Safeguarding Our Schools: The Case for Prioritizing Cybersecurity

Digital transformation is instrumental in shaping how organizations function and the education sector is no different. With increased expectations from students and stakeholders alike, educational institutions have overhauled their systems and operations to enable remote accessibility through the cloud. Further, the pandemic accelerated the use of personal devices and online platforms to support remote learning.

This widespread adoption of cloud services has created vulnerabilities, attracting cyber attackers seeking sensitive personal and confidential research data. Safeguarding operations, information exchange, and the well-being of students and staff pose significant challenges, evident in the escalating number of attacks, particularly by ransomware groups. Limited resources, funding constraints, and the use of outdated systems further empower attackers, enabling them to disrupt daily functions and pilfer valuable information for ransom.

To overcome this issue, Securin is working with schools to help them gain resilience against evolving threats.

Here are the results of an assessment that Securin conducted for a US state’s educational department. We investigated 931 public schools across 188 district and charter schools for the state serving approximately 322,685 students and employing 21,220 teachers.

The scan brought up 9,126 assets that include URLs, hosts, SSL certificates, domains and netblocks. Overall, these gave rise to 52,855 exposures that include unpatched vulnerabilities, open ports, misconfigurations and other such instances that could potentially be used by threat actors to wage an attack.

Of the identified exposures, our analysts flagged almost 15% as a weak spot or potential vulnerability, and 5% as potentially exploitable implying a high chance of compromise due to the presence of a definite path to exploitation if left unaddressed. Securin’s researchers analyzed the exposures in detail and prioritized the ones most dangerous to the institutions.

Vulnerabilities: We identified 7,881 vulnerabilities across 450 assets. Out of those, 483 are distinct vulnerabilities that could be exploited by attackers to enter into and penetrate deeper into vulnerable networks. A portion of these vulnerabilities have known exploits, indicating the existence of readily available codes for a threat actor to use in attacking assets with minimum effort.

Ransomware Threats: The exposures include 628 instances with known ransomware exploitation. Of these, our experts call out CVE 2019-11043, a PHP vulnerability with NextCry ransomware. Ransomware exposures are of the highest order of danger to schools as they can give rise to ransomware attacks causing users to be locked out of their systems, subjected to ransom payouts, and even result in data encryption or data loss.

Cloud-related Exposures: Over 1.2K assets on the cloud are connected to the internet and can be easily accessed by attackers. Together, this gives rise to 2,616 cloud-related exposures. Our experts also gathered 13,612 email addresses that were exposed, leaving them susceptible to social engineering attacks.

As a result of Securin’s asset scan and exposure prioritization, institutions were able to get a holistic view of their attack surface, understanding exposures they were not aware of. Many of the schools performed remediation on open exposures and improved their security posture.

Four Overlooked Exposures That Schools Should Look For

A cyberattack can result from multiple exposures introduced into organizational attack surfaces. However, these can easily be discovered if you know how to search. Here are some possible attack methods utilized in recent years.

Unpatched Vulnerabilities: The Pysa and Sabbath ransomware groups exploited unpatched vulnerabilities in school networks to seize their systems.

Connected Devices: Malicious actors take advantage of connected devices to deploy botnets and malware for stealthy network invasions.

Devices were exposed to an SSH server targeted by FritzFrog in a P2P botnet attack.

Exposures in Third-Party Software: This is probably one of the most overlooked dangers that can compromise school networks. A vulnerability in a third-party application used by schools can lead to educational institutions being caught unawares when exploited. Here are a few examples of how these can be used against organizations.

CVE-2022-1609, a critical vulnerability was observed in School Management Pro, a WordPress plugin with over 3,40,000 customers—exploitation of which could allow complete control of school websites.

Exposures Introduced by Misconfigurations: Mistakes while configuring assets or network-related parameters can be costly, as some schools found out when their databases were compromised.

Misconfigured certificates in eduroam, a free Wi-Fi network used by many universities, exposed the credentials of multiple users.

