U.S. Colleges Warned of VPN Credential Leaks

The FBI has warned of a widespread cyber crime campaign designed to compromise the network credentials and VPNs of US colleges and universities.

An FBI security alert stated that the login details of more than 36,000 .edu email accounts had been shared on dark web forums in May.

The agency said that credentials were mostly compromised through a combination of spear phishing and ransomware.

According to the alert, the attacks originated from Russia, which suggests that the US could have been specifically targeted because of its public backing of Ukraine following the Russian invasion.

Many cyber criminal gangs from the region have supported the war. The notorious ransomware group Conti, which disbanded last month, vowed to retaliate against anyone who launched a cyber attack against pro-Russian organizations.

Meanwhile, ‘Killnet’ and its affiliate ‘Legion’ were recently accused of attempting to disrupt the Eurovision Song Contest after Russia and one of its major allies, Belarus, were banned from the event.

However, it’s possible that the attack wasn’t linked to the war at all. It might simply be the case that the US education sector is notoriously vulnerable to cyber attacks, and a group of criminal hackers took advantage of that for financial gain.

Lack of evidence

Organizations are often reluctant to acknowledge that sensitive information has been compromised in cyber attacks. This is in part because of the US’s lax data breach notification requirements, but it’s also a result of a lack of cybersecurity awareness.

With ransomware attacks, for example, organizations are so preoccupied by the main signs of the intrusion, such as encrypted files, that they don’t realize that information has been stolen.

Likewise, many organizations – and schools particularly – lack the resources to perform a forensic investigation to recognize how the cyber attack affected them.

In these latest attacks, the FBI warned that the exposure of login credentials and network access information “could lead to subsequent cyber attacks against individual users or affiliated organizations.”

It added:

For example, in 2017, cyber criminals targeted universities to hack .edu accounts by cloning university login pages and embedding a credential harvester link in phishing emails. “Successfully harvested credentials were then sent to the cyber criminals in an automated email from their servers,” the FBI notice explained.

Such tactics have continued to prevail and were ramped up with COVID-themed phishing attacks designed to steal university login credentials, according to security researchers from a US-based company in December 2021.

The FBI listed multiple instances where login credentials belonging to university accounts were listed for sale on Russian cyber crime forums.

The information is typically used to conduct credential-stuffing attacks, enabling criminal hackers to “drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.”

How should schools combat the risk?

The best way to prevent these types of cyber attacks is with penetration testing and staff phishing awareness.

As the FBI notes, phishing and ransomware are the most common techniques used to infiltrate organizations. To stop these attacks, organizations must understand how cyber criminals exploit system vulnerabilities and employee error.

This advice isn’t limited to schools and universities. Although they are one of the biggest targets, organizations in all sectors are vulnerable to cyber attacks.

You can find out how to get started by looking at our range of penetration tests. We offer a variety of CREST-accredited services to address specific risks.

They have each been developed to align with your business requirements, budget and the value you assign to the assets you intend to test.