The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory to K-12 schools warning that cyber actors are conducting targeted attacks on distance learning education.
Cyber actors are attempting to disrupt distance learning services, gain access to sensitive data, and conduct ransomware attacks. CISA, the FBI, and MS-ISAC have received reports from several K-12 schools that have been attacked and have experienced disruption to their distance learning efforts.
Several schools have reported being attacked with ransomware, which has prevented access to the systems that support distance learning. As with attacks on businesses and industry, confidential data has been stolen prior to file encryption, and the attackers have threatened to publicly release the stolen student data if the ransom is not paid.
MS-ISAC said that from January to July 2020, 28% of all reported ransomware attacks were on K-12 schools, but the percentage increased to 57% at the start of the school year. The most common strains of ransomware used in the attacks were Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.
Malware is also being used in attacks on K-12 schools, with the two most common strains being ZeuS and Shlayer. ZeuS is an information stealer and Shlayer is a downloader and dropper of macOS malware. The malware is commonly delivered via attacker-controlled websites, often through malicious adverts on legitimate websites that claim Adobe Flash needs to be updated. A range of other information stealers, Remote Access Trojans, and cryptocurrency miners have also been used in cyberattacks on K-12 schools.
Distributed denial-of-service (DDoS) attacks are being conducted that prevent access to distance learning services, and multiple reports have been received of disruption to live video-conferenced classroom sessions. Often referred to as Zoom-bombing, this attack is achieved by tricking hosts into accepting individuals into class sessions, or by using publicly available links and links that students have shared with outside users. In these attacks, teachers and students have been harassed and obscene and violent images and videos have been displayed.
Phishing attacks also commonly target students, teachers, IT staff, and others involved in distance learning. These attacks are conducted to obtain sensitive information for identity theft and fraud, to steal login credentials that allow remote access to email accounts and other systems, and to distribute malware, either directly through malicious attachments or via links to malicious websites. Cyber actors have also been observed exploiting exposed Remote Desktop Protocol (RDP) services to gain access to networks in order to manually deploy ransomware.
The advisory includes mitigations that can be implemented to improve security and prevent these attacks from succeeding. For the most part they are cybersecurity best practices that are easy for K-12 schools to implement and should be sufficient to block all but the most determined hackers. The measures include implementing anti-virus and anti-malware solutions and configuring them to update automatically, using multi-factor authentication on accounts whenever possible, setting strong, unique passwords, and disabling ports that are not needed.
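The two preceding paragraphs mention exposed RDP services and the recommendation to disable ports that are not needed. The Python script below is an added example, not code from the advisory or from this article: it parses the layout of Linux `ss -tln` output, compares every listening TCP socket against an allow-list of services the host actually needs, and rates a finding higher when the socket is bound to all interfaces rather than a single one. The sample output and the allow-list are constructed for a hypothetical school web host and are not captured from any real system.

```python
"""Audit listening TCP sockets against an allow-list of needed services.

Added example: flags listeners such as RDP (3389) or SMB (445) that are
exposed on all interfaces and are not on the list of ports the host needs.
"""
import re
from dataclasses import dataclass

# Constructed sample in the column layout of `ss -tln`; not from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:3389         0.0.0.0:*
LISTEN  0       50      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:445             [::]:*
LISTEN  0       128     192.168.10.5:8080    0.0.0.0:*
"""

# Hypothetical allow-list for a school web/LMS host: port -> why it is needed.
ALLOWED_PORTS = {22: "administrative SSH", 443: "HTTPS for the learning platform"}

# Well-known service names, used only to make findings readable.
PORT_NAMES = {445: "SMB", 3306: "MySQL", 3389: "RDP", 8080: "HTTP-alt"}

# Matches a LISTEN row and captures the "Local Address:Port" column.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    @property
    def scope(self) -> str:
        """Classify how widely the socket is reachable from its bind address."""
        if self.address in ("0.0.0.0", "::", "*"):
            return "all-interfaces"
        if self.address in ("127.0.0.1", "::1"):
            return "loopback"
        return "single-interface"


def parse_listeners(ss_output: str) -> list[Listener]:
    """Turn `ss -tln` text into Listener records, skipping the header."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header row or a non-LISTEN line
        addr, _, port = m.group("local").rpartition(":")
        addr = addr.strip("[]")  # IPv6 sockets appear as [::]:445
        listeners.append(Listener(addr or "*", int(port)))
    return listeners


def audit(listeners: list[Listener], allowed=ALLOWED_PORTS) -> list[str]:
    """Report listeners that are neither allow-listed nor loopback-only."""
    findings = []
    for lst in listeners:
        if lst.port in allowed or lst.scope == "loopback":
            continue
        name = PORT_NAMES.get(lst.port, f"port {lst.port}")
        severity = "HIGH" if lst.scope == "all-interfaces" else "MEDIUM"
        findings.append(
            f"{severity}: {name} ({lst.address}:{lst.port}) listening on "
            f"{lst.scope}, not in allow-list"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(finding)
```

On the constructed sample this reports RDP and SMB as HIGH (bound to every interface) and the 8080 listener as MEDIUM, while the loopback-only MySQL socket and the allow-listed SSH and HTTPS ports produce no finding. The same allow-list approach applies to a Windows host using `netstat -an`, but the parser above is written for the `ss` column layout only.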