Time Period	School	Region	Incident	Impact
January 2024	Freehold Township school district	New Jersey	Cyberattack	School shutdown and classes canceled for short while
September 2023	Debenham High School	Debenham	Cyberattack	Computer facilities taken offline
August 2023	Prince George’s County Public Schools	Maryland	Cyberattack	4,500 district user accounts out of 180,000 affected
August 2023	Chambersburg Area School District	Pennsylvania	Ransomware Attack	Unknown
May 2023	New Haven Public Schools	Connecticut	Cyberattack	Over $6million stolen
September 2022	LAUSD	Los Angeles	Ransomware Attack	Vice Society, a ransomware group, claimed to have stolen files from compromised LAUSD systems before encrypting them with ransomware.
July 2022	Cedar Rapids Schools	Iowa	Ransomware Attack	Cedar Rapids had to pay a huge ransom to keep the personal data of staff and students from being exposed.
June 2022	Tenafly Public Schools	New Jersey	Ransomware Attack	NJ district public schools canceled all final exams after their systems were encrypted by malicious agents.
December 2021	Chicago Public Schools	Chicago	Ransomware Attack	Personal information of around 500,00 students and 60000 staff stolen
November 2021	Broward County Public Schools	Broward	Ransomware Attack	Personal information exposed, approximately 50,000 people affected
October 2021	A US School district	–	Sabbath Ransomware Attack	Multi-million dollar ransom demanded along with triple extortion
September 2021	Lufkin Independent School District	Texas	Ransomware Attack	Several systems shut down, disrupting services
September 2021	Dallas Independent School District	Texas	Cyberattack	Sensitive personal data of students exposed
August 2021	K-12 schools	Various	Pysa Ransomware Attack	Eight schools hit
July 2021	Public Schools	Monroe	Ransomware Attack	Unknown
June 2021	Judson Independent School District	Texas	Ransomware Attack	Computer and communication systems were paralyzed

A look at the attacks listed shows that over 50% of the incidents spiraled quickly into full-fledged ransomware attacks. The result was a complete shutdown of operations for a couple of days with delayed recovery, not to mention dire financial consequences, reputational damage and data breaches that lead to the exposure of confidential information about students, leading to identity theft.

Research shows that in the US alone, a total of 88 education sector organizations were impacted by ransomware in 2021: 62 school districts and the campuses of 26 colleges and universities. The attacks disrupted learning at 1,043 individual schools. While the common notion is that it is more economical to pay $1 million on ransom than potentially $10 million to retrieve the data in the event of a ransomware attack. However, a single payment cannot guarantee complete data recovery or prevent future attacks.

The APT Angle

Apart from ransomware, our research also notes that two threat actors APT1 and Titled Temple are targeting the education sector, primarily in the US. APT actors are well-funded and generally government supported. They adopt sophisticated techniques to invade networks and stealthily creep through, evading detection for months on end, and thus planning successfully, highly damaging attacks. They primarily operate for financial gain or to steal sensitive information.

APT 1, also known as Comment Crew, BrownFox, Group 3 | Byzantine Hades | Byzantine Candor, Shanghai Group among other aliases, is a China-based cyber-espionage group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department. Having originated in 2006, the group is known for Information theft and espionage across Asia, America, Africa, and even Europe.

Tilted Temple primarily targets the US using tools such as Godzilla, SockDetour and NGLite. The group is known to target a variety of sectors including Defense, Education, Energy, Financial, Healthcare and Technology.

How Schools Can Safeguard Themselves

Despite numerous cyber attacks targeting schools and serving as examples, there is a notable absence of a proper response from decision-makers. It is high time authorities stepped up and took measures to curb attacks and the consequential impact to millions of students and faculty.

Schools are an easy target for cybercriminals as they have abundant sensitive information (social security numbers, medical files, family information, and academic records) left open to the internet, not enough network defenses to safeguard data and no periodic checks to discover vulnerabilities.

Here are five things that schools can do to safeguard themselves.

Keep up to date with the K-12 Cybersecurity Act and other advisories.
Implement CISA KEV and advisory patch recommendations sooner rather than later.
Deploy adequate resources to monitor the security situation of schools regularly.
Perform routine checks and apply remediation measures immediately. If possible, automate this process.
Have a contingency plan for when your systems are under attack.

Talk with our experts to help fortify your defenses and strengthen your cybersecurity posture.