A PROFILE OF AN ADVERSARIAL GROUP TARGETING THE EDUCATION SECTOR
In September 2022, the LAUSD (Los Angeles Unified School District) disclosed that it had been attacked by the Vice Society attack group.
The attack targeted the school district’s computer systems. It resulted in the closure of all online learning for the district’s 600,000 students and disrupted district services, including email, payroll, and grading systems, causing significant disruptions to online learning for thousands of students and teachers. In addition, Vice Society published 500 GB of files containing payroll records and other labor-related documents that included SSNs and the names and home addresses of impacted people.
The impact of the attack was widespread, affecting not just students and teachers but also the wider community. It highlighted the growing threat of cyberattacks and the importance of cybersecurity measures for educational institutions.
In this paper, we will shed light on the Vice Society attack group, discuss the attack techniques and implications of the LAUSD attack, and provide preventative measures against ransomware attacks.
Vice Society Attack Group
Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in the summer of 2021. Its malicious actors do not use a ransomware variant of unique origin. Instead, they have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware.
Since its launch and until mid-June 2022, the group has claimed campaigns targeting at least 88 victims, all of whom are still listed on its dedicated data leak site (DLS). While some ransomware gangs refrain from targeting healthcare, government, and education organizations, Vice Society was not observed applying such restrictions. This group notably targets public school districts and other academic institutions: 26.1% of the victims listed on their data leak site are education-related entities. They may view education as a quieter and less well-funded category where they can fly under the radar. Among the school districts that have disclosed ransomware attacks perpetrated by Vice Society are Frederick Public Schools in Oklahoma, Whitehouse Independent School District in Texas, Manhasset Free Union School District in New York, and Linn-Mar Community School District in Iowa last month.
Another high-profile education sector victim is the Austrian Medical University of Innsbruck which had to reset all 3,400 students’ and 2,200 employees’ account passwords following severe IT service disruption.
73.9% of known victims of this cyber criminal group are located in France, the United States of America, the United Kingdom, Spain, Italy, Germany, and Brazil.
Countries most impacted by the Vice Society ransomware group, by increasing number of attacks
The group is known for its double-extortion tactics. It sneaks onto victim servers, copies private and sensitive data, then locks up the systems, encrypts the victim’s data, and demands a ransom payment. If the ransom is not paid, the attackers typically sell the private data on the dark web or publish it.
These tactics pressure victims into making a ransom payment on two fronts:
- The longer critical systems remain encrypted, the longer a business is unable to operate – which could result in SLA violations.
- A business could suffer enormous reputational damage if sensitive customer data is leaked.
Vice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [T1190].
The actors have mainly been exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges [T1068].
LAUSD Ransomware Attack
LAUSD, the second-largest school district in the United States, announced on September 3, 2022, that they fell victim to a ransomware attack launched by a Russian-speaking ransomware gang known as Vice Society. In the announcement, LAUSD’s Superintendent Alberto Carvalho revealed that the threat actors were active in its network for over two months, between July 31, 2022, and September 3, 2022. LAUSD is the largest school district in the nation to have experienced a ransomware attack.
Vice Society used internal login credentials leaked on the dark web to access LAUSD’s network and launch the ransomware attack.
Two weeks later, the hackers issued a ransom demand with a three-day ultimatum. However, LAUSD, rightfully following the FBI’s strict no-ransom payment advice, denied the ransom payment.
As a result, Vice Society published 500 GB of data stolen from LAUSD’s systems. This includes the personal data of students who attended LAUSD between 2013 and 2016. The stolen data included social security numbers, financial and tax information, health details, passport data, legal records, and labor compliance documents, including certified payroll records that contractors provided to LAUSD in connection with Facilities Services Division projects.
The fallout from the attack was significant, with LAUSD setting up a hotline for worried families and scrambling to deal with the situation. The FBI, CISA, and MS-ISAC jointly published an advisory warning that Vice Society disproportionately targets the U.S. education sector. However, the hackers behind the attack seemed to move on without profiting from the incident.
The LAUSD attack sparked debates about the safety and security of online learning, as well as the need for increased investment in cybersecurity measures. In response, the school district pledged to improve its cybersecurity protocols and work with law enforcement agencies to investigate the attack and bring those responsible to justice.
In general, the FBI, CISA, and MS-ISAC recommend that network defenders apply the mitigations listed in their joint advisory to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Vice Society actors.
After analyzing the tactics and techniques employed by Vice Society in recent attacks and comparing them to standard security configurations and mitigations, the results are concerning:
T1595 – Active Scanning
- 35% of organizations are not enforcing protections against external scanners.
T1190 – Exploit Public-Facing Application: PrintNightmare (CVE-2021-1675 and CVE-2021-34527), used to gain initial access.
- 60% of vendors are protecting against these vulnerabilities.
- 50% of the protections are in ‘inactive’ mode (they are not actively protecting or alerting against these vulnerabilities).
T1129 – Shared Modules
- 45% of detection systems failed to detect the malicious samples used by the attackers.
Command and Control
T1573 – Encrypted Channel
- 32% of detection systems failed to identify the exfiltration flow of the malware.
T1567 – Exfiltration Over Web Service
Vice Society uses web services such as Mega.nz and Anonfiles.com to upload the data stolen from the organization.
- 26% of organizations allow file-share uploads without content enforcement or protection.
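The T1567 finding above (uploads to web file-sharing services that many organizations neither inspect nor block) can be turned into a concrete detection on proxy logs. The following is an added example written for this article; it is not code from the original page or from Veriti. The log line format, the per-source upload threshold, the internal host names and the sample log lines are constructed assumptions; the mega.nz and anonfiles.com domains are the services named in the text. It aggregates request-body bytes sent by each internal client to those services and raises a finding when a single source exceeds the threshold within the log window.

```python
"""Detect bulk uploads to file-sharing web services (ATT&CK T1567) in proxy logs.

Added example for this article, not code from the original page or from Veriti.
The log format, the per-source byte threshold, the internal host names and the
sample lines are constructed assumptions; mega.nz and anonfiles.com are the
services named in the article.
"""
from collections import defaultdict
from datetime import datetime

# Services named in the article as used by Vice Society. Extend from your own
# threat intelligence; matching covers the domain itself and any subdomain.
FILE_SHARING_DOMAINS = {"mega.nz", "mega.co.nz", "anonfiles.com"}

# HTTP methods that carry a request body, i.e. uploads.
UPLOAD_METHODS = {"POST", "PUT"}

# Assumed alerting threshold: 50 MiB uploaded by one source over the log window.
BYTES_THRESHOLD = 50 * 1024 * 1024

# Constructed sample proxy log, one event per line:
# "<ISO-8601 time> <client ip> <method> <host> <bytes sent by client> <bytes received> <status>"
SAMPLE_LOG = """\
2022-08-14T02:13:07Z 10.20.5.17 GET www.example.org 412 18320 200
2022-08-14T02:14:51Z 10.20.5.17 POST g.api.mega.co.nz 31457280 512 200
2022-08-14T02:15:09Z 10.20.5.17 POST g.api.mega.co.nz 33554432 512 200
2022-08-14T02:16:40Z 10.20.7.3 GET anonfiles.com 230 5120 200
2022-08-14T02:17:02Z 10.20.9.44 PUT files.corp-internal.example 104857600 0 201
"""


def parse_line(line):
    """Split one proxy log line into a dict; raises ValueError on malformed input."""
    ts, src, method, host, bytes_out, bytes_in, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "method": method.upper(),
        "host": host.lower(),
        "bytes_out": int(bytes_out),
        "bytes_in": int(bytes_in),
        "status": int(status),
    }


def is_file_sharing_host(host):
    """True if host is a listed file-sharing domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def find_exfil_candidates(log_text, threshold=BYTES_THRESHOLD):
    """Sum upload bytes per internal source to file-sharing services and return
    the sources at or above the threshold, largest uploader first."""
    per_source = defaultdict(lambda: {"bytes_out": 0, "events": 0, "hosts": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        # Only request bodies sent to a file-sharing service count as upload volume.
        if event["method"] not in UPLOAD_METHODS or not is_file_sharing_host(event["host"]):
            continue
        agg = per_source[event["src"]]
        agg["bytes_out"] += event["bytes_out"]
        agg["events"] += 1
        agg["hosts"].add(event["host"])

    findings = [
        {"src": src, "bytes_out": agg["bytes_out"], "events": agg["events"], "hosts": sorted(agg["hosts"])}
        for src, agg in per_source.items()
        if agg["bytes_out"] >= threshold
    ]
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_LOG):
        print(f"ALERT T1567: {f['src']} uploaded {f['bytes_out']} bytes in "
              f"{f['events']} requests to {', '.join(f['hosts'])}")
```

In the sample, only 10.20.5.17 is flagged: its two POSTs to a mega.co.nz API host total just over 62 MiB, while the GET to anonfiles.com carries no upload and the large PUT goes to an internal host. The same `is_file_sharing_host` matcher can drive a proxy block or content-inspection rule, which is the enforcement the 26% figure above says is often missing.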
TAKING THE PROACTIVE APPROACH
As cyber threats become more sophisticated, organizations can no longer afford to take a reactive approach to security. The LAUSD attack highlighted the importance of implementing a comprehensive security strategy that includes preventative measures. However, many organizations are hesitant to harden their security defenses (e.g. switch vulnerability protections to block mode), fearing that doing so may cause unintended downtime and negatively impact business operations. To address this challenge, organizations should continuously and automatically assess their security configurations and correlate them with security logs and alerts to ensure that they are properly secured while minimizing the risk of downtime. By prioritizing proactive security measures, organizations can better protect themselves from potential threats without sacrificing business uptime.
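The approach described in this paragraph, deciding which protections can be moved from detect-only (or fully inactive) to block mode by correlating their configuration with the alerts they have actually produced, can be sketched in a few lines. The following is an added example written for this article; it is not Veriti's code or algorithm. The protection inventory, the alert log format, the host names, the recommendation codes and the decision rules are constructed assumptions; the two CVE identifiers are the PrintNightmare CVEs named earlier in the text.

```python
"""Correlate protection configuration with alert logs before switching to block mode.

Added example for this article, not Veriti's code or algorithm. The protection
inventory, alert log format, host names and decision rules are constructed
assumptions; the CVE identifiers are the PrintNightmare CVEs named in the article.
"""
from collections import defaultdict

# Constructed inventory of hosts whose downtime the business cannot tolerate.
BUSINESS_CRITICAL = {"payroll-app.example.local", "grading-app.example.local"}

# Constructed protection inventory. "mode" is one of:
#   prevent  - blocks and alerts
#   detect   - alerts only
#   inactive - neither blocks nor alerts
PROTECTIONS = [
    {"id": "CVE-2021-1675", "mode": "detect"},
    {"id": "CVE-2021-34527", "mode": "inactive"},
    {"id": "SIG-EXT-SCANNER", "mode": "detect"},        # hypothetical external-scanner signature
    {"id": "SIG-FILESHARE-UPLOAD", "mode": "prevent"},  # hypothetical upload-to-file-share signature
]

# Constructed alert log, one line per alert: "<protection id> <src> <dst> <action taken>"
ALERT_LOG = """\
CVE-2021-1675 10.20.5.17 dc01.example.local detect
CVE-2021-1675 10.20.5.17 dc02.example.local detect
SIG-EXT-SCANNER 198.51.100.23 payroll-app.example.local detect
SIG-EXT-SCANNER 198.51.100.23 grading-app.example.local detect
SIG-FILESHARE-UPLOAD 10.20.5.17 g.api.mega.co.nz prevent
"""

# Recommendation codes returned by recommend() (assumed vocabulary).
OK = "ok"                                # already blocking
ACTIVATE = "activate"                    # enable the protection, in detect mode first
SWITCH_TO_PREVENT = "switch_to_prevent"  # detect-only; no hit involved a critical host
REVIEW = "review_before_blocking"        # detect-only; hits involve business-critical hosts


def parse_alerts(log_text):
    """Parse the constructed alert log into a list of dicts."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        protection, src, dst, action = raw.split()
        alerts.append({"protection": protection, "src": src, "dst": dst, "action": action})
    return alerts


def recommend(protections, alerts, critical=BUSINESS_CRITICAL):
    """Return {protection id: recommendation code}, combining each protection's
    configured mode with the alerts it produced in the log window."""
    hits = defaultdict(list)
    for a in alerts:
        hits[a["protection"]].append(a)

    result = {}
    for p in protections:
        pid, mode = p["id"], p["mode"]
        matched = hits.get(pid, [])
        touches_critical = any(a["src"] in critical or a["dst"] in critical for a in matched)
        if mode == "prevent":
            result[pid] = OK
        elif mode == "inactive":
            result[pid] = ACTIVATE
        elif touches_critical:
            # Blocking here could interrupt a business application: a human decides.
            result[pid] = REVIEW
        else:
            # Detect-only with no hits, or hits only on non-critical hosts: blocking
            # would not have interrupted business traffic in this window.
            result[pid] = SWITCH_TO_PREVENT
    return result


def not_preventing_share(protections):
    """Fraction of protections that are not actively blocking (detect or inactive)."""
    return sum(p["mode"] != "prevent" for p in protections) / len(protections)


if __name__ == "__main__":
    for pid, rec in recommend(PROTECTIONS, parse_alerts(ALERT_LOG)).items():
        print(f"{pid:22} -> {rec}")
    print(f"not preventing: {not_preventing_share(PROTECTIONS):.0%}")
```

On the sample data the PrintNightmare signature for CVE-2021-1675 has fired only against domain controllers and can go to block mode, the inactive CVE-2021-34527 signature should be enabled, and the external-scanner signature needs review because its hits touch the payroll and grading applications. Real deployments would feed the inventory and alerts from the firewall, IPS and endpoint management APIs rather than from inline strings.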
Veriti is a consolidated security platform that integrates with the security stack to continually and proactively monitor exposure to threats and remediate security gaps across the organization’s infrastructure.
Using machine learning algorithms, Veriti automatically analyzes threat configurations and correlates them with sensor telemetry, security logs, and threat intelligence feeds to provide contextual, actionable insights that:
- Remediate security gaps and misconfigurations proactively before they are exploited.
- Optimize security controls to address immediate risks without impacting business applications.
- Identify security controls impacting business applications with related IT malfunctions and help security teams quickly analyze scope and remediation options.
Veriti’s platform helps organizations maximize the value of their security investment proactively without impacting business operations. Its configuration-aware approach enables security teams to optimize security controls to address immediate risks, amplifies their efficiency, and enables quick analysis of scope and remediation options. Additionally, Veriti provides complete visibility into the entire security stack, allowing for a more comprehensive understanding of the overall preventative maintenance level and active vulnerabilities.