Educational institution networks continue to be a favorite playground for cybercriminals. Because of the age and interests of the majority of educational users, these networks tend to incorporate cutting-edge technologies and strategies. At the same time, those students also tend to push hard against network restrictions, looking for workarounds to access data and applications that IT administrators may have restricted. In the process, a disproportionate number of users cut their teeth on things like hacking.
In the first half of 2017, the education sector accounted for 13 percent of data breaches, resulting in the compromise of around 32 million records. Although educational institutions may not seem as wealthy or as target-rich as healthcare organizations or private businesses, they in fact house a great deal of sensitive personal and financial information, as well as valuable proprietary research data. But cybercriminals are attracted to these environments for more than just the PII they can steal. Many schools now conduct cyber research, and can be a gold mine of information on vulnerabilities, exploits, breaches, and techniques. And where do you think the majority of cybercriminals learned to do what they do in the first place?
As a result, in many ways these networks are a canary in the coal mine for cybersecurity that we should all be paying attention to.
The IT teams responsible for protecting these environments have to be at the top of their game as well. The sheer numbers of computers and devices connecting to their networks, whether in classrooms, administrative offices, research labs, or those brought by students, coupled with legal mandates to protect these students, guarantee that the battle against cyberthreats is something that education sector security professionals need to take seriously. But knowing where to focus limited security resources isn’t easy.
In an effort to help education-industry security professionals in their efforts to protect their environments from malicious intrusions and data breaches, FortiGuard Labs, Fortinet’s threat intelligence organization, has provided a quick rundown on nine of the newest, most frequently encountered, and most dangerous threats currently active in the education sector.
- The ZeroAccess botnet is Trojan horse malware that affects Microsoft Windows operating systems. It is used to download other malware onto an infected machine via a botnet that had previously been associated with bitcoin mining and click fraud. It is designed to remain hidden on targeted systems using rootkit techniques.
- The Andromeda botnet, also known as Gamarue, is an HTTP-based botnet first spotted in late 2011, and it has been observed to drop other malware, such as ZeuS, Torpig, and Fareit, onto infected systems. As a modular bot, Andromeda consists simply of a loader that downloads modules and updates from its command and control (C&C) server during execution. The loader has both anti-virtual-machine and anti-debug features. It injects itself into otherwise trusted processes to hide, and then deletes the original bot. The bot often hibernates for days to months between communications with its C&C server, making it difficult to detect or to learn what kind of malicious traffic travels between an infected system and the C&C server.
- The new Mirai Botnet looks suspiciously like another Mirai variant. That’s because while the authors of the Mirai botnet were eventually caught, it was not before they made their code public, so we will probably continue to see variants of this attack for the foreseeable future. This particular malware attacks Huawei network gear and aims to create botnets. It’s interesting that the Mirai malware platform continues to be used for integrating various other malware packages and attack vectors.
- The W32/MS04028.fam! exploit is classified as malware that uses a known Windows XP vulnerability. This particular exploit leverages a buffer overrun in the Graphics Device Interface (GDI) processing library in Windows XP, allowing malicious code execution that appears authorized by the current user of the system. W32/MS04028.fam! should have faded out years ago, but it remains a force to be reckoned with because many educational institutions still use legacy applications that only run on Windows XP.
- The W32/StartPage.NIK!tr malware arrives as a .CAB file, which is a Windows format for self-contained installable software such as device drivers or system files. Although this malware is almost three years old, we are still seeing it target educational institutions worldwide.
- Riskware/BitCoinMiner93EA malware is used to mine bitcoins by stealing unused CPU cycles from an infected computer. It was initially observed on December 10, 2017. Unauthorized bitcoin mining appropriates a computer's processing, communications, and file resources to perform the blockchain operations that maintain the public ledger of bitcoin transactions. These can consume extreme amounts of computing power and electricity – the computing equivalent of illegally siphoning gasoline from a car.
- Bash.Function.Definitions.Remote.Code.Execution is another name for the Shellshock vulnerability. It allows for remote code execution when exploited. The most likely avenue for this attack involves an attacker crafting the parameters of an HTTP request to a web server that uses the Common Gateway Interface (CGI). An attacker could exploit web servers that run Bash shell scripts to inject malicious code into the server's memory and processing resources.
- Apache.Tomcat.Arbitrary.JSP.file.Upload indicates an attack attempt against a code execution vulnerability in the Apache Tomcat Java language support software that is installed on millions of computers. The successful exploitation of this vulnerability could lead to a full system compromise by an attacker.
- Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution is another attack seeking to exploit a remote code execution vulnerability in the Apache Struts application framework. It should be noted that this is the vulnerability that was notoriously used to compromise Equifax. A remote attacker may be able to exploit this vulnerability to execute arbitrary malicious code within the context of an otherwise trusted application. As with the Apache Tomcat vulnerability listed above, this exploit could lead to a full system compromise.
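The Shellshock entry above describes the attack path in a sentence: a crafted HTTP header reaches a CGI script, CGI copies it into an environment variable, and an unpatched Bash executes the function body that follows `() {`. The detector below is an added example written for this post, not Fortinet's signature or code; it parses constructed sample requests (the domain and header values are made up) and flags any header whose value carries the Bash function-definition prefix, which is what the IPS signature named above is looking for.

```python
import re
from typing import Dict, List

# Shellshock: Bash's function-import parser treated any environment variable
# whose value began with "() {" as a function definition and ran the commands
# that followed the closing brace. CGI copies request headers verbatim into
# HTTP_* environment variables, which is how a crafted header reached Bash.
FUNCTION_DEF_RE = re.compile(r"^\s*\(\s*\)\s*\{")

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP request into a {header-name: value} dict (body ignored)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]          # drop the request line
    headers: Dict[str, str] = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers

def find_shellshock(raw_request: str) -> List[str]:
    """Return the names of headers whose value starts with a Bash function definition."""
    return [name for name, value in parse_headers(raw_request).items()
            if FUNCTION_DEF_RE.match(value)]

# Constructed sample traffic (not real captures). The probe string is the same
# harmless "echo" form used to self-test a host for the bug; the detector keys
# on the "() {" prefix, so it does not depend on which command follows it.
BENIGN_REQUEST = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: www.example.edu\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Accept: text/html\r\n\r\n"
)
PROBE_REQUEST = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: www.example.edu\r\n"
    "User-Agent: () { :;}; /bin/echo shellshock-probe\r\n"
    "Referer: () { :; }; /bin/echo second-header\r\n"
    "Accept: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("probe", PROBE_REQUEST)):
        print(label, "->", find_shellshock(req) or "clean")
```

Headers are only one route into the CGI environment; a production check would apply the same pattern to the decoded query string and any other request fields the server exports to the script.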
I’ll admit that the above information gets very technical, very fast. But it’s easy to read between the lines to understand how savvy adversaries have become at discovering and exploiting every weakness inadvertently designed into computing devices of all kinds. It is also clear how far these attacks go to evade the conventional cybersecurity countermeasures meant to detect and defeat them. It really does require constant vigilance and expertise to keep pace with the new and innovative threats that appear every day.
Since educational institutions face unique security challenges ranging from tight budgets, to astonishing numbers of BYOD devices, to e-learning initiatives, Fortinet works with education-industry customers to find the right solutions for their unique digital requirements. The challenge for all of us in the cybersecurity space, however, is that these attacks are not limited to educational networks. Once refined, they will soon be coming to a network near you.
This is why all organizations, not just educational environments, require high-performance, comprehensive security offerings designed to work together for easy management and faster response. Fortinet solutions are designed to let you reduce complexity and protect users without compromising network performance.
Visit our education sector solutions page for more information.
You can read other important threat landscape takeaways in our Global Threat Landscape Report. Also, view our video summarizing valuable data points from our most recent report.
Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.
This byline originally appeared in CSO.