Cyberattacks: higher education on high alert during the holidays

[Exclusive] Toulouse INP, Grenoble INP, and IUT Paris – Rives de Seine were not isolated cases. Heightened vigilance has been requested during the Christmas school holidays to head off further cyberattacks.
By Valéry Rieß-Marchive, Editor-in-Chief
Posted: Dec 29 2022
In mid-September, Toulouse INP began the school year with a ransomware attack. At the beginning of December, Grenoble INP reported an "intrusion" on its servers, without describing it as a cyberattack. At the same time, our colleagues at Le Parisien revealed that IUT Paris – Rives de Seine had openly fallen victim to a computer attack. These cases are not isolated. According to our information, four major incidents in higher education were reported in November, and three in December.

At the beginning of November, the IT team of one university detected suspicious traffic and spotted an attacker who had already penetrated deep into the information system, before he had time to deploy and trigger ransomware.

Ten days later, history repeated itself at a second university: a compromised student account was used to gain initial access through a remote access server. A comparable scenario played out at an engineering school ten days after that.

At the very end of November, it was Grenoble INP's turn. According to our information, the attacker managed to reach the core of the information system, which was shut down entirely to contain the attack.

On December 4, IUT Paris – Rives de Seine was less fortunate: ransomware was deployed and triggered. The attack has since been claimed on Vice Society's leak site. Rebuilding the information system is expected to take weeks, if not months.

But the series continued with another IUT on December 8. There, the ransomware was deployed only on a limited perimeter. Two days later, another engineering school was hit; the attacker was stopped in his tracks before the ransomware could be triggered.

In the grip of info-stealers
These incidents, which occurred between November and mid-December 2022, have one thing in common: each began with the misuse of a user account that permitted remote access to information system resources. That misuse was made possible by credential theft using a specialized class of malware: info-stealers, also called information thieves or password stealers.

The Sekoia.io teams have been carrying out extensive investigative work on this class of malware for several months. In April 2022, they examined one of them, Mars Stealer, and summarized its capabilities: "Mars Stealer is able to collect data from multiple browsers (passwords, cookies, credit cards, etc.), steal credentials from crypto plugins, crypto wallets and 2FA plugins, recover files, [perform a] fingerprint of the infected host". Mars Stealer is not alone and shares its code "with other information thieves including Arkei, Oski and Vidar". To these can be added Raccoon, RedLine, and Amadey, to name but a few.

According to our information, more than a thousand stealer detections in higher education were reported between November and mid-December. The situation was described as worrying at the Ministry of Higher Education and Research, and justified the activation, at the beginning of December, of the cyber crisis operational cell (COCC), which includes the National Agency for Information Systems Security (Anssi) and CERT-Renater.

Where do these password stealers come from?
These info-stealers are most notably hidden in pirated, so-called cracked, software. At the end of August 2022, Zscaler analyzed the approach of the actors distributing infostealers: "Since obtaining and using pirated software is prohibited by law, many people engaging in this type of behavior do not pay attention to the source of their download". They are therefore quickly trapped by an infostealer.

A few days later, Cyware in turn highlighted the phenomenon, reporting SEO poisoning and malvertising campaigns (hijacked online advertising) used to promote fake sites distributing pirated software, cracks and serial number generators, but above all infostealers. All of this relies on compressed archives that are both large and password-protected, so as to escape analysis by endpoint protection tools.

This is where traffers come in: specialists in generating traffic, or rather in redirecting Internet users to malicious content. According to the Sekoia.io teams, these traffers "monetize traffic to these botnet operators who intend to compromise users either on a large scale or in a region or operating system specific way. [...] In other words, the activity of traffers is a form of lead generation".

And indeed, a growing number of traffers "join teams to distribute information theft malware", that is, infostealers. In other words, they indirectly supply the initial access broker market, which in turn feeds the ransomware economy. All this with a particularly low barrier to entry.

Regular threats
According to our information, the detections in French establishments in recent months have mainly involved teaching networks and the Wi-Fi networks to which student computers connect: unmanaged, unmonitored machines from which legitimate users nevertheless access information system resources, and which may hold authentication data.

In itself, the situation is not unprecedented for the education sector, which has to deal with a context comparable to BYOD on a very large scale. Email accounts of French academies were hijacked by Emotet operators in the fall of 2020. In March 2021, an alert was raised about compromises involving IcedID.

A year ago, the information systems security officer (FSSI) for higher education, research and innovation warned of "compromise attempts particularly targeted at our community", citing a "very active threat". The scenario was different then, however: according to our information, everything started from a compromise targeting one university's instance of the authentication system of the Education-Research Federation's shared access portal, which provides SSO (Single Sign-On) to applications hosted outside the federation's member organizations.

Christmas holidays under the sign of vigilance
Faced with the threat of intrusions using compromised credentials, the rectors of academies and the directors of higher education and research establishments, among others, were asked to maintain an on-call IT presence during the Christmas school holidays "in order to take into account and process", within two hours, any report sent by the services of the senior defense and security official of the Ministry of National Education, Higher Education and Research.

It was also recommended to raise awareness once again, within establishments, "of the potentially major consequences [for the users themselves as well as the establishments] of using software downloaded from unreliable sources".

In addition to the alerts and technical indicators provided by the authorities, establishments are advised to rely on the data collected and distributed by Abuse.ch to block outbound traffic to already identified threats, starting with malware command and control (C2) servers.
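The following script, added here as an illustration and not taken from the article, from Abuse.ch or from any of the establishments mentioned, shows what that recommendation looks like in practice: it loads a C2 indicator feed, checks outbound connection logs against it, and renders block rules for the matches. It assumes the column layout of the Abuse.ch Feodo Tracker IP blocklist CSV (first_seen_utc, dst_ip, dst_port, c2_status, last_online, malware), and both the feed rows and the firewall-style log lines embedded below are constructed for the example.

```python
"""Match outbound connection logs against an Abuse.ch-style C2 indicator feed.

Added example, not code from the article or from Abuse.ch. Assumptions:
the feed follows the Feodo Tracker IP blocklist CSV column layout, and
the log format is an invented, firewall-style one-line-per-connection
format. All sample data below is constructed.
"""
import csv
import ipaddress
import re
from collections import namedtuple

# Constructed feed excerpt (invented rows in the Feodo Tracker CSV layout).
FEED_CSV = """\
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2022-11-02 10:11:00,203.0.113.10,443,online,2022-12-20,Emotet
2022-11-18 08:00:00,198.51.100.77,8080,offline,2022-11-30,QakBot
2022-12-01 15:30:00,192.0.2.55,443,online,2022-12-21,Dridex
"""

# Constructed outbound-connection log lines (invented format):
# <timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>
LOG_LINES = """\
2022-12-22T09:01:12Z 10.20.30.41 -> 142.250.74.110:443 tcp
2022-12-22T09:01:15Z 10.20.30.41 -> 203.0.113.10:443 tcp
2022-12-22T09:02:01Z 10.20.31.7 -> 198.51.100.77:8080 tcp
2022-12-22T09:02:44Z 10.20.31.7 -> 198.51.100.77:443 tcp
2022-12-22T09:03:10Z 10.20.32.9 -> 192.0.2.55:443 tcp
garbage line that should be ignored
"""

Indicator = namedtuple("Indicator", "ip port status malware")
Hit = namedtuple("Hit", "ts src dst port malware status")

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def load_feed(text, include_offline=False):
    """Parse the feed into a dict keyed by (dst_ip, dst_port).

    Comment lines and malformed rows are skipped. Only C2s flagged 'online'
    are kept by default, since offline entries may be stale and blocking
    them adds noise; pass include_offline=True to keep them anyway.
    """
    indicators = {}
    rows = csv.reader(
        line for line in text.splitlines() if line and not line.startswith("#")
    )
    for row in rows:
        if len(row) != 6:
            continue
        _first_seen, ip, port, status, _last_online, malware = row
        try:
            ipaddress.ip_address(ip)  # reject anything that is not an IP
            port = int(port)
        except ValueError:
            continue
        if status != "online" and not include_offline:
            continue
        indicators[(ip, port)] = Indicator(ip, port, status, malware)
    return indicators


def match_logs(log_text, indicators):
    """Return one Hit per log line whose (dst_ip, dst_port) is in the feed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # unparseable line: skip rather than crash the sweep
            continue
        ind = indicators.get((m["dst"], int(m["port"])))
        if ind:
            hits.append(Hit(m["ts"], m["src"], ind.ip, ind.port, ind.malware, ind.status))
    return hits


def iptables_rules(indicators):
    """Render one outbound DROP rule per (ip, port) indicator, sorted for stable output."""
    return [
        f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j DROP"
        for ip, port in sorted(indicators)
    ]


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    for h in match_logs(LOG_LINES, feed):
        print(f"{h.ts} {h.src} contacted {h.malware} C2 {h.dst}:{h.port} ({h.status})")
    print("\n".join(iptables_rules(feed)))
```

Matching on the (ip, port) pair keeps the comparison faithful to the feed, which lists C2 endpoints rather than hosts; a stricter deployment would key on the IP alone so that a botnet moving its listener to another port on the same address is still blocked. Note that the connection to 198.51.100.77 on port 443 is not flagged even with offline entries included, precisely because the feed lists that host only on port 8080.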

The recommendations go well beyond that, and also cover "a set of technical actions to reduce the attack surface of [computer systems] exposed on the Internet".