CISA Warns of Increasing Cyberthreats to US K-12 SchoolsAgency Says Ransomware, Trojans, DDoS Attacks Are Most Concerning
The Cybersecurity and Infrastructure Security Agency is warning that local K-12 schools districts are increasingly under assault by cyberthreats targeting vulnerable networks that are disrupting physical and virtual education throughout the U.S.
See Also: Building the Modern SOC
A CISA advisory notes the most significant cyberthreats to schools include ransomware, Trojans and other malware, as well as distributed denial-of-service attacks, with threat actors likely to view local school districts as opportunistic targets. The agency also says that these types of attacks are expected to continue throughout the current academic year and could be especially disruptive to distance learning.
"These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments," according to CISA.
Over the past several months, these cyberthreats have led to school disruptions throughout the U.S. Last month, Baltimore County Public Schools was forced to cancel online classes just before and after the Thanksgiving holiday when ransomware struck the district's networks (see: Ransomware Attack Targets Baltimore County Public Schools).
In September, Hartford Public Schools in Connecticut canceled classes as a result of a ransomware attack. At about the same time, online instruction at Miami-Dade County Public Schools in Florida was disrupted by DDoS attacks (see: Ransomware and DDoS Attacks Disrupt More Schools).
Since the start of the academic year, cybersecurity experts have been predicting a spike in ransomware and other attacks as new hybrid learning environments go online and unpatched equipment that has spent months in the homes of students and faculty is reconnected to school networks (see: As Classes Resume, Schools Face Ransomware Risk).
The CISA alert notes that five variants of crypto-locking ransomware have been the most prominent between January and September. These include: Ryuk, Maze, Nefilim, Ako, and Sodinokibi, aka REvil.
When Baltimore was hit with ransomware in November, security experts suspected that Ryuk had been used against the district (see: Audit Found Baltimore County Schools Lacked Data Security).
The number of ransomware attacks has intensified since students returned to class in September, CISA notes.
"According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July," the CISA advisory notes.
Brett Callow, a threat analyst with security company Emsisoft, notes that his firm has seen an uptick in the number of attacks targeting schools between the second and third quarter of this year. The company's own statistics show 80 schools and universities have been attacked by ransomware so far this year, compared to 89 recorded incidents in 2019.
"Interestingly, in both years there was a significant uptick in incidents between the second quarter and the third quarter, likely because the attackers delayed deploying ransomware on compromised networks until after the summer breaks when schools would be under more pressure to resolve incidents quickly," Callow tells Information Security Media Group. "This, of course, also means a window of opportunity exists in which compromises could potentially be detected and remediated prior to any data being encrypted."
The CISA advisory notes that the FBI discourages organizations, including school districts, from paying ransom demands.
Trojans and Malware
Besides ransomware, K-12 school districts are susceptible to malware and Trojans, CISA reports, and the agency is tracking 10 prominent variants.
"These malware variants are purely opportunistic as they not only affect educational institutions but other organizations as well," the CISA report notes.
Among the most prominent are two Trojans: ZeuS and Shlayer, CISA notes.
ZeuS is a Trojan with several variants available that target Microsoft Windows operating systems and is mainly used to infect machines and send stolen information to command-and-control servers. Shlayer is a Trojan downloader and dropper for macOS malware. It is primarily distributed through malicious websites, hijacked domains and malicious advertising posing as a fake Adobe Flash updater, according to CISA.
The CISA advisory also notes that DDoS attacks have also increased and have become disruptive to school districts as well as third-party suppliers that support virtual and online learning sessions.
"The availability of DDoS-for-hire services provides opportunities for any motivated malicious cyber actor to conduct disruptive attacks regardless of experience level," CISA notes.
And while DDoS attacks have not garnered much attention over the last several years, analysts say these types of attacks have surged over the last several months and have the potential to be just as damaging as ransomware and other types of cyberthreats (see: Analysts Warn: DDoS Attacks Likely to Surge).