A Ransomware Gang from Vice Society Also Takes Credit for the malware attack. The fact that the malware attack against the Los Angeles Unified School District did not occur sooner is maybe the only unexpected part of it.
A cyber intelligence firm claims that through an intermediary, it informed the district that its network had been seriously breached by cybercriminals in February 2021. Additionally, a September 2020 cybersecurity review by the Inspector General discovered elevated risks related to database credentials, software patching, and password management.
The district, which has more than 600,000 pupils and is the second-largest in the nation, learned it had been attacked by a ransomware gang around September 3. An official from the ransomware gang Vice Society took responsibility for the malware attack early on Friday morning Sydney time. According to a recent U.S. government alert, the gang frequently targets the education sector.
Applications such as email were impacted by the malware attack. However, the district continued to hold lessons on Tuesday, the first day back in the classroom following the attack and the lengthy Labor Day holiday.
Issues
The theft of student personal information by ransomware hackers is still a mystery, though. Before deploying the virus that encrypts files, ransomware groups frequently trawl through networks and steal private information.
In this manner, threats of the release of those files might be made against victims who refuse to pay for a decryption key.
According to the Los Angeles Times on Wednesday, district superintendent Albert Carvalho claimed that the intruders did succeed in accessing “the student management system”. According to Carvalho, the district was attempting to determine what might have been accessed. When questioned, the Vice Society representative supplied a link to the website where it posts stolen data. But did not immediately respond when asked if the personal information of kids was stolen. LAUSD has not yet been mentioned on that page. Given that the district claims to have more than 600,000 kids from kindergarten through high school, if it does occur, it might be spectacular.
District Warned of Trickbot
Last year, the district might have narrowly escaped a malware attack. Through an intermediary, Hold Security, a Milwaukee-based cyber intelligence agency that monitors cybercrime, alerted LAUSD in February 2021.
According to Alex Holden, CISO and CEO of Hold Security, the Trickbot virus was installed on a school psychologist’s computer at the time. Trickbot is a notorious form of malware that is designed to gather login information. This is frequently an early warning sign of a ransomware assault.
The district’s Active Directory domain controllers, which are the servers that handle authentication for users logging on to systems, were crawled and mapped by the attackers using Trickbot. The victim frequently loses all hope at that time.
Since the threat actors are so firmly ingrained in the systems, ransomware distribution typically follows and is a disaster. Fortunately for the district, though, that didn’t occur.
Holden claims that Trickbot’s backend was entirely accessible to his analysts. They chose to alert the district through an intermediary after determining that it was at risk. He explains, “This was only an example of the protective measures we took to aid the [Trickbot] victims.
We don’t know what transpired after that warning. It’s possible that the district handled incident response and cleaned up the infections. But it hinted at what would happen this year.
Penetration Test: Cybersecurity Weaknesses
The district had just received a cybersecurity assessment and audit that identified a number of flaws in its information security procedures when the Trickbot notice was sent.
Soheil Katal, the district’s chief information officer, got a report titled “Information Security Audit, Cyber Security Assessment, and Internal and External Penetration Assessment” in January 2021 from the Office of the Inspector General.
The consultancy Crowe LLP performed penetration testing both internal and external. Security concerns prevented the release of the complete study with technical detail. But made a redacted version available to the public that highlighted key problems.
LAUSD has a vast, intricate network. The internal network contains 259,200 services, including 85,241 web services, and 57,765 other services. And 116,219 miscellaneous services, such as SSH, POP3, and NTP, according to the report. There were 109 externally exposed services, which includes 77 web services, 8 VOIP, and 24 other services. All of those were held at LAUSD.
Crowe LLP tested its internal network as though it were an unauthorized person accessing a secured network. Fortunately, Crowe discovered that the data center’s important applications “were adequately separated from the basic user network.”
However, “serious dangers” were discovered with regard to software patching, “guessable SQL” database credentials, internal email spoofing problems, social engineering, and anonymous file access.
The study also claims that the district did not have systems in place to verify control compliance at the time, conduct incident response training, or conduct an IT risk assessment. However, following the report’s completion, those procedures might have been put into place. A private report containing 38 findings was delivered to CIO Katal once the test was finished.
Significant risks related to passwords and credentials are among the findings, the report states.
Improvements
The cybersecurity assessment found key areas where LAUSD needed to improve.
The Los Angeles Unified School District (LAUSD) said in a news release on Thursday that it would “convene an Independent Information Technology Task Force to review all previous network audits and reports, including the Inspector General’s report.”
Superintendent Alberto M. Carvalho is quoted in the news release as saying, “I want our new task force to do a deep dive into the recommendations and implementation status of this security audit. This incident has served as a clear warning that cybersecurity attacks pose a genuine concern to our district and districts around the country. The task force of Los Angeles Unified will evaluate the audit’s authenticity and viability before reporting back with further
As of Wednesday, at least 23 employee or contractor accounts were accessible on the Dark Web, according to Information Security Media Group. The data included passwords and usernames, which were email addresses ending in “@lausd.net.”
Numerous passwords were straightforward, like “frenchfries” plus a number. A virtual private network service account for the district could be accessed with at least one set of credentials (see Dark Web Before Attack).
Initial access brokers are cybercriminals who sell stolen account credentials to ransomware attackers. With that access, ransomware gangs can probe a victim’s network, collect data, and finally install malware that encrypts files.
The district also refuted on Thursday that the ransomware assault was caused by such credentials, but it did not elaborate. A district spokeswoman declined to respond to any inquiries.
Federal investigating authorities have confirmed that the hacked email credentials that were allegedly discovered on malicious websites had nothing to do with this incident, according to the district’s news release. To safeguard network integrity, all compromised credentials have been completely disabled.
Phishing Phestival
Phishing campaigns continuously target LAUSD, like many other institutions. The goal of these email and text message campaigns was to deceive recipients into disclosing their login information. When the CIO, Katal, tweeted a warning in May, the targeting increased significantly.
Such alerts are common from businesses and organizations attempting to prevent from scams and endangering their networks. Additionally, the district provided examples. Work-from-home programmes and phoney overdue payment notices are among the usual junk. But some, like the one below, were really good.
