At a glance.
- Los Angeles school district hit by ransomware.
- CISA and FBI issue a Joint Advisory on the Vice Society.
- Comment on the data incident at KeyBank.
Los Angeles Unified School District seeks to recover from a ransomware attack.
The Los Angeles Unified School District (LAUSD), the second largest school district in the US, has disclosed it suffered a ransomware attack over the weekend that caused a “significant disruption” to the district’s infrastructure, TechCrunch reports. Classes are resuming as usual, but LAUSD said that “business operations may be delayed or modified,” and email, computer systems, and applications like Google Drive and the Schoology learning management system might be inaccessible. Fortunately, the district said it doesn’t expect any negative impact on transportation, food, or after-school programs, and “employee healthcare and payroll are not impacted, nor has the cyber incident impacted safety and emergency mechanisms in place at schools.” It’s unclear whether any data were stolen, and Superintendent Alberto Carvalho told the Los Angeles Times that LAUSD has not yet received a ransom demand. LAUSD serves more than 600,000 students and employs more than 26,000 teachers at over 1,000 schools, and Bleeping Computer notes that the Federal Bureau of Investigation and the Department of Homeland Security are joining forces with local law enforcement to investigate the far-reaching incident. "After the District contacted officials over the holiday weekend, the White House brought together the Department of Education, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to provide rapid, incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies," the district said. KTLA adds that the school district is requiring all students and employees to reset their passwords for their district accounts.
Stephan Chenette, Co-Founder and CTO at AttackIQ, sees no coincidence here at all; school reopens, and a very large school district sustains a ransomware attack.
“With kids returning to school all over the country, it is unfortunately no surprise that cybercriminals have seized the opportunity to disrupt essential systems at America’s second largest school district. Educational institutions continue to be an attractive target for cybercriminals because they store large amounts of valuable Personally Identifiable Information (PII) and often lack critical resources for proper security measures. It is unknown how the adversary gained access to the school district’s systems, but it is nonetheless critical for educational organizations to implement security solutions that monitor and scan the organization’s owned and managed assets for potential vulnerabilities in order to prevent disruption.
"School districts’ lack of staff and resources to defend against cyber threats make them an attractive target for cybercriminals. The aftermath of a ransomware attack on underfunded school systems can be crippling, both financially and in loss of data. To prevent another similar attack, school districts should study the common tactics, techniques, and procedures used by common threat actors, which will help them build more resilient security detection, prevention, and response programs mapped specifically to those known behaviors. Organizations should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to better prepare for the next threat.”
Aaron Sandeen, CEO, Cyber Security Works, points out the lapses in hygiene that continue to render schools vulnerable:
“In recent years, the top causes of education breaches include unpatched vulnerabilities, connected devices, exposures in third-party software and exposures introduced by misconfigurations. In this case, an unpatched vulnerability led to Vice Society Ransomware infiltrating Los Angeles Unified School District's systems. This specific scenario was covered in CSW’s 2021 Q3 ransomware report, and in response CSW created a script any organization can run to identify this vulnerability. Furthermore, we advise schools to keep up to date with the K-12 cybersecurity act and other advisories, and implement CISA KEV and advisory patch recommendations sooner rather than later.
"Lack of resources and funding, combined with the usage of legacy systems, is enabling cyberattackers to disrupt the day-to-day operations of schools while stealing valuable information to ransom them for amounts that the schools could ill afford. Ransomware incidents cause significant damage in terms of finances, reputation, and data security. In 2021, U.S. schools lost $3.56 billion due to ransomware attacks, and it led to the shutting down of two educational institutions for good. LAUSD seems to have minimized disruption, but it is certainly another reminder of what schools are up against.”
Steve Moore, chief security strategist at Exabeam, laments the wave of attacks against under-resourced institutions that provide valuable public services:
"It's sad to see these successful attacks against critical services, such as hospitals and schools, which often don't have the resources to manage them. Worse, the importance isn't understood by most until it is fully experienced. Although the LA School District's announcement includes sweeping changes, it's a shame they didn't make them before the crisis.
"People still have a diluted perspective on ransomware. There is enough out there on what it is, how it works, and a massive push to "stop" it, but we never solved the foundational problems that make it possible. Ransomware is a missed intrusion, period - I hope their new Advisory Board understands this. The attacks are only possible because of a weakness in an environment that begins with or later involves compromised credentials. If you unsuccessfully manage intrusions, you will eventually fail amazingly with ransomware.
"Ransomware is on the rise; but again, that is because of these three reasons: 1. We never fixed the core problems (break the cycle of compromise), which allow it to occur. 2. It's profitable for the adversary - therefore, vast incentive. 3. It detects itself, so the reported numbers increase – so anyone can 'find' it."
