FBI flash alert warns of attacks on education sector
On March 17, the FBI issued a flash alert warning the education sector of a marked increase in cyber attacks using “Pysa” ransomware.
Pysa, also known as Mespinoza, was first reported in October 2019; by March 2020, it had gained the attention of the FBI with concentrated attacks on government, education, healthcare, and the private sector. The current wave of attacks appears to be focused on K-12 schools, post-secondary institutions, and seminaries in the United States and the United Kingdom. The two-stage attacks feature an attempt to exfiltrate data before locking up the victims’ systems with ransomware. The encrypted files left behind after successful attacks are typically tagged with a “.pysa” file type.
The malware is most often introduced through phishing emails, or by exploiting unprotected systems through compromised user credentials. Once a system is breached, the attackers have been moving laterally through networks to deploy malware, steal credentials, and disable anti-virus protections before locking up endpoint computers.
The FBI alert provides a detailed set of indicators of compromise (IOCs) and suspicious email addresses known to have delivered the malware exploits. The recommended mitigation efforts are all “best practice” activities, concluding with one of the most important pieces of advice: focusing on awareness and training for staff to help them avoid being duped by phishing schemes.
On the same day, CISA and the FBI published a joint statement warning about a trend of spearphishing attacks involving TrickBot malware activity. The statement lays out the MITRE ATT&CK enterprise techniques used by TrickBot, and presents examples of IOCs for system administrators to employ to detect potentially harmful network activity.
Computer manufacturer Acer reportedly hit with $50 million ransomware demand
According to a report in Bleeping Computer, Acer, the Taiwanese hardware and electronics manufacturer, has been victimized by the REvil ransomware group. The ransomware demand is reportedly $50M (USD), one of the largest ransoms ever recorded; further, if the ransom is not paid by March 28, the price will double to $100M (USD), according to a screenshot in the report.
The attack appears to have been made on March 13, but was only disclosed by the media on March 19. There is wide speculation that the breach may have been related to the Microsoft Exchange vulnerability whose effects are being felt on in-house mail servers around the world.
REvil, the suspected attackers, are infamous for the devastating attack against currency dealer Travelex in December 2019. In that incident, Travelex reportedly paid $2.3M in order to decrypt its files and resume operations, but the impact of the cyberattack and financial uncertainty due to the COVID-19 pandemic eventually forced Travelex into bankruptcy by August 2020.
Acer has neither confirmed nor denied whether it was involved in a ransomware attack. A vague statement was issued by the company, only conceding that “recent abnormal situations observed” have been reported to “law enforcement and data protection authorities in multiple countries”.
“Acer routinely monitors its IT systems, and most cyberattacks are well defensed [sic]. Companies like us are constantly under attack… We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities,” according to Acer’s statement.
When pressed for additional details by a number of news outlets, Acer’s only further comment was that “there is an ongoing investigation and for the sake of security, we are unable to comment on details.”
This news ends the week on a sour note for the tech company, which saw its stock rise sharply after it reported significant revenues in its financial statement released on March 17 (a few days after the suspected ransomware attack). Acer announced 2020 consolidated revenues of $12.19B ($3.64B in Q4), 2020 gross profits of $1.33B ($423M in Q4), and 2020 net profits of $265M ($87.6M in Q4). All figures are approximated in Canadian dollars.
Charges laid in “Homecoming Queen” hacking incident
Not all cybercrime is for financial gain. Consider the recent incident in Cantonment, Florida in suburban Pensacola. A 17-year-old high school student and her mother were arrested this week, charged with a variety of computer-related offenses after allegedly accessing student records to rig the school’s Homecoming Queen election in October 2020.
While the daughter cannot be identified, the mother is 50-year-old Laura Rose Carroll, an assistant principal at an elementary school in the same district where her daughter attended high school. Carroll allegedly used her broad access to the district’s student-information system to cast fraudulent votes for her daughter in the two-day election.
After Carroll’s daughter was crowned Homecoming Queen, the voting system sent an alert to the school warning that many of the votes were suspected to be fraudulent. Investigation into the incident revealed that, over a short period of time, approximately 117 of the votes in the election came from a single IP address; in all, 246 votes appeared to have been made from computers and mobile phones associated with the Carroll residence.
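The kind of vote-velocity check that triggered the alert described above can be implemented as a sliding-window count of votes per source IP. This is an added example, not code from the article or from the voting system involved; the log format (timestamp, source IP, device id, candidate) and the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample vote records in a hypothetical format:
# "<ISO timestamp> <source IP> <device id> <candidate id>".
# One address submits a burst of votes within seconds; the others vote once.
VOTE_LOG = """\
2020-10-26T18:00:05 203.0.113.7 dev-a1 cand-3
2020-10-26T18:00:09 203.0.113.7 dev-a1 cand-3
2020-10-26T18:00:12 203.0.113.7 dev-a1 cand-3
2020-10-26T18:00:20 203.0.113.7 dev-a1 cand-3
2020-10-26T18:01:30 198.51.100.22 dev-b7 cand-1
2020-10-26T19:45:00 192.0.2.44 dev-c2 cand-3
2020-10-27T08:10:00 203.0.113.7 dev-a1 cand-2
"""


def parse_votes(text):
    """Parse the constructed log into (timestamp, ip, device, candidate) tuples."""
    votes = []
    for line in text.splitlines():
        ts, ip, dev, cand = line.split()
        votes.append((datetime.fromisoformat(ts), ip, dev, cand))
    return votes


def flag_vote_bursts(votes, window=timedelta(minutes=5), threshold=3):
    """Return {ip: peak votes within any `window`} for IPs that reach `threshold`.

    A legitimate household may share an address, so the threshold and window
    should be tuned to the electorate; the point is to surface bursts for review.
    """
    stamps_by_ip = defaultdict(list)
    for ts, ip, _dev, _cand in votes:
        stamps_by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until all stamps fit inside it.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Running `flag_vote_bursts(parse_votes(VOTE_LOG))` on the sample flags only 203.0.113.7, with four votes inside a five-minute window; the next-day vote from the same address falls outside the window and does not count toward the burst.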
After the charges were laid, students came forward alleging that the unauthorized system access was a pattern of behaviour for Carroll’s daughter. Over her high school years, the daughter allegedly looked up grades, test scores, schedules and other records, openly sharing confidential data with others on a routine basis.
Carroll was apparently complicit in the unauthorized access, as she would have received notifications about each login event. Further, the school system enforces a 45-day password reset policy, meaning her daughter would have had to be exposed to new credentials every month and a half in order to maintain access, likely in violation of the school’s “Staff Responsible Use of Guidelines for Technology”.
According to a statement by the Florida Department of Law Enforcement (FDLE) on Facebook, “The investigation also found that beginning August 2019, Carroll’s FOCUS account accessed 372 high school records, and 339 of those were of Tate High School students.”
Carroll and her daughter were arrested on one count each of offenses against users of computers, computer systems, computer networks and electronic devices (a third-degree felony); unlawful use of a two-way communications device (also a third-degree felony); criminal use of personally identifiable information (yet another third-degree felony); and conspiracy to commit these offenses (a first-degree misdemeanor), according to the statement.
The incident underscores that cybercrime is truly a crime, and law enforcement is taking these incidents seriously. Further, it serves as a reminder that even a well-secured system can be subject to unauthorized access. Regular access and data audits need to be conducted to ensure that privileges are not overly broad, and are not being abused for unofficial business.