FBI: Russian Forums Sell Higher Education Credentials
Agency Spotted Compromised Credentials on Various Dark Web Forums
The FBI is warning the U.S. higher education sector about compromised sensitive credentials and network access information advertised for sale across various public and dark web forums. The agency states that this access to credentials could potentially lead to a cyberattack.
The FBI's Cyber Division sent a "private industry alert" to organizations around the U.S. on Thursday warning that threat actors are continuing to attack US colleges and universities leading to the exposure of user information on these underground forums.
"This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyberattacks against individual users or affiliated organizations," the bureau says. "Credential harvesting against an organization is often a byproduct of spear-phishing, ransomware, or other cyber intrusion tactics."
Using an example from 2017, the bureau says that the cybercriminals targeted universities to hack .edu accounts by “cloning university login pages and embedding a credential harvester link in phishing emails.”
The FBI says the cloned pages harvested the credentials and forwarded them to the cybercriminals in an automated email sent from the attackers' server.
"Such tactics have continued to prevail and ramped up with COVID-themed phishing attacks to steal university login credentials, according to security researchers from a US-based company in December 2021," the alert states.
The impact of cyberattacks on the education sector was highlighted by a December 2021 cyberattack which, combined with the aftereffects of the COVID-19 pandemic, forced the permanent closure of the 157-year-old Lincoln College in Illinois.
A 2021 report by the cybersecurity firm Emsisoft shows that 88 U.S. education sector organizations were affected by ransomware in 2021, of which 62 were school districts while the rest were colleges and universities. The attacks disrupted learning at 1,043 individual schools, the report says.
Targeting Educational Institutions
The FBI's warning states that it has observed incidents of stolen higher education credential information posted on publicly accessible online forums or listed for sale on criminal marketplaces.
"The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyberattacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the bureau says.
The alert further warns that if attackers succeed in compromising a victim's account, they can also attempt to drain the account, exploit credit card numbers and other personally identifiable information, submit fraudulent transactions, conduct criminal activity against the account holder, or use the account for subsequent attacks against any related organizations.
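The credential-stuffing pattern the bureau describes (leaked username/password pairs replayed against many accounts from one source) leaves a distinctive trace in login logs: one source IP failing against many distinct usernames in a short window, unlike a single user mistyping a password. The following detector, an added example that is not part of the FBI alert or this article, runs over constructed sample log lines in a hypothetical "timestamp ip user result" format and flags sources whose failures span at least five distinct accounts, listing any accounts that source logged into successfully so they can be reset first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit lines (not from the article): "ts ip user result".
SAMPLE_LOG = """\
2022-05-26T09:00:01 203.0.113.7 alice@example.edu FAIL
2022-05-26T09:00:02 203.0.113.7 bob@example.edu FAIL
2022-05-26T09:00:02 203.0.113.7 carol@example.edu FAIL
2022-05-26T09:00:03 203.0.113.7 dave@example.edu OK
2022-05-26T09:00:04 203.0.113.7 erin@example.edu FAIL
2022-05-26T09:00:05 203.0.113.7 frank@example.edu FAIL
2022-05-26T09:00:06 203.0.113.7 grace@example.edu FAIL
2022-05-26T09:01:00 198.51.100.9 heidi@example.edu FAIL
2022-05-26T09:01:05 198.51.100.9 heidi@example.edu FAIL
2022-05-26T09:01:09 198.51.100.9 heidi@example.edu OK
"""


def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        yield datetime.fromisoformat(ts), ip, user.lower(), result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"users": n, "hits": [...]}} for each source IP that failed
    logins against at least `min_users` distinct accounts inside one `window`.
    "hits" lists accounts that source then logged into successfully: the
    accounts most likely compromised and worth an immediate password reset."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        events[ip].append((ts, user, ok))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; stop at the first that qualifies.
        for i, (start, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            failed_users = {u for _, u, ok in span if not ok}
            if len(failed_users) >= min_users:
                hits = sorted({u for _, u, ok in span if ok})
                findings[ip] = {"users": len(failed_users), "hits": hits}
                break
    return findings
```

The single-user source 198.51.100.9 (one account, three attempts) is not flagged, which keeps ordinary typo retries out of the alert queue.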
The FBI alert included three different examples of compromised university account data:
- The FBI says it has observed Russian cybercriminal forums offering network credentials and virtual private network access to a multitude of identified US-based universities and colleges across the country. The bureau also says that these posts include screenshots as proof of access. As of January 2022, sites posting credentials for sale typically listed prices varying from a few dollars to many thousands of dollars.
- More than 36,000 email and password combinations - including some duplications - for email accounts ending in .edu were identified on an instant messaging platform in May 2021. The group posting the compromised data appeared to be involved in the trafficking of stolen login credentials and other cybercriminal activities, the FBI says.
- In 2020, US territory-based university accounts with around 2,000 unique usernames and accompanying passwords with the domain .edu were found for sale on the dark web. The FBI says that the seller asked for donations to be made to an identified bitcoin wallet. However, as of early 2022, the site containing the credentials was no longer accessible.
The FBI recommends that colleges, universities and all academic entities establish and maintain strong liaison relationships with the FBI Field Office in their region and keep all operating systems and software up to date.
"Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end-of-life (EOL) notifications, and prioritize patching known exploited vulnerabilities. Automate software security scanning and testing when possible," the FBI says.
The bureau also recommends implementing user training programs and phishing exercises for students and faculty to raise awareness about the risks of visiting suspicious websites, clicking on suspicious links and opening suspicious attachments.
The agency recommends multifactor authentication, preferably using phishing-resistant authenticators, especially for accounts that access critical systems, webmail, virtual private networks, and privileged accounts that manage backups.
In the first week of May, Kellogg Community College, which houses nearly 8,400 students across five campuses in Michigan, suspended classes at all its campuses owing to a ransomware attack by an unnamed threat actor (see: Update: KCC Resumes Operations Post-Ransomware Attack).
KCC has resumed operations but all its staff and students are mandated to reset passwords and set up multi-factor authentication to securely access the college's online systems.
Separately, BlackCat, aka Alphv, which is considered to be a rebrand of the DarkSide or BlackMatter ransomware group, also claimed to have targeted at least three universities. Two of them - the Florida International University and the North Carolina Agricultural and Technical State University - are based in the U.S. (see: Update: What's BlackCat Ransomware Been Up to Recently?).