Educational Institutes are easy prey for hackers to compromise and covertly launch Cyber Attacks/Malicious Campaigns under the hood, without divulging their real identity. This is majorly due to the reckless attitude of IT Administrators towards their Network Assets, as the software programs (which are being used in production) need to undergo several patches/updates to mitigate any exposed risk.

Image: School of Villains by Naolito | Source: DeviantArt

Here, we are going to discuss each Threat Vector where Educational Institutes are being targeted and used for possible malicious campaigns or exploitation.

DATABASE TRADING

It is notable that there is a significant rise of “Database Trading” detected on various underground hacking forums or DarkNet Marketplaces during this pandemic (COVID-19). The [ ] and [ ] are bagging huge amounts (in the form of Cryptocurrency) into their Hot or Cold wallets.

Screenshot: Compromised databases (University/Schools) being sold on different underground forums
Screenshot: Student Record of Brazil advertised in Raid Forum
Screenshot: Compromised FTP Servers of Academic Sites

The above-listed screenshots are just an example to back the statement that Database Trading is happening at large (if you note the Timestamps), and sometimes such data is distributed for free on these communities.

It is also important to note that Online Educational Platforms are being targeted on a continual basis. One of the largest breaches was the compromise of the Online learning Platform “Unacademy”, which got hacked and was put up for sale on a Dark Web Marketplace in May 2020.

Screenshot: Unacademy for $2,000 consisting of 22M Userbase, advertised in Empire Market

Note: The Empire Market (Dark Web Marketplace) exit scammed in August 2020, after standing for 3 years.

Another Indian Tutor website, “Vedantu”, observed a data breach in 2019, exposing ~700K Student/Tutor Records.

EDUCATIONAL INFRASTRUCTURE FOR SALE

It is common to find vulnerable/open systems (Academic Infra) among the listings alongside other compromised servers in the Cyber Criminal Black Markets, but uncommon for the general public. Adversaries gain access to such systems using various methods like Spear Phishing Emails, Open RDP Access, Unprotected Elastic Servers, etc. It is a common practice among criminals to conceal their presence (in the victim environment) after compromising the targeted systems, keeping a backdoor for extended network access (commonly called Lateral Movement) in order to sell the same on various Marketplaces. Some of the smooth offerings made in this arena are:-

> Webmail CPanel Access
> Microsoft Webmail O365 Access

Screenshot: CPanel Access of various Educational Institutes across the globe
Screenshot: Microsoft O365 Domain Accounts for Sale

While offering these offensive services, it is remarkable that the hackers/adversaries are redefining their rules of etiquette by providing proof of the legitimacy of the sources, like whether the listed assets are in working condition, hence showcasing a professional line. The timestamps prove that the listed hacked accounts are recent, which again amplifies the trust factor for the Exploit Seekers.

Outcome: Once the actor gains access to the University Infrastructure (such as Email), the same can be used to launch Spear Phishing Email Campaigns against any entity, as Educational Domains are (generally) not included in any Blacklist, hence clearing the initial level of defense (traffic from blacklisted IPs is usually blocked). This can also be used for Impersonation Attacks, hence leveraging access to any restricted system (which is defined via admin policies).

DOMAIN LIST OFFERING [.EDU]

Another kind of novel threat to the Academic Domain is the selling of large Educational Domain lists, which narrows down the effort of hackers to find vulnerable systems.
Screenshot: Domain Sale

Once identified, the actor can scan the targeted network, look for unsecured Ports/Services, mirror the website, exploit the weaknesses (in case of unpatched systems), gain unauthorized access, stealthily integrate it into a Bot Army (Botnet), launch DDoS and any imaginable Cyber Destruction.

Note: This threat is not only pertaining to the Educational domain, but also affects other TLDs and Country-Specific TLDs.

CREDENTIAL LEAK FROM EDU-PLATFORMS

There are ample Credential leaks for Online Educational Platforms (or MOOCs) surfacing on the Deep Web, captured by various methods such as Keylogging, Spyware Activity, Running Malicious Stealthy Programs, etc., and shared on various Deep Web channels. Below is a list of Email-Password combinations of Udemy Accounts which appeared on a Turkish forum:-

Screenshot: Udemy Accounts listed for free

Here is another listing of Username-Password Combos for Code Academy Accounts found on an individual blog:-

Screenshot: CodeAcademy Account Credentials

It is notable that the passwords are in plain-text, which would facilitate adversaries to launch a Password-Spraying Attack on various digital platforms of the targeted individual. There are various dedicated checker programs available for each Educational Platform such as Udemy, CodeAcademy, Coursera, etc.

Screenshot: Checker Program found for Code Academy

Note: Checker Programs are used by attackers to launch Brute Force logins on multiple platforms to check whether the acquired credentials are in working state or not.

Similarly, there are various cracked Academic Programs which are offered for cheaper prices on the Underground Dark Web Marketplaces.

Screenshot: Premium Courses offered at cheaper prices

As the education is provided for cheaper or free, it can be considered a Robin Hood Act, but cracking into personal accounts is not justifiable.
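As an added defender-side illustration (not part of the original article), the following Python script shows what a checker or Password-Spraying run against a campus login service looks like in authentication logs and flags it: one source address failing against many distinct accounts inside a short window, as opposed to a single user retrying their own password. The log format, addresses and account names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). The first
# source address fails once against many different accounts inside a short
# window, the shape a checker/spraying tool leaves behind; the second is an
# ordinary user mistyping a password and then logging in.
SAMPLE_LOG = """\
2020-09-01T10:00:01Z ip=203.0.113.7 user=alice@example.edu result=fail
2020-09-01T10:00:03Z ip=203.0.113.7 user=bob@example.edu result=fail
2020-09-01T10:00:05Z ip=203.0.113.7 user=carol@example.edu result=fail
2020-09-01T10:00:07Z ip=203.0.113.7 user=dave@example.edu result=fail
2020-09-01T10:00:09Z ip=203.0.113.7 user=erin@example.edu result=success
2020-09-01T10:02:00Z ip=198.51.100.9 user=frank@example.edu result=fail
2020-09-01T10:02:30Z ip=198.51.100.9 user=frank@example.edu result=fail
2020-09-01T10:03:00Z ip=198.51.100.9 user=frank@example.edu result=success
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\w+)$")

def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "success"

def detect_spray(text, window=timedelta(minutes=5), min_users=4):
    """Flag source IPs that fail against >= min_users distinct accounts in one window.

    Returns {ip: {"users": sorted failed accounts, "success_after": accounts
    the same IP then logged into}}. Brute force against a single account
    (many failures, one user) is deliberately not matched here.
    """
    by_ip = defaultdict(list)
    for ev in sorted(parse_log(text), key=lambda e: e[0]):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            failed = {u for _, _, u, ok in in_win if not ok}
            if len(failed) >= min_users:
                hits = [u for _, _, u, ok in in_win if ok]
                alerts[ip] = {"users": sorted(failed), "success_after": hits}
                break  # one alert per source address is enough
    return alerts
```

The `success_after` list is the actionable part: those are the accounts whose leaked, reused password still worked and should be reset first.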
ATTACKS — RISE OF RANSOMWARE INFECTION & HACKTIVISM

It is an undeniable fact that many prestigious Academic Institutes have been hit by numerous ransomware programs at different times. By closely inspecting the same fact, it is evident that Ransomware Attacks have seen a sudden uptick since 2016, as the victims became ready for the negotiation offered by the hackers in order to recover their files by paying the ransom. This ignited the interest of attackers, who began to invest more resources in Ransomware Programs.

Outcome: Now, you may know several RaaS (Ransomware as a Service) programs like Smaug, GandCrab, Project Root along with major Ransomware Gangs like Maze, Clop, Netwalker, Nefilim, REvil, Snake and their experimental business strategies like Live Data Auction, Storage as a Service, Affiliate Programs, Feedback Collection, etc.

Here is a list of a few Universities who paid Ransomware Operators to gain back the compromised data:-

> UNIVERSITY OF CALGARY — 2016 — Paid $20,000
> HORRY COUNTY SCHOOL DIST. — 2017 — Paid $8,500
> LOS ANGELES VALLEY COLLEGE — 2017 — Paid $30,000
> UNIVERSITY OF MAASTRICHT — 2020 — Paid $220,000
> UNIVERSITY OF UTAH — 2020 — Paid $457,059 to Netwalker (Suspected)
> UNIVERSITY OF CALIFORNIA — 2020 — Paid $1.14M to Netwalker
> MAYNOOTH UNIVERSITY — 2020 — Paid Undisclosed Amount
> UNIVERSITY HOSPITAL NEW JERSEY — 2020 — Paid $670,000 to SunCrypt

It is also interesting to note that the BlackBaud Hack took place recently (May 2020) and compromised more than 10 Universities from the UK, US and Canada.

Note: BlackBaud is a Cloud Hosting Provider majorly used by Educational Institutes and various Non-Profit Organizations.

Here is a list of Educational Institutes who were hit by various Ransomwares in 2020.

The Hacking Campaigns orchestrated by APT Groups such as Silent Librarian (Iran) against Global Universities are the newest evidence that attacks against Educational Institutes are on the rise.

Nowadays, though many institutes are aided by Cyber Extortion Insurances (Cyber Extortion Coverage from IRMI is one such), it would be a healthy practice to patch up old legacy tools in order to keep cyber attacks at bay.

KEY-TAKEAWAYS

> Quick fix to the Open/Unsecured ports, especially RDP and Elastic/Mongo
> Never fall for any phishing email attachments/links
> Do not blindly trust requests coming from EDU Domains
> Disown (do not reuse) the passwords used on Educational MOOC Platforms
> Regular Data Backup
> Isolate the Mirror/Backup Archives from Mainframe Systems
> Never pay the demanded ransom, in case of a Ransomware Attack

The largest IoT Botnet, “Mirai”, which brought down various online services such as OVH, Netflix, Spotify, PayPal, etc., was created in a University Dorm Room.

So, Dear Sys-Admins! Never under-estimate the power of Educational Platforms!!!

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

Note:- The Article is purely an Individual Research and is not subject to be used/published anywhere without the Author’s consent.