The FBI has issued a warning that K-12 school cyberattacks could surge during the uptick in remote-learning due to the COVID-19 pandemic.

Hackers find school cyberattacks attractive for two important reasons. First, schools hold troves of sensitive student data and have minimal defense mechanisms. That makes them the low-hanging fruit of cyberattack targets. Second, short-staffed IT teams are likely making school cyberattacks easier.

School cyberattacks make the news regularly. For example, virtual classes at Selma, California, schools abruptly ended last Friday after malicious hackers targeted the school district with a ransomware attack. And cybercriminals are increasingly targeting North Carolina school districts.

To find out more about school cyberattacks, we spoke with Guy Propper, threat intelligence team leader at Deep Instinct.

Channel Futures: Why is remote learning prompting more school cyberattacks?

Guy Propper: The transformation to a hybrid learning environment or mostly digital learning environment will make schools more vulnerable and targeted in two ways.

Deep Instinct’s Guy Propper

They become more accessible and easier to compromise. With the sudden thrust from brick-and-mortar to virtual, VPN etc., outside access transformed from occasional use to mainstream. Since a lot of this access was from home networks and home machines, schools didn’t and don’t have any way of protecting those devices. This new attack pathway enables the attacker to silently access the network and cause vast amounts of damage before the school’s security team even notices. In the time that it takes for the ransomware to be detected, the damage to bottom lines could be worse and the recovery process even longer. This creates unparalleled opportunity for threat actors.

If a school’s network has been taken down due to a ransomware attack, in today’s circumstances it [means] that the school simply cannot function at all. That is intrinsically different than before COVID-19 where if a ransomware attack occurred, it may have caused a major disruption, but it didn’t inevitably mean that schools could not open and hold classes. And if you add to that the fact that governments have earmarked funds for school districts, this simply increases their exposure.

CF: What sort of damage can be inflicted by successful school cyberattacks?

GP: In the worst situation, a school could be forced to close its doors. However, the level of damage … is likely to be in line with the attacker’s objectives. Typically attackers have two main objectives when targeting schools.

The first is to gain access to the student information system, where the attacker’s goal is likely to acquire student data and perhaps change grades. Most students do not have established credit ratings, which makes their personal information especially valuable. The second target is the school’s network. By encrypting the entire network, schools can become completely nonfunctional. It’s this lack of focus and staffing that the threat actors are going to maximize.

In a ransomware attack, the damage is likely to be the high ransoms that schools will be coerced to pay. Attackers appear to be aware of the greater vulnerability that schools are in. And they aren’t hesitating to manipulate the situation to coerce schools to pay high ransom amounts to resume normalcy.

CF: What aren’t schools doing that they should be doing to protect themselves?

GP: First, backups of key systems need to be made [and] written in an encrypted format offsite.

Secondly, I cannot emphasize enough the importance of …

… building awareness of students, teachers — really any and all users. The weakest link in any organizational security structure is almost always the users.

Patch cycles must also be quicker and focus on systems with distributed access.

Having adequate endpoint protection systems in place is crucial. Unlike the corporate environment that may have heaps of money to spend on products and a large security operations center (SOC) team, schools should be focused on having solutions that prevent the widest possible range of attacks. There simply aren’t the time or resources available to investigate every incident that occurs. And endpoint protection really needs to be geared toward preventing those attacks from the outset.

CF: Are cybercriminals advancing their tactics for school cyberattacks? If so, how?

GP: As schools and universities increase their reliance on remote connection and access for teachers and students alike, they are also inadvertently expanding their threat surface by providing attackers with many more touch points which attackers can manipulate to gain access.

The main point of focus for ransomware is to target a network, replicate itself and cripple the organization. Remote learning provides the perfect opportunity for threat actors to install trojans and malware on machines being used by students and teachers that are not owned or protected by the school.

New Zealand Stock Exchange Attack

A series of distributed denial of service (DDoS) attacks halted trading on the New Zealand stock exchange (NZX) for four days last week.

NZX said it experienced DDoS attacks from overseas through its network service provider last Tuesday and Wednesday. Trading resumed on Friday.

Mark Kedgley is CTO at New Net Technologies. He said DDoS is a relatively simple attack to orchestrate since all public internet-facing websites and services are “sitting ducks.”

New Net Technologies’ Mark Kedgley

“The only solutions are to use content-distribution networks or web application firewall technology to filter out malicious traffic,” he said. “However, it remains an inherently difficult problem to mitigate.”

