At a glance.
- Buffalo Public Schools hit with ransomware.
- Update on the Verkada security video incident.
- An easy hack of SMS texts.
New York school district a victim of ransomware attack.
The Buffalo News reports that Buffalo Public Schools (BPS) in the US state of New York has experienced a ransomware attack, and the disruption to its networks led the district to cancel remote classes last Friday. The timing couldn’t have been more inconvenient, as five thousand students were expected to return to school buildings on Monday for the first time since the pandemic forced so many learning institutions to close their doors. By working through the weekend, the district administrators were able to restore enough system functionality to announce that they could resume some instruction today, with full operations anticipated on Wednesday. They did not disclose whether a ransom was requested or paid, and an investigation is being conducted in collaboration with GreyCastle Security and the Federal Bureau of Investigation (FBI). Though the district’s official statement described the attack as an “unanticipated interruption,” the Buffalo News points out that, perhaps, it should have been anticipated. The FBI, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center have warned since last fall that schools have a heightened risk of attack. In a joint advisory, they stated that the percentage of reported ransomware incidents involving K-12 schools last year rose from 28% in January through July to a staggering 57% in August and September. Schools’ increased reliance on technology during the pandemic, combined with the fact that most schools do not have access to robust cybersecurity tools, makes them prime targets.
Reflecting on the Verkada security video hacktivist breach.
As the CyberWire noted last week, hacktivist group APT-69420 successfully breached video surveillance firm Verkada, tapping into the live feeds of approximately 150,000 cameras used by the company’s clients in an effort to demonstrate the ubiquity of surveillance technology and the ease with which it can fall into the wrong hands. ComputerWeekly examines the ramifications of the attack and what it says about surveillance tech. The hackers executed the operation after finding Verkada admin credentials exposed on the web, and if they’d had malicious intent, they could have utilized root access to Verkada’s systems to set up future attacks. CEO and co-founder of Keeper Security Darren Guccione stated that the breach’s simplicity is what makes it so alarming: “These account credentials were found online [so] a cyber criminal with the right resources and access to the dark web could have eventually accessed them.” The incident highlights the need for organizations to be more vigilant about the security controls protecting their surveillance devices.
Overlooked SMS vulnerability allows for easy hacking.
Vice explains how, in the interest of research, they allowed a hacker who calls himself Lucky225 to prove he could take over a Vice employee’s SMS account for as little as $16. Not only did the attacker quickly and imperceptibly hack into the target’s text messages, he also used the info found there to infiltrate the target’s WhatsApp account and dating apps, all without disrupting the target’s phone service or functionality. Sakari, a company that supports marketing and mass messaging endeavors for other companies, provides a service that will reroute messages for their clients.
By tricking the company into thinking he had the user’s consent, the hacker took advantage of this unnoticed attack vector. "I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA [Letter of Authorization] info with fake info," Lucky225 explained. As Sakari apparently didn’t verify the authorization before giving the hacker access, an attack like this takes very little effort or technical know-how, and the fact that it doesn’t require hijacking the victim’s SIM card means it can easily go undetected. When contacted for a response, Sakari co-founder Adam Horsman told Vice that the company has "a robust process for verification...including validating each client’s business email address, manual review by a team member whenever an account requests an upgrade to a paid plan, and confirming a genuine payment method." He also stated that Sakari will be reviewing all text-enabled numbers in their system to ensure this doesn’t happen again.
But Sakari is just one of many companies that offer such services, and because SMS is not as heavily regulated by the Federal Communications Commission (FCC) as voice communications, the repercussions are distressing. FCC Acting Chairwoman Jessica Rosenworcel responded, “We need to better understand this potential vulnerability and make sure we are taking the right steps to protect and educate consumers.”