Educause Security Discussion mailing list archives
Potential Higher Ed focused Ransomware attacks
From: Brian Kelly <bkelly () EDUCAUSE EDU>
Date: Fri, 11 Dec 2020 15:48:14 +0000
The EDUCAUSE Cybersecurity Program would like to alert our community to a recent attack at a member institution. Identification of the threat actor indicates a connection to a known ransomware attack group, and the actions seen by the institution are often a precursor to a ransomware attack. The member institution consulted with [Law Enforcement] Authorities during this incident, who believe the perpetrators may be an emerging threat group focusing on Higher Education or a previously existing group that is now targeting Higher Education. The overview below was provided by the impacted institution, which was able to detect and mitigate the attack before the attacker was able to deploy ransomware. The tools and techniques closely followed the PYSA/Mespinoza Ransomware playbook: https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/

Overview

The threat actor, using stolen credentials of a former student (dormant account), gained access to the campus Citrix environment. The threat actor then escalated privileges, gaining access to a domain privileged account, and set up persistent access. Approximately one month later the threat actor used a system privileged account to gain access to the campus Domain Controller, deploying various hacker tools including Mimikatz to collect the entire directory of campus credentials, including encrypted passwords for offline cracking. The campus was alerted when virus protection software detected malware/tools activity. At this point, the campus was unaware of the source account, and the threat actor retained access via the former student account. During the ensuing month, the threat actor continued to access campus systems, conducting reconnaissance to regain privileged access. The institution put added monitoring in place, and roughly one month later the campus was alerted to the threat actor (via the added monitoring); again, they disabled the relevant accounts and took further actions to investigate and remediate.

The campus engaged a third-party forensic firm, and the full course and extent of compromise was determined. The campus had begun a multi-factor authentication (MFA) rollout but had been hampered by the impact of the COVID pandemic. Within a two-week period, the campus was able to “virtually authenticate” and enroll all faculty, staff, and students (more than 18,000 individuals total) into their MFA program prior to a complete rebuild of the Domain Controller and Active Directory infrastructure and ejection of the threat actor. Subsequent actions by the threat actor revealed over 5,000 later attempts to re-compromise the campus network.

Key issues found that contributed to the “success” of the threat actor and should be reviewed at your institutions:

- Dormant student user accounts (not disabled)
- Lack of tiered security model to protect core infrastructure
- Weakness in Domain Privileged Account Passwords
- Lack of MFA
- Availability/use of obsolete encryption protocol (RC4)
- Unlimited access to virtual desktop environment

At this point, we are unable to provide additional details. I will provide more information as allowed. If you wish to discuss this incident or indicators at your institution that might be related, please utilize the REN-ISAC OPS discussion list for greater confidentiality. Impacted institutions are encouraged to contact the REN-ISAC's SOC 24 x 7 Watch Desk at +1 317-274-7228 and/or soc () ren-isac net.

Guidance and resources from NIST

NIST's National Cybersecurity Center of Excellence (NCCoE), in collaboration with members of the business community and vendors of cybersecurity solutions, has built example solutions to address the data integrity challenges posed by ransomware and other destructive events. These are described in NIST Special Publication (SP) 1800-25, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, and SP 1800-26, Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events. Ransomware, destructive malware, insider threats, and even honest user mistakes present ongoing threats to organizations. All types of data are potential targets of data corruption, modification, and destruction. Formulating a defense against these threats requires thorough knowledge of the assets within the enterprise and protection of these assets against data corruption and destruction. Furthermore, quick, accurate, and thorough detection and response to a loss of data integrity can save an organization time, money, and headaches. These two new publications complement SP 1800-11, which addresses recovering from ransomware and other destructive events. For more details and links to related efforts, see the Data Security program page.

SP 1800-25: https://csrc.nist.gov/publications/detail/sp/1800-25/final
SP 1800-26: https://csrc.nist.gov/publications/detail/sp/1800-26/final
SP 1800-11: https://csrc.nist.gov/publications/detail/sp/1800-11/final
Data Security program page (NCCoE): https://www.nccoe.nist.gov/projects/building-blocks/data-security

Additional EDUCAUSE resources
https://library.educause.edu/resources/2019/10/national-student-clearinghouse-playbooks
https://er.educause.edu/blogs/sponsored/2020/6/higher-ed-ransomware-playbook

Brian

Brian Kelly, CISSP, CISM, CEH
Director, Cybersecurity Program <https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program>
bkelly () educause edu
EDUCAUSE
Uncommon Thinking for the Common Good
Follow HEISC on LinkedIn <https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | Twitter: @HEISCouncil
direct: 475.449.6440 | educause.edu <http://www.educause.edu/>
1150 18th Street, NW, Suite 900
Washington, DC 20036

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
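Two of the key issues the advisory lists, dormant accounts that were never disabled and continued availability of RC4, can be checked from data most campuses already have: an export of Active Directory user attributes and the Kerberos service-ticket events (Windows Security event 4769) that domain controllers log. The following is an added example written for this archive page; it is not code from EDUCAUSE, the impacted institution, or the PYSA report. The account records and the 4769 lines are constructed sample data, the 90-day dormancy threshold is an assumed policy value, and the encryption-type bit flags and the 0x17/0x12 ticket encryption codes are the documented Windows values.

```python
import re
from datetime import datetime, timedelta, timezone

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes (documented Windows values).
ETYPE_DES_CBC_CRC = 0x01
ETYPE_DES_CBC_MD5 = 0x02
ETYPE_RC4_HMAC = 0x04
ETYPE_AES128 = 0x08
ETYPE_AES256 = 0x10
OBSOLETE_MASK = ETYPE_DES_CBC_CRC | ETYPE_DES_CBC_MD5 | ETYPE_RC4_HMAC
AES_MASK = ETYPE_AES128 | ETYPE_AES256

DORMANT_AFTER_DAYS = 90  # assumed policy threshold; the advisory gives no number
RC4_TICKET_ETYPE = 0x17  # "Ticket Encryption Type" value for RC4-HMAC in event 4769


def is_dormant(account, now, threshold_days=DORMANT_AFTER_DAYS):
    """True for an ENABLED account that has not logged on within the threshold (or never has).

    Disabled accounts are not reported: the finding is accounts left enabled after
    their owner left, which is exactly the former-student account in the advisory.
    """
    if not account["enabled"]:
        return False
    last = account["last_logon"]
    return last is None or (now - last) > timedelta(days=threshold_days)


def encryption_finding(account):
    """Classify an account's msDS-SupportedEncryptionTypes value.

    'aes-only'      only AES flags are set
    'allows-rc4'    an RC4 or DES bit is set, alone or alongside AES
    'default-unset' attribute absent or 0, so the domain default applies; on many
                    domains that default still includes RC4, so it needs review
    'other'         non-zero value with neither AES nor obsolete bits (e.g. FAST only)
    """
    etypes = account["supported_etypes"]
    if not etypes:
        return "default-unset"
    if etypes & OBSOLETE_MASK:
        return "allows-rc4"
    if etypes & AES_MASK:
        return "aes-only"
    return "other"


# Constructed sample export: the shape one gets from Get-ADUser with the
# LastLogonDate and msDS-SupportedEncryptionTypes properties, reduced to four fields.
NOW = datetime(2020, 12, 11, tzinfo=timezone.utc)  # advisory date, used as "today"
SAMPLE_ACCOUNTS = [
    {"sam": "former.student", "enabled": True,
     "last_logon": datetime(2019, 5, 20, tzinfo=timezone.utc), "supported_etypes": None},
    {"sam": "svc-legacy", "enabled": True,
     "last_logon": datetime(2020, 12, 10, tzinfo=timezone.utc),
     "supported_etypes": ETYPE_RC4_HMAC | ETYPE_AES256},
    {"sam": "asmith", "enabled": True,
     "last_logon": datetime(2020, 12, 1, tzinfo=timezone.utc), "supported_etypes": ETYPE_AES256},
    {"sam": "old.staff", "enabled": False, "last_logon": None, "supported_etypes": None},
]


def triage(accounts, now=NOW):
    """Return the account names that fall under each of the two findings."""
    return {
        "dormant_enabled": [a["sam"] for a in accounts if is_dormant(a, now)],
        "allows_rc4": [a["sam"] for a in accounts if encryption_finding(a) == "allows-rc4"],
        "etype_unset": [a["sam"] for a in accounts if encryption_finding(a) == "default-unset"],
    }


# Constructed sample lines in the shape of event 4769 as a SIEM might flatten them.
SAMPLE_4769 = """\
2020-11-02T03:14:07Z 4769 Account=jdoe@CAMPUS.EDU Service=MSSQLSvc/db1.campus.edu TicketEncryptionType=0x17
2020-11-02T03:14:09Z 4769 Account=jdoe@CAMPUS.EDU Service=HTTP/intranet.campus.edu TicketEncryptionType=0x17
2020-11-02T03:15:01Z 4769 Account=asmith@CAMPUS.EDU Service=cifs/fs1.campus.edu TicketEncryptionType=0x12
2020-11-02T03:15:44Z 4769 Account=svc-backup@CAMPUS.EDU Service=krbtgt/CAMPUS.EDU TicketEncryptionType=0x12
"""

EVENT_RE = re.compile(
    r"Account=(?P<account>\S+) Service=(?P<service>\S+) TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+)"
)


def rc4_ticket_requests(log_text):
    """(account, service) pairs for service tickets that were still issued with RC4.

    Each hit names a service account that is still negotiating the obsolete cipher;
    fixing its msDS-SupportedEncryptionTypes (and password) makes the hits disappear.
    """
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m and int(m["etype"], 16) == RC4_TICKET_ETYPE:
            hits.append((m["account"], m["service"]))
    return hits


if __name__ == "__main__":
    for finding, names in triage(SAMPLE_ACCOUNTS).items():
        print(f"{finding}: {names}")
    for account, service in rc4_ticket_requests(SAMPLE_4769):
        print(f"RC4 service ticket: {account} -> {service}")
```

On a real domain the `SAMPLE_ACCOUNTS` list would be replaced by an export of user objects, and `SAMPLE_4769` by the 4769 events pulled from the domain controllers or SIEM. The two checks deliberately report different populations: `is_dormant` looks at enabled accounts only, because a disabled account is already the desired state, while the encryption classification also surfaces accounts whose attribute is unset, since those inherit whatever the domain default allows rather than an explicit AES-only setting.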
Current thread:
- Potential Higher Ed focused Ransomware attacks Brian Kelly (Dec 11)