Countering the Threat of Vice Society

by | Apr 13, 2023

A PROFILE OF AN ADVERSARIAL GROUP TARGETING THE EDUCATION SECTOR

In September 2022, The LAUSD (Los Angeles Unified School District) disclosed that it was attacked by Vice Society attack group.

The attack targeted the school district’s computer systems. It resulted in closure of all online learning for the district’s 600,000 students and disorder in operations of district services. This includes email, payroll, and grading systems which caused significant disruptions to online learning for thousands of students and teachers. In addition, Vice Society published 500 GB of files containing payroll records and other labor-related documents that included SSNs and impacted peoples’ names and home addresses.

The impact of the attack was widespread, affecting not just students and teachers but also the wider community. It highlighted the growing threat of cyberattacks and the importance of cybersecurity measures for educational institutions.

In this paper, we will shed light on the Vice Society attack group, discuss the attack techniques and implications of the LAUSD attack, and provide preventative measures against ransomware attacks.

Vice Society Attack Group

Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in the summer of 2021. Its malicious actors do not use a ransomware variant of unique origin. Instead, they have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware.

Since its launch and until mid-June 2022, the group claimed campaigns targeting at least 88 victims. All of whom are still listed on their dedicated data leak site (DLS). While some ransomware gangs refrain from targeting healthcare, government, and education organizations, Vice Society was not observed applying such restrictions. This group notably targets public school districts and other academic institutions, as 26.1% of the victims listed on their data leak site are educational-related entities . They may view education as a quieter and less well-funded category where it can fly under the radar. Among the school districts that have disclosed ransomware attacks perpetrated by Vice Society are Frederick Public Schools in Oklahoma, Whitehouse Independent School District in Texas, Manhasset Free Union School District in New York, and Linn-Mar Community School District in Iowa last month. 

Another high-profile education sector victim is the Austrian Medical University of Innsbruck which had to reset all 3,400 students’ and 2,200 employees’ account passwords following severe IT service disruption.

73.9% of known victims of this cyber criminal group are located in France, the United States of America, the United Kingdom, Spain, Italy, Germany, and Brazil.

Countries most impacted by the Vice Society ransomware group, by increasing number of attacks

The group is known for its double-extortion tactics. It sneaks onto victim servers, copies private and sensitive data, then locks up the systems, encrypts the victim’s data, and demands a ransom payment. If the ransom is not paid, the attackers typically sell the private data on the dark web or publish it.

These tactics pressure victims into making a ransom payment on two fronts:

  1. The longer critical systems remain encrypted, the longer a business is unable to operate – which could result in SLA violations.
  2. A business could suffer enormous reputational damage if sensitive customer data is leaked.

Vice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [T1190]. 

The actors have been mainly exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527 ) to escalate privileges [T1068].

LAUSD Ransomware Attack

LAUSD, the second-largest school district in the United States, announced on September 3, 2022, that they fell victim to a ransomware attack launched by a Russian-speaking ransomware gang known as Vice Society. In the announcement, LAUSD’s Superintendent Alberto Carvalho revealed that the threat actors were active in its network for over two months, between July 31, 2022, and September 3, 2022. LAUSD is the largest school district in the nation to have experienced a ransomware attack. 

Vice Society has used internal login credentials leaked on the dark web to access LAUSD’s network and launch the ransomware attack.

Two weeks later, the hackers issued a ransom demand with a three-day ultimatum. However, LAUSD, rightfully following the FBI’s strict no-ransom payment advice, denied the ransom payment. 

As a result, Vice Society published 500GB of data stolen from LAUSD’s systems. This includes the personal data of students who had attended LAUSD between 2013 and 2016. The stolen data included social security numbers, financial and tax information, health details, passport data, legal records, and labor compliance documents, including certified payroll records that contractors provided to LAUSD in connection with Facilities Services Division projects.

Attack Aftermath

The fallout from the attack was significant, with LAUSD setting up a hotline for worried families and scrambling to deal with the situation. The FBI, CISA, and MS-ISAC jointly published an advisory warning that Vice Society disproportionately targets the U.S. education sector. However, the hackers behind the attack seemed to move on without profiting from the incident.

The LAUSD attack sparked debates about the safety and security of online learning, as well as the need for increased investment in cybersecurity measures. In response, the school district pledged to improve its cybersecurity protocols and work with law enforcement agencies to investigate the attack and bring those responsible to justice.

