Reading Time: 2 minutes

Russian crooks are selling network credentials and VPN access to a number of students of US universities and colleges on criminal marketplaces, as per the FBI’s report.

A warning was issued on Thursday, it reported that the stolen credentials have been sold for thousands of dollars on public internet forums and the dark web. As a result, it may lead to cyberattacks against individual employees or the schools even.

According to the alert issued by the Feds:

“The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services”.

The bureau stated that in May 2021, more than 36,000 email and password combinations of email accounts ending with “.edu” were listed for sale on a “publicly available instant messaging platform”. Although, there were a few duplicates among those accounts.

The FBI referenced the cyberattacks in 2017, in which the cybercriminals made a ditto copy of university login pages and emailed such links in phishing emails that targeted personal details of people unbeknownst to them.

The alert further stated:

“Such tactics have continued to prevail and ramped up with COVID-themed phishing attacks to steal university login credentials, according to security researchers from a US-based company in December 2021″.

The FBI warning also came as a number of US colleges and universities have been facing an increase in ransomware attacks.

Apparently, in 2021 cybercriminals attacked 26 colleges and universities with ransomware. Whereas in 2022 as of now, the number is all set to exceed. So far, at least, 15 higher-ed schools have had to deal with ransomware. As per Brett Callow, a threat analyst at Emsisoft.

A customer success manager at penetration testing firm Horizon3ai, Brad Hong said:

“The education sector continues to make for attractive targets as it’s very rare that a university focuses on its cyber security stack as its No. 1 priority”.

He further stated:

“As the majority of colleges in the US, especially ones who are not focused on protecting the intellectual property of their research institutes, have neither the staff nor the budget to implement next-generation cyber tools to combat next generation cyber-attacks, the effort to payoff is several tiers lower than any other industry as a whole”, while citing a Sophos study that found the education sector ties for retail with the most ransomware attacks across various industries.

Security Recommendations from the FBI

The FBI recommends that colleges, universities, and all academic institutions should establish a strong cybersecurity hold to counterattack any sort of cyberattacks. They suggested that the following mitigation strategies be adopted to reduce risks:

  • Keep every operating system and software up-to-date. Carry out regular checks for software updates and EOL notifications. Automate software scanning and testing if possible so you don’t have to do everything manually.
  • Implement monthly user training programs so that students and faculty alike can be made aware of the hazardous risks of visiting suspicious websites and to avoid phishing emails.
  • Make the use of strong and unique passwords a must. Lock out a user after a certain number of incorrect password attempts. Avoid reusing the same password across multiple accounts.
  • Implement multi-factor authentication (MFA) to make user accounts resistant to phishing. Specifically, when using webmail, VPNs, and managing backups.
  • The network should be monitored for abnormal activities and appropriate measures should be taken to ensure the activity hasn’t harmed the network in any way. Plenty of network-monitoring tools out there which would be more than helpful.
  • Secure and closely monitor remote desktop protocol use.

All in all, unless colleges and universities take it upon themselves to ensure proper cybersecurity is implemented, cybercriminals will continue to lure unsuspecting students to divulge personal information.