Safeguarding Our Schools: The Case for Prioritizing Cybersecurity

Digital transformation is instrumental in shaping how organizations function, and the education sector is no different. With increased expectations from students and stakeholders alike, educational institutions have overhauled their systems and operations to enable remote accessibility through the cloud. Further, the pandemic accelerated the use of personal devices and online platforms to support remote learning.

This widespread adoption of cloud services has created vulnerabilities, attracting cyber attackers seeking sensitive personal and confidential research data. Safeguarding operations, information exchange, and the well-being of students and staff poses significant challenges, evident in the escalating number of attacks, particularly by ransomware groups. Limited resources, funding constraints, and the use of outdated systems further empower attackers, enabling them to disrupt daily functions and pilfer valuable information for ransom.

To overcome this issue, Securin is working with schools to help them gain resilience against evolving threats. 

Here are the results of an assessment that Securin conducted for a US state's educational department. We investigated 931 public schools across 188 districts and charter schools in the state, serving approximately 322,685 students and employing 21,220 teachers.

The scan brought up 9,126 assets that include URLs, hosts, SSL certificates, domains and netblocks. Overall, these gave rise to 52,855 exposures that include unpatched vulnerabilities, open ports, misconfigurations and other such instances that could potentially be used by threat actors to wage an attack.

Of the identified exposures, our analysts flagged almost 15% as a weak spot or potential vulnerability, and 5% as potentially exploitable implying a high chance of compromise due to the presence of a definite path to exploitation if left unaddressed. Securin’s researchers analyzed the exposures in detail and prioritized the ones most dangerous to the institutions. 

Vulnerabilities: We identified 7,881 vulnerabilities across 450 assets. Out of those, 483 are distinct vulnerabilities that attackers could use to gain entry to vulnerable networks and penetrate deeper into them. A portion of these vulnerabilities have known exploits, meaning readily available exploit code exists for a threat actor to use against these assets with minimal effort.

Ransomware Threats: The exposures include 628 instances with known ransomware exploitation. Of these, our experts call out CVE-2019-11043, a PHP vulnerability exploited by the NextCry ransomware. Ransomware exposures are of the highest order of danger to schools, as they can give rise to ransomware attacks that lock users out of their systems, subject the institution to ransom payouts, and even result in data encryption or data loss.

Cloud-related Exposures: Over 1.2K assets on the cloud are connected to the internet and can be easily accessed by attackers. Together, this gives rise to 2,616 cloud-related exposures. Our experts also gathered 13,612 email addresses that were exposed, leaving them susceptible to social engineering attacks.

As a result of Securin’s asset scan and exposure prioritization, institutions were able to get a holistic view of their attack surface, understanding exposures they were not aware of. Many of the schools performed remediation on open exposures and improved their security posture.

Four Overlooked Exposures That Schools Should Look For

A cyberattack can result from multiple exposures introduced into organizational attack surfaces. However, these can easily be discovered if you know how to search. Here are some possible attack methods utilized in recent years.

Unpatched Vulnerabilities: The Pysa and Sabbath ransomware groups exploited unpatched vulnerabilities in school networks to seize their systems.

Connected Devices: Malicious actors take advantage of connected devices to deploy botnets and malware for stealthy network invasions.

      • Devices running internet-exposed SSH servers were targeted by FritzFrog, a peer-to-peer (P2P) botnet.
      • The APT group Sparkling Goblin adopted a new backdoor called SideWalk to penetrate the cybersecurity defenses of multiple targets, including educational institutions.

Exposures in Third-Party Software: This is probably one of the most overlooked dangers that can compromise school networks. A vulnerability in a third-party application used by schools can lead to educational institutions being caught unawares when exploited. Here are a few examples of how these can be used against organizations.

      • CVE-2022-1609, a critical vulnerability, was observed in School Management Pro, a WordPress plugin with over 340,000 customers; exploiting it could allow complete control of school websites.
      • A breach of Illuminate eduCLIMBER, an academic progress monitoring tool, exposed the personal data of 1,700 students. Earlier, the New York City Department of Education was also impacted by the breach, which exposed data of 820,000 current and former students and was touted as the single largest breach of student data.
      • Approximately 30,000 WordPress-hosted university websites in Ukraine were hacked during the Russian-Ukrainian war, with nearly 100,000 attacks in 24 hours.
      • A ransomware attack on a leading school website services provider disrupted servers and the regular functioning of thousands of schools using the SaaS provider.
      • Critical zero-day vulnerabilities were found in Fedena, a now-abandoned software package used for school management.
      • Personal information of around 500,000 students and 60,000 staff in Chicago Public Schools was stolen in a ransomware attack on the K-12 technology vendor Battelle for Kids.

Exposures Introduced by Misconfigurations: Mistakes while configuring assets or network-related parameters can be costly, as some schools found out when their databases were compromised.

      • Misconfigured certificates in eduroam, a free Wi-Fi network used by many universities, exposed the credentials of multiple users.
      • A data leak due to incorrect access configuration allowed access to a Google Drive containing the private information of 3,000 students and 100 department employees across New York City.

| Time Period | School | Region | Incident | Impact |
|---|---|---|---|---|
| January 2024 | Freehold Township school district | New Jersey | Cyberattack | School shutdown and classes canceled for a short while |
| September 2023 | Debenham High School | Debenham | Cyberattack | Computer facilities taken offline |
| August 2023 | Prince George's County Public Schools | Maryland | Cyberattack | 4,500 district user accounts out of 180,000 affected |
| August 2023 | Chambersburg Area School District | Pennsylvania | Ransomware Attack | Unknown |
| May 2023 | New Haven Public Schools | Connecticut | Cyberattack | Over $6 million stolen |
| September 2022 | LAUSD | Los Angeles | Ransomware Attack | Vice Society, a ransomware group, claimed to have stolen files from compromised LAUSD systems before encrypting them with ransomware. |
| July 2022 | Cedar Rapids Schools | Iowa | Ransomware Attack | Cedar Rapids had to pay a huge ransom to keep the personal data of staff and students from being exposed. |
| June 2022 | Tenafly Public Schools | New Jersey | Ransomware Attack | NJ district public schools canceled all final exams after their systems were encrypted by malicious agents. |
| December 2021 | Chicago Public Schools | Chicago | Ransomware Attack | Personal information of around 500,000 students and 60,000 staff stolen |
| November 2021 | Broward County Public Schools | Broward | Ransomware Attack | Personal information exposed, approximately 50,000 people affected |
| October 2021 | A US school district | | Sabbath Ransomware Attack | Multi-million dollar ransom demanded along with triple extortion |
| September 2021 | Lufkin Independent School District | Texas | Ransomware Attack | Several systems shut down, disrupting services |
| September 2021 | Dallas Independent School District | Texas | Cyberattack | Sensitive personal data of students exposed |
| August 2021 | K-12 schools | Various | Pysa Ransomware Attack | Eight schools hit |
| July 2021 | Public Schools | Monroe | Ransomware Attack | Unknown |
| June 2021 | Judson Independent School District | Texas | Ransomware Attack | Computer and communication systems were paralyzed |

A look at the attacks listed shows that over 50% of the incidents spiraled quickly into full-fledged ransomware attacks. The result was a complete shutdown of operations for a couple of days with delayed recovery, not to mention dire financial consequences, reputational damage, and data breaches that led to the exposure of confidential information about students and, in turn, to identity theft.

Research shows that in the US alone, a total of 88 education sector organizations were impacted by ransomware in 2021: 62 school districts and the campuses of 26 colleges and universities. The attacks disrupted learning at 1,043 individual schools. The common notion is that it is more economical to pay $1 million in ransom than potentially $10 million to retrieve the data in the event of a ransomware attack. However, a single payment cannot guarantee complete data recovery or prevent future attacks.

The APT Angle

Apart from ransomware, our research also notes that two threat actors, APT1 and Tilted Temple, are targeting the education sector, primarily in the US. APT actors are well-funded and generally government supported. They adopt sophisticated techniques to invade networks and creep through them stealthily, evading detection for months on end, and thus successfully plan highly damaging attacks. They primarily operate for financial gain or to steal sensitive information.

APT1, also known as Comment Crew, BrownFox, Group 3, Byzantine Hades, Byzantine Candor and Shanghai Group, among other aliases, is a China-based cyber-espionage group that has been attributed to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department. Having originated in 2006, the group is known for information theft and espionage across Asia, America, Africa, and even Europe.

Tilted Temple primarily targets the US using tools such as Godzilla, SockDetour and NGLite. The group is known to target a variety of sectors including Defense, Education, Energy, Financial, Healthcare and Technology.

How Schools Can Safeguard Themselves

Despite numerous cyber attacks targeting schools and serving as examples, there is a notable absence of a proper response from decision-makers. It is high time authorities stepped up and took measures to curb attacks and their consequent impact on millions of students and faculty.

Schools are an easy target for cybercriminals as they have abundant sensitive information (social security numbers, medical files, family information, and academic records) left open to the internet, not enough network defenses to safeguard data and no periodic checks to discover vulnerabilities.

Here are five things that schools can do to safeguard themselves.

  1. Keep up to date with the K-12 Cybersecurity Act and other advisories.
  2. Implement CISA KEV and advisory patch recommendations sooner rather than later.
  3. Deploy adequate resources to monitor the security situation of schools regularly.
  4. Perform routine checks and apply remediation measures immediately. If possible, automate this process.
  5. Have a contingency plan for when your systems are under attack.
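The assessment above ranks exposures by whether a definite path to exploitation exists, and recommendations 2 and 4 ask schools to act on CISA KEV entries first and to automate routine checks. The script below is an added example of one way to do that triage; it is not Securin's tooling or CISA's code. It indexes a KEV-format catalog (the real CISA feed uses the same field names: cveID, vendorProject, product, knownRansomwareCampaignUse, dueDate) and tiers scanner findings: KEV entries with known ransomware use first, other KEV entries next, then findings with public exploit code, then everything else. The catalog snapshot, the scanner findings, the hostnames and the CVE-2099-* identifiers are all constructed for the example (CVE-2019-11043 and CVE-2022-1609 come from the text; the dates shown are illustrative, not the catalog's real dates).

```python
"""Tier scan findings against a CISA KEV-style catalog (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import date
import json

# Constructed catalog snapshot mimicking the CISA KEV JSON feed's field names.
# Entries, dates and the CVE-2099-* ids are illustrative only; in practice load
# the real feed from cisa.gov instead of this string.
KEV_SNAPSHOT = json.loads("""
{
  "vulnerabilities": [
    {"cveID": "CVE-2019-11043", "vendorProject": "PHP", "product": "PHP-FPM",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2022-04-15"},
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "ExampleLMS",
     "knownRansomwareCampaignUse": "Unknown", "dueDate": "2099-01-01"}
  ]
}
""")


@dataclass(frozen=True)
class Finding:
    asset: str            # host or URL reported by the scanner
    cve: str              # CVE id reported by the scanner
    public_exploit: bool  # scanner flag: exploit code is publicly available
    internet_facing: bool # asset reachable from the internet


@dataclass(frozen=True)
class Prioritized:
    finding: Finding
    tier: str      # critical / high / medium / low
    overdue: bool  # KEV remediation due date already passed
    reason: str


TIER_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scanner output (hostnames are placeholders, not real schools).
SAMPLE_FINDINGS = [
    Finding("intranet.example-district.edu", "CVE-2022-1609", True, False),
    Finding("lib.example-district.edu", "CVE-2099-0002", False, False),
    Finding("www.example-district.edu", "CVE-2019-11043", True, True),
    Finding("portal.example-district.edu", "CVE-2099-0001", False, True),
]
AS_OF = date(2024, 1, 15)  # fixed "today" so results are reproducible


def load_kev(catalog: dict) -> dict:
    """Index a KEV-format catalog by CVE id."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def classify(finding: Finding, kev: dict, as_of: date) -> Prioritized:
    """Assign a tier: KEV+ransomware > KEV > public exploit > everything else."""
    entry = kev.get(finding.cve)
    if entry is not None:
        overdue = date.fromisoformat(entry["dueDate"]) < as_of
        if entry.get("knownRansomwareCampaignUse") == "Known":
            return Prioritized(finding, "critical", overdue, "KEV entry with known ransomware use")
        return Prioritized(finding, "high", overdue, "KEV entry (actively exploited)")
    if finding.public_exploit:
        return Prioritized(finding, "medium", False, "public exploit code available")
    return Prioritized(finding, "low", False, "no known exploitation")


def prioritize(findings, kev: dict, as_of: date) -> list:
    """Classify every finding and order the worklist: tier, overdue, internet-facing."""
    ranked = [classify(f, kev, as_of) for f in findings]
    ranked.sort(key=lambda p: (TIER_RANK[p.tier], not p.overdue,
                               not p.finding.internet_facing, p.finding.asset))
    return ranked


def summarize(ranked) -> dict:
    """Count findings per tier for a quick posture report."""
    counts = {tier: 0 for tier in TIER_RANK}
    for p in ranked:
        counts[p.tier] += 1
    return counts


def run_example() -> list:
    """Run the triage over the constructed findings and return the ordered worklist."""
    return prioritize(SAMPLE_FINDINGS, load_kev(KEV_SNAPSHOT), AS_OF)


if __name__ == "__main__":
    worklist = run_example()
    for p in worklist:
        flag = " OVERDUE" if p.overdue else ""
        print(f"{p.tier:8} {p.finding.cve:15} {p.finding.asset:32} {p.reason}{flag}")
    print(summarize(worklist))
```

Run on a real export, the worklist puts the KEV-listed, ransomware-linked finding on the internet-facing host at the top, which is the same ordering the assessment applies when it singles out the 628 ransomware-linked exposures before the rest. Scheduling this against a fresh catalog download is one concrete form of the automated routine check in recommendation 4.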

Talk with our experts to help fortify your defenses and strengthen your cybersecurity posture.