DDoS bot networks have been available as a cyber weapon-for-hire for many years now, Kedgley said. And this will continue to be a problem for any web-based services, anywhere in the world.

“Key to this is the fact that a DDoS attack can be monetized, both by the ‘bot wranglers’ running the botnet, and by the organized crime gangs holding businesses to ransom with a ‘your money or your web presence’ threat,” he said. “The problem is it that this is a classic security versus function paradox. There is an irreconcilable gap between providing protection against DDoS attacks while offering an accessible service, open to the internet.”

Brandon Hoffman is NetEnrich‘s CISO. The interesting part of DDoS attacks is almost always whom the target is, he said. An attack on a specific target means the attacker had a specific interest or outcome in mind, he said.

NetEnrich’s Brandon Hoffman

“In this case it could be to disrupt trading specifically in that market for some complex financial gambit,” he said. “It could have been to disrupt trading for a more global end game.”

At times, cybercriminals use DDoS attacks to distract, Hoffman said. Cybercriminals can use DDoS attacks to keep security personnel busy while data exfiltration or malware loading takes place.

“Certainly the notion of DDoS attacks will not go away,” he said. “It is a basic tool in the adversary kit, and provides significant …

… flexibility and ease of use, although limited in the direct outcome.”

Stephen Manley is Druva‘s chief technologist.

Druva’s Stephen Manley

“From a hacker’s perspective, local governments, schools and critical services are at their most vulnerable,” he said. “Due to the pandemic, these organizations have rapidly moved online, so they do not have full protection in place. Now that they are online, central services need to protect their users’ health, safety and sensitive data by securing their infrastructure against cyberattacks.”

OneLogin: Security and Online Voting

A new study of more than 1,000 registered voters by OneLogin shows 35% of voters are at least somewhat concerned about security or fraud when it comes to in-person voting. And 52% worry about it with regard to voting by mail.

The three biggest threats that voters see to having a fair election are:

Some 59% of voters believe online voting will be a reality in the next five years.

Brad Brooks is OneLogin’s president and CEO. He said the foundation of a secure online voting system is the ability to manage and authenticate voter identity. Most breaches occur due to poor password practices and stolen credentials; therefore, ensuring secure access is critical to enabling online voting in any capacity, he said.

OneLogin’s Brad Brooks

“We have a very antiquated way of approaching voting right now and it has become necessary that we update our methodology,” he said. “By responsibly taking voting online, we could eliminate concerns regarding polling locations, workforce hours, onsite voter intimidation, inefficiencies in the postal system along with many other issues that we face during an election.”

Before online voting is implemented, a digital ID needs to be issued by the government at the state level, Brooks said.

“The European Union did this and now has three levels of ID verification,” he said. “It’s important to note that unless digital IDs can be made available to underrepresented communities, the same challenges we face now are going to exist later.”

Successful online voting is going to require a partnership between state legislatures, society and tech companies, Brooks said.

“This type of partnership will definitely provide opportunities for MSSPs and other cybersecurity providers,” he said. “The diversity of multiple service providers based on a common standard lowers the states’ cost to bid from a marketplace of suppliers. And competition means security approaches will need to maintain the latest technology.”

Infrascale: Limit the Damage of Ransomware

Ransomware is on the rise and shows no signs of slowing down. The global cost of damages due to ransomware attacks should reach $20 billion by the end of 2021.

Infrascale has compiled a list of tips for organizations that may be compromised by ransomware:

Brian Khun is Infrascale’s COO. He said not being ready in the first place is a common mistake. That includes the preventative steps of antivirus protection, team education, and having a recovery plan and testing the plan.

Also, paying the ransom without performing some forensics/analysis is a mistake, he said. Take a photo/screen capture of the ransomware and consult with an expert. Then the expert can help identify the ransomware and determine whether it can be defeated.

In addition, it’s important to understand whether the issue is encrypting ransomware or screen-locking ransomware, Khun said. If it’s screen-locking ransomware, the situation may be more easily remedied.

Infrascale’s Brian Khun

“Contain the ransomware as quickly as possible,” he said. “Don’t allow the ransomware to come back. Ransomware is a virus. Reinfections happen unless you take precaution.”

Infrascale research shows almost a third of SMBs have limited time to research ransomware mitigation solutions, Khun said. The same share also said that they don’t have the proper IT resources in place to address ransomware threats.

“MSPs can assist by handling heavy lifting around ransomware protection, education, implementation and setup,” he said. “Most importantly, they can help establish the best countermeasures — antivirus, endpoint security, and a great backup and recovery solution.”