And Tom Kellermann, senior vice president of cyber strategy at Contrast Security, sees this attack as an instance of threat actors shifting to softer targets:
“The attack against the LA School district should serve as a harbinger. Ransomware crews are shifting to soft targets. Had law enforcement not interceded they would have been crippled. The cybercrime wave continues because law enforcement is forced to combat this global threat with one hand tied behind its back. It is time for US law enforcement to be endowed with the authorities necessary to both actively disrupt the forums associated with these cyber cartels and to disable the virtual currency exchanges that are complicit in laundering the proceeds of cybercrime.”
CISA and FBI issue a Joint Advisory on the Vice Society.
In a related story, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) yesterday issued a joint Cybersecurity Advisory (CSA) warning that the intrusion, exfiltration, and extortion hacking group Vice Society will be targeting the education sector. The #StopRansomware advisory states that, with the start of the 2022-2023 school year, attacks on learning institutions may increase, especially given that schools, with their limited cybersecurity resources and ample sensitive student data, are seen as lucrative targets. Making its first appearance in summer 2021, Vice Society does not use a unique ransomware variant, but instead has deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, usually by obtaining network access through compromised credentials.
Campus Technology notes that the advisory lists specific Indicators of Compromise that administrators should be on the lookout for, such as e-mail addresses, TOR addresses, IP addresses, and file hashes. The CSA goes on to list mitigation strategies, including maintaining encrypted, immutable offline backups of data, reviewing the security posture of third-party vendors and other connected parties, requiring phishing-resistant multifactor authentication for user accounts, and segmenting networks to prevent the spread of ransomware. The advisory adds, “The FBI, CISA, and the MS-ISAC strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
Brian Murphy, founder and CEO of ReliaQuest, thinks the incident in Los Angeles ought to motivate potential ransomware victims to pay attention to this week's advisory from CISA and the FBI about the Vice Society:
“It is no coincidence that there is a cybersecurity attack not even 3 weeks into the new school year on the second largest school district in the country. The hackers know LAUSD cannot close their doors and tell students to stay home; the ramifications and political fallout would be too great.
"Schools and universities have been a priority target for cyberattacks due to their networks being used by a wide variety of people and locations including students, professors, industry partners, research teams, medical institutions, sporting groups, entertainment, etc. Schools are desired by hackers due to their networks being trusted by other organizations; attackers will likely leverage a trusted educational network to try and compromise another target with the hopes that the trusted nature of the education organizations will make it easier to gain access to other networks for profit.
"With the new school year starting out, this is an ideal time of year for an attacker to leverage old tricks on new students. Those who aren’t familiar with proper security practices or hygiene for their connected devices will fall susceptible to today’s attackers, and schools/universities are more likely to pay out given the additional notoriety and disruption at a busy time of year.
"The new joint advisory from the FBI, CISA, and the MS-ISAC on the uptick of ransomware attacks targeting the education sector rings true, and this is only the beginning as they are anticipating an increase in attacks as the school year begins, particularly for K-12 schools because of their collection of sensitive student data. It’s essential for school districts around the world to remember to do the simple and basic things well; ensure that sensitive information is walled off to a limited number of users. For a school district, the student population of the network offers the largest volume of users; it’s essential to confirm the environment is designed to separate student resources from all other resources. School districts will always struggle with limited resources; partner with technology platforms that make it simple to leverage the partners' scale and expertise. Instead of looking for niche systems, they should look for ways to leverage Microsoft, Google, and other environments that allow the school system to operate and educate instead of spending time chasing down technical issues and security events.”
Comment on the data incident at KeyBank.
The incident at KeyBank, in which customer information was compromised in an attack against a third party, elicited some comment from Jeff Williams, co-founder and CTO at Contrast Security, who thinks the breach holds lessons for how organizations should respond to this kind of exposure, especially when it originates with a third party:
“I find it interesting that KeyBank and their supplier were immediately sued for negligence after they reported this breach… even before any details of their actions and inactions were available. Is a security breach evidence that there was negligence by the victim? Surely companies have a duty to protect customer data and cyber attacks are certainly foreseeable. But are security breaches examples of res ipsa loquitur – the thing speaks for itself? Is every breach negligence per se? I don’t think that can be the case. I’m not defending KeyBank or their supplier – I have no knowledge of what they did or didn’t do. But even the best companies, with all the right processes and technologies, make cybersecurity mistakes. I know it’s easy to blame a company in the wake of a breach, but I’m waiting for more information to be disclosed before making judgements.
"I wasn’t impressed with the KeyBank response. I thought the tone was focused on blaming their partner and not on what they could have done better. Why did it take over a month, while attackers were presumably having a field day with the data, to let victims know about the breach? And if it took that long, why is there no transparency about what actually happened? How was it discovered? Do you know how they got in? Is it fixed? Did attackers gain control of any systems, or were they only able to steal data? Is there any ongoing risk? What are they doing to prevent similar attacks in the future?"