U.S. agencies are warning of an increase in ransomware attacks against the K-12 education sector, singling out a relatively new threat actor that has been observed disproportionately targeting school systems as they welcome students back into their buildings.
That threat actor is Vice Society—an intrusion, exfiltration and extortion hacking group that first appeared in summer 2021, according to a joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center.
Ransomware attacks against the education sector have increased in recent years, but the agencies call attention to Vice Society, which has been “disproportionately targeting the education sector” with its ransomware attacks.
Ransomware attacks on schools can be extremely disruptive, cutting off access to data, delaying exams and exposing personal information. In some cases, school days have even been cancelled. The agencies say school districts should be on the lookout as the school year progresses and hacking groups perceive opportunities for successful attacks, especially against public school systems with limited IT and security capabilities.
The advisory comes after several news reports suggesting K-12 institutions have been hit with cyberattacks, including the Los Angeles Unified School District, the second largest school district in the country.
Although not yet attributed to any specific group, the school district said it was hit with ransomware over this past weekend, reporting trouble accessing email servers and other systems. However, the district said it resumed normal operations on Tuesday.
How Vice Society attacks school districts
According to the agencies, Vice Society actors do not use a unique ransomware variant, opting to deploy versions of Hello Kitty/Five Hands and Zeppelin ransomware.
Initial access is likely obtained through compromised credentials for internet-facing applications. Once in, Vice Society actors spend time learning about the victim and identifying opportunities to increase access and exfiltrate data for double extortion to help convince the victim to pay the ransom.
Like other threat actors, Vice Society uses a wide variety of legitimate IT tools, including SystemBC, PowerShell Empire and Cobalt Strike, to move laterally and gain further access. They also use “living-off-the-land” techniques, targeting the Windows Management Instrumentation service and tainting shared content.
Other actions observed include exploiting the PrintNightmare vulnerability in Windows Print Spooler to escalate privileges and leveraging scheduled tasks, creating undocumented AutoStart Registry keys and pointing legitimate services to their custom malicious dynamic link libraries through DLL side-loading to maintain persistence.
In addition, Vice Society disguises its malware and tools as legitimate files to evade detection, and likely uses evasion techniques to defeat automated dynamic analysis.
According to the agencies, Vice Society actors have also been observed escalating privileges, gaining domain admin access and running scripts to change the passwords of their victim’s network accounts, locking the victim out and keeping them from stopping the unauthorized activity.
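The mass password change described above leaves a distinctive trail in the Windows Security log. As an added example (not from the advisory or the article), this Python script runs over a constructed sample of event 4724 records and flags any account that resets the passwords of many distinct accounts inside a short window, which a help desk rarely does but a lockout script always does. The event field names follow the 4724 schema; the account names and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security records for event ID 4724
# ("An attempt was made to reset an account's password"). "subject" is the
# account performing the reset, "target" the account whose password changed.
# Names and timestamps are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2022-09-06T02:14:03", "id": 4724, "subject": "svc_backup", "target": "alice"},
    {"ts": "2022-09-06T02:14:04", "id": 4724, "subject": "svc_backup", "target": "bob"},
    {"ts": "2022-09-06T02:14:04", "id": 4724, "subject": "svc_backup", "target": "carol"},
    {"ts": "2022-09-06T02:14:05", "id": 4724, "subject": "svc_backup", "target": "dave"},
    {"ts": "2022-09-06T02:14:06", "id": 4724, "subject": "svc_backup", "target": "erin"},
    {"ts": "2022-09-06T02:14:07", "id": 4724, "subject": "svc_backup", "target": "frank"},
    {"ts": "2022-09-06T09:30:00", "id": 4724, "subject": "helpdesk1", "target": "grace"},
    {"ts": "2022-09-06T14:05:12", "id": 4724, "subject": "helpdesk1", "target": "heidi"},
    {"ts": "2022-09-06T14:06:00", "id": 4720, "subject": "helpdesk1", "target": "ivan"},
]


def mass_password_resets(events, threshold=5, window=timedelta(minutes=10)):
    """Return {subject: sorted targets} for every subject account that reset the
    passwords of at least `threshold` distinct accounts inside any `window`.

    A help desk resets a handful of passwords spread over a day; a script that
    locks defenders out of their own accounts resets dozens in seconds.
    """
    by_subject = defaultdict(list)
    for e in events:
        if e["id"] == 4724:  # ignore other event IDs in the same feed
            by_subject[e["subject"]].append((datetime.fromisoformat(e["ts"]), e["target"]))

    hits = {}
    for subject, resets in by_subject.items():
        resets.sort()  # the sliding window needs chronological order
        lo = 0
        for hi in range(len(resets)):
            while resets[hi][0] - resets[lo][0] > window:
                lo += 1  # drop resets that fell out of the window
            targets = {t for _, t in resets[lo:hi + 1]}
            if len(targets) >= threshold:
                hits.setdefault(subject, set()).update(targets)
    return {s: sorted(t) for s, t in hits.items()}


if __name__ == "__main__":
    for subject, targets in mass_password_resets(SAMPLE_EVENTS).items():
        print(f"ALERT: {subject} reset {len(targets)} accounts: {', '.join(targets)}")
```

Pair this with an alert on event 4740 (account lockout) spikes and with break-glass admin accounts kept out of any script's reach, so the response team still has a way in.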
Satnam Narang, a senior staff research engineer at vulnerability scanning provider Tenable, says Vice Society—like most modern ransomware groups—operates as a ransomware-as-a-service (RaaS) model in which they split profits with affiliates tasked with gaining initial access into victim networks.
However, one common element among the group’s affiliates is the exploitation of vulnerabilities in public-facing applications.
“This is a broad category, but we know that many affiliates target newly disclosed vulnerabilities in applications like VPNs, collaboration software, as well as email servers,” Narang says. “Additionally, these affiliates may leverage compromised valid account details that were obtained either through exploiting vulnerabilities, purchased from underground forums or sold by initial access brokers.”
Narang also highlights the use of the PrintNightmare vulnerabilities to elevate privileges, which can lead to an expanded attack surface and remote code execution.
What education IT and security admins should do now
The agencies suggest network defenders—especially those working in K-12 education—take a variety of measures to prevent such attacks, including taking necessary preparations and forming response plans, securing identity and access management, taking protective measures and hardening network architecture, and keeping robust vulnerability and configuration management programs.
Victims are urged to share any information with federal agencies, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Here is the full list of recommended actions, per the advisory:
Preparing for Cyber Incidents
- Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures it will not be severely interrupted or left with only irretrievable data.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Ensure your backup data is not already infected.
- Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
- Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
- Document and monitor external remote connections. Organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
Identity and Access Management
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies:
  - Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
  - Store passwords in hashed format using industry-recognized password managers;
  - Add password user “salts” to shared login credentials;
  - Avoid reusing passwords;
  - Implement multiple failed login attempt account lockouts;
  - Disable password “hints”;
  - Refrain from requiring password changes more frequently than once per year unless a password is known or suspected to be compromised.
  Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software.
- Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Protective Controls and Architecture
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
- Install, regularly update, and enable real time detection for antivirus software on all hosts.
- Secure and closely monitor remote desktop protocol (RDP) use.
- Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. If RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
Vulnerability and Configuration Management
- Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should prioritize patching of vulnerabilities on CISA’s Known Exploited Vulnerabilities
- Disable unused
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
- Ensure devices are properly configured and that security features are enabled.
- Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389).
- Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary, and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
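The lockout and RDP-log items above (failed-login lockouts, monitoring remote access/RDP logs, blocking brute-force campaigns) can be backed by detection logic. As an added example that is not part of the advisory or the article, this Python script groups constructed Windows Security 4625 failed-logon records by source address and distinguishes a brute-force run against one account from password spraying across many accounts, which a per-account lockout threshold never trips. Addresses come from the documentation ranges; user names and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4625 ("An account failed to log on")
# records. LogonType 10 is RemoteInteractive (RDP); when Network Level
# Authentication is enabled, failed RDP attempts are logged as type 3 instead.
# Addresses are from the documentation ranges; users and times are invented.
SAMPLE_4625 = [
    {"ts": f"2022-09-06T01:00:{s:02d}", "id": 4625, "ip": "203.0.113.7",
     "user": "administrator", "logon_type": 3}
    for s in range(0, 40, 5)  # 8 failures against one account in 35 seconds
] + [
    {"ts": f"2022-09-06T01:10:{s:02d}", "id": 4625, "ip": "198.51.100.9",
     "user": u, "logon_type": 10}
    for s, u in zip(range(0, 50, 10), ["alice", "bob", "carol", "dave", "erin"])
] + [  # a single typo from an internal host: no alert expected
    {"ts": "2022-09-06T08:02:11", "id": 4625, "ip": "192.0.2.5",
     "user": "frank", "logon_type": 10},
]


def detect_logon_abuse(events, window=timedelta(minutes=5), max_failures=5, spray_users=3):
    """Return {source_ip: alert} for every source with at least `max_failures`
    failed logons inside any `window`. The alert is a "password_spray" when the
    failures touch at least `spray_users` distinct accounts (one guess per
    account stays under lockout thresholds), otherwise "brute_force"."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_ip[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            span = attempts[lo:hi + 1]
            if len(span) >= max_failures:
                users = {u for _, u in span}
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                prev = alerts.get(ip)
                if prev is None or len(span) > prev["failures"]:  # keep the busiest window
                    alerts[ip] = {"failures": len(span), "users": sorted(users), "kind": kind}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_logon_abuse(SAMPLE_4625).items():
        print(f"ALERT {alert['kind']}: {ip} {alert['failures']} failures on {alert['users']}")
```

Tune `max_failures` to the domain lockout threshold so the alert fires on the same burst the lockout would, and keep the spray rule separate because it is the case the lockout policy alone misses.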