FBI warns of education sector credentials on dark web forums
The FBI warns of education sector credentials being placed for sale on the dark web. We take a look at the risks involved.
This post appeared first on Malwarebytes Labs.
The FBI is warning academics to be on their guard, as an embattled education sector continues to experience attacks and breaches, with data spilling onto the so-called dark web. The government agency’s Private Industry Notification [PDF] cites US academic credentials up for grabs from a variety of sources.
A stepping stone to compromise
From the summary:
The FBI is informing academic partners of identified US college and university credentials advertised for sale on online criminal marketplaces and publicly accessible forums. This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations.
Data for sale is not unusual. Phishing, social engineering, and credential stuffing are often the end result. Dumps of education/university data can offer specific inroads into campus networks, or enable further harvesting of student and employee credentials or personal information. Additionally, the FBI warns:
If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.
A wide range of data possibilities
Private sites and regular forums aren’t the only cause for concern. The FBI also observed data sitting on instant messaging platforms. Some of their findings:
- Late 2020: 2,000 unique username/password .edu combinations were up for sale on the dark web. Payment for this was made via donations to an unspecified Bitcoin wallet.
- May 2021: Over 36,000 email/password combinations for .edu addresses were observed on a “publicly available instant messaging platform.” This apparently fed into other unnamed illegal activities.
- January 2022: “Russian cyber criminal forums” were offering network and VPN credentials, both for sale and free to access. Screenshots showing the attacker’s proof of access are common on portals such as this. Prices of stolen accounts ranged from “a few to multiple thousands of US dollars.”
Keeping the education sector safe: an uphill struggle
This warning comes at a time of sustained cyber attacks in and around education. Last year, the FBI warned of an increase in ransomware targeting institutions. Sure enough, in 2022 we’ve seen colleges close down and data lost. There are also constant concerns over cyber security funding to contend with.
The FBI recommends colleges, universities, and other academic entities establish and maintain strong relationships with the FBI field office in their region, along with observing the various mitigation strategies in their notification alert. We expect to see more data dumps and breaches over the coming months, but hopefully careful observation of security procedures and mitigations will make a dent in some criminals’ plans.
Tips from the FBI
- Keep operating systems up to date, and patch in a timely fashion. Beware of End of Life (EOL) support for systems and applications.
- Implement user training to reduce the risk of phishing and social engineering.
- Use strong passwords, avoid password reuse, and establish lock-out rules for incorrect attempts.
- Encourage the use of multifactor authentication (MFA) for as many services as possible, including webmail, VPN, and critical systems.
- Reduce credential exposure by restricting where accounts can be used alongside local device credential protection features.
- Segment networks to help prevent spread of malware and unauthorized access.
- Automate security scanning, and use monitoring tools to help identify network abnormalities and compromise attempts.
- Secure and closely monitor remote desktop protocol (RDP) use, alongside restricting login attempts and using additional authentication measures for logging in remotely.
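Two of the tips above (lock-out rules for incorrect attempts, and monitoring tools that spot compromise attempts) are what stops a leaked .edu credential dump from being turned into campus access through credential stuffing. The script below is an added example written for this post, not code from the FBI notification or from Malwarebytes; the log line format, the sample log, the IP addresses and the thresholds are all constructed for illustration. It shows why the two rules complement each other: a per-account lockout catches a user who keeps mistyping a password, but a credential-stuffing run from a leaked dump tries each account only once and never trips it, so a per-source rule that counts distinct accounts tried from one address in a short window is needed as well. Any account that logged in successfully from a flagged source is then reported for a forced password reset and MFA enrolment.

```python
"""Credential-stuffing detection over authentication logs (constructed example).

Two checks modelled on the FBI mitigation tips:
  1. lockout_candidates: per-account lockout after repeated failures in a window.
  2. spraying_sources: per-source anomaly, one IP trying many distinct accounts.
The log format below is hypothetical: "<ISO timestamp> <src_ip> <user> <SUCCESS|FAIL>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+@\S+) (SUCCESS|FAIL)$")

# Constructed sample: 203.0.113.7 tries nine different accounts once each (one
# leaked password still works); alice mistypes her password five times from her
# own address; carol logs in normally.
SAMPLE_LOG = """\
2022-05-27T08:00:01 203.0.113.7 u01@example.edu FAIL
2022-05-27T08:00:03 203.0.113.7 u02@example.edu FAIL
2022-05-27T08:00:05 203.0.113.7 u03@example.edu SUCCESS
2022-05-27T08:00:07 203.0.113.7 u04@example.edu FAIL
2022-05-27T08:00:09 203.0.113.7 u05@example.edu FAIL
2022-05-27T08:00:11 203.0.113.7 u06@example.edu FAIL
2022-05-27T08:00:13 203.0.113.7 u07@example.edu FAIL
2022-05-27T08:00:15 203.0.113.7 u08@example.edu FAIL
2022-05-27T08:00:17 203.0.113.7 u09@example.edu FAIL
2022-05-27T08:10:00 198.51.100.4 alice@example.edu FAIL
2022-05-27T08:10:20 198.51.100.4 alice@example.edu FAIL
2022-05-27T08:10:40 198.51.100.4 alice@example.edu FAIL
2022-05-27T08:11:00 198.51.100.4 alice@example.edu FAIL
2022-05-27T08:11:20 198.51.100.4 alice@example.edu FAIL
2022-05-27T09:00:00 192.0.2.10 carol@example.edu SUCCESS
"""


def parse(text):
    """Parse log text into (timestamp, src_ip, user, outcome) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def lockout_candidates(events, max_failures=5, window=timedelta(minutes=10)):
    """Accounts with max_failures or more failed logins inside a sliding window.

    A successful login resets the counter, mirroring a typical lockout policy.
    """
    recent_fails = defaultdict(list)
    locked = set()
    for ts, _ip, user, outcome in sorted(events):
        if outcome == "SUCCESS":
            recent_fails[user].clear()
            continue
        q = recent_fails[user]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than the window
            q.pop(0)
        if len(q) >= max_failures:
            locked.add(user)
    return locked


def spraying_sources(events, min_accounts=8, window=timedelta(minutes=10)):
    """Source IPs that attempt at least min_accounts distinct users within a window.

    Returns {ip: peak distinct accounts seen in any window}. Outcome is ignored:
    a stuffing run is visible even if most attempts fail.
    """
    per_ip = defaultdict(list)
    for ts, ip, user, _outcome in events:
        per_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        peak = 0
        for i, (start, _user) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            peak = max(peak, len(users))
        if peak >= min_accounts:
            flagged[ip] = peak
    return flagged


def successes_from_flagged_sources(events, flagged_ips):
    """Accounts that authenticated successfully from a flagged source: reset + MFA candidates."""
    return {user for _ts, ip, user, outcome in events
            if outcome == "SUCCESS" and ip in flagged_ips}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    locked = lockout_candidates(evts)
    sources = spraying_sources(evts)
    compromised = successes_from_flagged_sources(evts, sources)
    print("Lockout candidates:", sorted(locked))
    print("Spraying sources:", sources)
    print("Force reset + MFA:", sorted(compromised))
```

Run as-is it reports alice@example.edu as the only lockout candidate, flags 203.0.113.7 for touching nine accounts in ten minutes, and lists u03@example.edu as the account that needs a reset. Note that the lockout rule alone would have missed the stuffing run entirely, which is the point the two FBI tips make together.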