much More Newsletter — Week 13 (2022)

How to Stop Getting Hacked

A cat browsing other cat pictures on the Internet.