EDUCATIONAL PLATFORMS: Why is it a favorite target among Attackers?
Educational Institutes are an easy prey for hackers to compromise and covertly launch Cyber Attacks/Malicious Campaigns under the hood, without divulging their real identity. This is majorly caused due to the reckless attitude of IT Administrators towards their Network Assets as the software programs (which are being used in the production) needs to undergo several patches/updates to mitigate any exposed risk.
Here, we are going to discuss each Threat Vectors where Educational Institutes are being targeted and being used for possible malicious campaigns or exploitation.
It is notable that there is a significant rise of “Database Trading” detected on various underground hacking forums or DarkNet Marketplaces during this pandemic (COVID-19). The compromised databases (University/Schools) are being sold on different underground forums and are bagging huge amounts (in the form of Cryptocurrency) into their Hot or Cold wallets.
The above listed screenshots are just an example to back the statement for Database Trading at large (if you note the Timestamps) and sometimes, it is distributed for free on such communities.
It is also important to note that the Online Educational Platforms are also being targeted on a continual basis. One of the largest breaches was the compromise of Online learning Platform “Unacademy” that got hacked and put for sale on Dark Web Marketplace for $2,000 consisting of 22M Userbase in May, 2020.
Note: The Empire Market (Dark Web Marketplace) had gone exit scammed in August 2020, after a long standing for 3 years.
Another Indian Tutor website “Vedantu” observed a data breach in 2019, exposing ~700K Student/Tutor Records.
EDUCATIONAL INFRASTRUCTURE FOR SALE
It is common to find the vulnerable/open systems (Academic Infra) among the listing with other compromised servers in the Cyber Criminal Black Markets, but uncommon for the general public. Adversaries gain access to such systems using various methods like Spear Phishing Emails, Open RDP Access, Unprotected Elastic Servers etc. It is a common practice among criminals to conceal their presence (in the victim environment) after compromising the targeted systems, prevailing a backdoor access for extended network access(commonly called Lateral Movement) in order to sell the same on various Marketplaces.
Some of the smooth offerings made in this arena are:-
Webmail CPAnel Access
Microsoft Webmail O365 Access
While offering the offensive services, it is remarkable that the hackers/adversaries are redefining their rules of etiquette by providing the legitimacy of the sources like whether the listed assets are in working condition, hence showcasing a professional line. The timestamps proves that the listed hacked accounts are recent, which again amplifies the trust factor for the Exploit Seekers.
Outcome: Once the actor gains access to the University Infrastructure (such as Email), the same can be used to launch a Spear Phishing Email Campaigns against any entity, as Educational Domains are (generally) not included in any of the Blacklist, hence clearing the initial level of defense (traffic from blacklisted IPs are usually blocked). This can also be used for Impersonation Attacks, hence leveraging access to any restricted system (which is being defined via admin policies).
DOMAIN LIST OFFERING[.EDU]
Another kind of novice threat to the Academic Domain is the selling of a large number of Educational Domain lists, hence narrowing down the effort of hackers to find vulnerable systems.
Once identified, the actor can scan for the targeted network — look for the unsecured Ports/Services, mirroring the website, Exploiting the Weaknesses (in case of unpatched), Gaining Unauthorized Access, Stealthy Integration to a Bot Army (Botnet), Launch DDoS and any imaginable Cyber Destruction.
Note: This threat is not only pertaining to the Educational domain, but also affects other TLDs and Country-Specific TLDs.
CREDENTIAL LEAK FROM EDU-PLATFORMS
There are ample of Credential leaks for Online Educational Platforms (or MOOCs) surfaced on Deep Web, which are being captured by various methods such as Keylogging, Spyware Activity, Running Malicious Stealthy Programs etc and are shared on various Deep Web channels.
Below is a list of Email-Password combination of Udemy Accounts appeared on a Turkish forum:-
Here is another listing of Username-Password Combo for Code Academy Accounts found on an individual blog:-
It is notable that the passwords are in plain-text which would facilitate adversaries to launch a Password-Spraying Attack on various digital platforms of the targeted individual.
There are various dedicated checker programs available for each Educational Platform such as Udemy, CodeAcademy, Coursera etc.
Note: Checker Programs are used by attackers to launch Brute Force logins on multiple platforms to check whether the acquired credentials are in working state or not.
Similarly, there are various cracked Academic Programs which are being offered for cheaper prices on the Underground Dark Web Marketplaces.
As the education is provided for cheaper or free, it can be considered as a Robinhood Act, but cracking into the personal accounts are not justifiable.
ATTACKS— RISE OF RANSOMWARE INFECTION & HACKTIVISM
It is an undeniable fact that there are many prestigious Academic Institutes hit by numerous ransomware programs at different timelines. By closely inspecting the same fact, it is evident that Ransomware Attacks seen a sudden uptick since 2016; as the victims became ready for the negotiation offered by the hackers in order to recover the files, by paying the ransom. This ignited the interest of attackers and began to invest more resources for the Ransomware Programs.
Outcome: Now, you may know several RaaS (Ransomware as a Service) programs like Smaug, GandCrab, Project Root along with major Ransomware Gangs like Maze, Clop, Netwalker, Nefilim, REvil, Snake and their experimental business strategies like Live Data Auction, Storage as a Service, Affiliate Programs, Feedback Collection etc.
Here is a list of few Universities who had paid Ransomware Operators to gain back the compromised data:-
UNIVERSITY OF CALGARY — 2016 — Paid $20,000
HORRY COUNTY SCHOOL DIST. — 2017 — Paid $8,500
LOS ANGELES VALLEY COLLEGE — 2017 — Paid $30,000
UNIVERSITY OF MAASTRICHT — 2020 — Paid $220,000
UNIVERSITY OF UTAH — 2020 — Paid $457,059 to Netwalker (Suspected)
UNIVERSITY OF CALIFORNIA — 2020 — Paid $1.14M to Netwalker
MAYNOOTH UNIVERSITY — 2020 — Paid Undisclosed Amount
UNIVERSITY HOSPITAL NEW JERSEY — 2020 — Paid $670,000 to SunCrypt
It is also interesting to note that the BlackBaud Hack took place recently (May 2020) that compromised more than 10 Universities from the UK, US and Canada.
Note: BlackBaud is a Cloud Hosting Provider majorly used by Educational Institutes and various Non-Profit Organizations.
Here is a list of Educational Institutes who were hit by various Ransomwares in 2020.
The Hacking Campaigns orchestrated by APT Groups such as Silent Librarian(Iran) against Global Universities is the newest evidence that the attacks against Educational Institutes are on a rife.
Nowadays, though many institutes are aided by Cyber Extortion Insurances (Cyber Extortion Coverage from IRMI is one such), it would be a healthy practice to patch up the old legacy tools in order to keep the cyber attacks at a bay.
> Quick fix to the Open/Unsecured ports, especially RDP and Elastic/Mongo
> Never to fall for any phishing email attachments/links
> Not to blindly trust request coming from EDU Domains
> Disown the used passwords in Educational Moocs Platform
> Regular Data Backup
> Isolate the Mirror/Backup Archives from Mainframe Systems
> Never pay demanded ransom, in case of Ransomware Attack
The largest IoT Botnet “Mirai” brought down various online services such as OVH, Netflix, Spotify, PayPal etc was created in a University Dorm Room.
Dear Sys-Admins! Never under-estimate the power of Educational Platforms!!!
Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)
Note:- The Article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.