Preventative Measures

In general, The FBI, CISA, and the MS-ISAC recommend network defenders apply the mitigations in this link to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Vice Society actors. 

After analyzing the tactics and techniques employed by Vice Society in recent attacks and comparing them to standard security configurations and mitigations, the results are concerning:

Reconnaissance

T1595 – Active Scanning

35% of organizations are not enforcing protections from external scanners.

Initial Access

T1189 – Exploit Public-Facing Applications- PrintNightmare (CVE-2021-1675) and (CVE-2021-34527), to gain initial access.

60% of vendors are protecting against these vulnerabilities.

50% of the protections are in ‘inactive’ mode (they are not actively protecting or alerting against these vulnerabilities.)

Execution

T1129 Shared Modules

45% of detection systems failed to detect the malicious samples used by the attackers.

Command and Control

T1573 – Encrypted Channel

32% of detection systems have failed to identify the exfiltration flow of the malware.

Exfiltration

T1567 – Exfiltration Over Web Service

Vice Society are using web services to upload the data that is stolen from the organization (using services such as Mega.nz, Anonfiles.com and others). 

26% of organizations allow fileshare upload from their organizations without content enforcement or protection.

TAKING THE PROACTIVE APPROACH

As cyber threats become more sophisticated, organizations can no longer afford to take a reactive approach to security. The LAUSD attack highlighted the importance of implementing a comprehensive security strategy that includes preventative measures. However, many organizations are hesitant to harden their security defenses (e.g. switch vulnerability protections to block mode), fearing that doing so may cause unintended downtime and negatively impact business operations. To address this challenge, organizations should continuously and automatically assess their security configurations and correlate them with security logs and alerts to ensure that they are properly secured while minimizing the risk of downtime. By prioritizing proactive security measures, organizations can better protect themselves from potential threats without sacrificing business uptime. 

USING VERITI 

Veriti is a consolidated security platform that integrates with the security stack to continually and proactively monitor exposure to threats and remediate security gaps across the organization’s infrastructure. 

Using machine learning algorithms, Veriti automatically analyzes threat configurations and correlates them with sensor telemetries, security logs, and threat intelligence feeds to provide contextual, actionable insights that: 

  • Remediate security gaps and misconfigurations proactively before they are exploited.  
  • Optimize security controls to address immediate risks without impacting business applications.  
  • Identify security controls impacting business applications with related IT malfunctions and help security teams quickly analyze scope and remediation options. 

Veriti’s solution platform helps organizations to maximize the value of their security investment proactively without impacting business operations. Its configuration-aware approach enables security teams to optimize security controls to address immediate risks and amplifies their efficiency. It enables quick analysis of scope and remediation options. Additionally, Veriti provides complete visibility into the entire security stack, allowing for a more comprehensive understanding of the overall preventative maintenance level and active vulnerabilities. 

Get your security controls assessment now


Recommended Articles

Subscribe to our BLOG

Get the latest security insights, news and articles delivered to your inbox.

Product

Product Overview

Maximize security posture while ensuring business uptime

Automated Security Controls Assessment

Validate your security control

Integrations

Connect Veriti with your security solutions

Use Cases

Agentless OS-Level Remediation

Proactively safeguard your systems directly at the OS-Level on the endpoint

Validate Risk Posture

Identify postural gaps by querying your security configuration

Eliminate False Positives

Reduce alert fatigue. Increase Security Effectiveness

Maintain Cyber Hygiene

Monitor the hygiene of your security solutions

Vulnerability Mitigation

Prioritize and virtually patch vulnerabilities

Enhance zero-day Protection

Identify and distribute zero-day indicators of attack

Solutions

VERITI FOR MSSPs

Efficiently manage multiple clients in a consolidated platform

VERITI FOR HEALTHCARE

Neutralize security gaps without impacting healthcare operations

VERITI FOR MANUFACTURING

Protect the heart of your production processes

LEARN HOW TO INCREASE BUSINESS OUTCOMES

DOWNLOAD EBOOK>>

Resources

See all resources

Blog

Veriti's security blog

Downloads

The latest guides, white papers and infographics

Events

Live event and on-demand webinars

MASTERING MODERN OS-LEVEL SECURITY: THE AGENTLESS APPROACH

WATCH NOW>>

Our Story

Learn about Veriti

Leadership Team

Meet the team

Careers

Work with us

Newsroom

Our latest updates

Partner with Veriti

Become a partner