Threat Actors are Targeting K-12 Educational Institutions in the U.S



Threat actors in the United States are targeting K-12 education institutions to install ransomware, steal information, or interrupt distance learning programs.

In a joint alert this week, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned of continuous attacks targeting K-12 educational institutions.

A significant number of reports describing malware attacking school computer networks have been collected by the FBI, CISA, and MS-ISAC. The events resulted in slow access to the compromised computers and rendered them unavailable for distance learning and other functions in some cases.

The ransomware operators have engaged in double extorting, stealing confidential data, and attempting to spill it on the Internet, much as in attacks against companies and industry, before a ransom is paid.

According to MS-ISAC, at the beginning of the 2020 academic year, the number of ransomware attacks on K-12 schools rose considerably, accounting for more than half (57 percent) of confirmed incidents in August and September, compared to less than a third (28 percent) between January and July.

During the first nine months of 2020, AKO, Ryuk, Maze, Nefilim, and Sodinokibi/REvil were listed as the most popular ransomware families used in attacks on K-12 schools.

The ZeuS Trojan (targeting Windows) and the Shlayer malware downloader (targeting macOS) were the most prevalent malware families targeting K-12 schools over the past year the FBI, CISA and MS-ISAC say. Rounding up the top 5 are Agent Tesla, NanoCore, and CoinMiner.

In distributed denial-of-service (DDoS) attacks, K-12 schools and third-party providers used for distance learning were also attacked. Any want tobe criminal will conduct destructive attacks, regardless of experience level, courtesy of DDoS-for-hire services.



Live video-conferenced classroom sessions were also interrupted by uninvited participants, revealing updates that have been submitted by the FBI, CISA, and MS-ISAC since March 2020. These uninvited visitors showed pornography and/or abusive images, or doxed meeting attendees in addition to physically assaulting students and teachers.

The warning reads, “In addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC, it is expected that malicious cyber actors will continue to seek opportunities to exploit the evolving remote learning environment.”

These threat actors are likely to use social engineering techniques (usually found in phishing attacks) in their attacks to trick victims into exposing confidential details, targeting flaws in infrastructure and open/exposed ports, or leveraging malware from End-of-Life (EOL).

K-12 educational organizations can ensure their applications and operating systems are up-to-date, update network device keys periodically, use multi-factor authentication, uninstall unused technologies, verify user and administrator accounts, enforce network segmentation, recognize and remedy open ports, use anti-malware solutions, and advise users on phishing in order to remain secure.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.