Life online exposes us to those with malicious intent. However, there are steps that every person can take to minimize the possibility of confronting online dangers. Online learning environments at grade schools in the United States currently face a cyber threat. This assessment draws on Civic Hacker's threat hunting [1] and threat modeling [2] know-how. Civic Hacker encourages relevant parties to use the enclosed information to develop plans to resist this cyber threat.
Timeline of Notable Events
Civic Hacker monitors numerous data sources, including feeds related to cyber threats. Throughout December 2020, we detected a curious progression of cyber threat-related incidents. Below is a timeline of notable events with descriptions.
November 30, 2020. WAFF48, a Huntsville news station, reported that the Huntsville City Schools computer network was infected with ransomware [3], a kind of cyber attack.
December 1, 2020. The U.S. Cybersecurity Emergency Readiness Team (US-CERT) published an alert entitled Advanced Persistent Threat Actors Targeting U.S. Think Tanks.
On the same day, WAFF48 published a story that Huntsville City Schools would be closed for the remainder of the week, at least.
December 5, 2020. A security researcher published a full disclosure of a vulnerability that impacted Microsoft Teams, collaboration software in use in many school districts.
December 7, 2020. WAFF48 continued its coverage of the ransomware attack on Huntsville City Schools, including a statement from the school system informing the public that the incident was still in progress.
December 8, 2020. It was disclosed that FireEye, a cybersecurity firm (read: think tank), had detected a breach that involved exfiltration of its hacking tools, reached through a supply-chain attack on the SolarWinds product.
December 10, 2020. US-CERT published an alert entitled Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data. The report includes a list of likely malware and techniques used by those targeting virtual learning environments.
December 13, 2020. US-CERT published the alert Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
How to Respond to This and Similar Threats
Civic Hacker recommends employing tactics to mitigate the likelihood of compromise. There's always more we can do to protect ourselves online - here's a list to get you started.
- Install software updates on all computers & phones in the household.
- Install anti-virus software on all computers in the household.
- Do not click on social media posts from unfamiliar sources.
- Review links before clicking or sharing. Look closely for misspellings.
- Petition for better funding to improve the network security of schools.
For school administrators:
- Provide offline learning material to minimize disruption in case of an attack.
- Communicate with parents and students to promote safe browsing.
- Offer anti-phishing training to your staff.
- Ask your IT department to audit websites for vulnerable code.
For vendors of education software or partners to schools:
- Be sure to enforce HTTPS/TLS on all web pages.
- Make sure all company domains load properly to mitigate domain takeover attacks.
- Have engineers implement Content Security Policies on all web properties.
- Engage in threat hunting [1] and record findings.
- Create a Security Council with technical and non-technical stakeholders. Meet regularly to review current threats.
- Hold anti-phishing training.
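The HTTPS/TLS and Content Security Policy items above can be checked mechanically. The following is an added example, not Civic Hacker's code or tooling: it audits a set of HTTP response headers for HSTS and for a CSP that is present and not trivially permissive. The two header sets are constructed samples, and the weak-value list is an assumed minimal set of CSP sources a reviewer would flag.

```python
"""Audit HTTP response headers against the vendor checklist above:
HTTPS/TLS enforced (HSTS present) and a meaningful Content Security Policy.
The header sets at the bottom are constructed samples, not real vendor responses."""

# Assumed minimal set of CSP source values that defeat the policy's purpose.
WEAK_CSP_VALUES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:"}


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict, final_scheme: str) -> list:
    """Return a list of finding strings; an empty list means the checks passed.
    `headers` keys are matched case-insensitively; `final_scheme` is the scheme
    of the final URL after redirects ("http" or "https")."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if final_scheme != "https":
        findings.append("page served over plain HTTP")
    if "max-age" not in h.get("strict-transport-security", ""):
        findings.append("missing Strict-Transport-Security")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
        return findings
    directives = parse_csp(csp)
    if "default-src" not in directives:
        findings.append("CSP has no default-src fallback")
    for name in ("default-src", "script-src"):
        for src in directives.get(name, []):
            if src in WEAK_CSP_VALUES:
                findings.append(f"CSP {name} allows {src}")
    return findings


# Constructed samples: a weak configuration beside a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html",
                "Content-Security-Policy": "script-src * 'unsafe-inline'"}
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                               "object-src 'none'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for label, hdrs, scheme in (("weak", WEAK_HEADERS, "http"), ("hardened", HARDENED_HEADERS, "https")):
        print(label, audit_headers(hdrs, scheme) or ["ok"])
```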
[1] Threat Hunting is proactively searching for malware or attackers that are hiding within a network. https://cybersecurity.att.com/blogs/security-essentials/threat-hunting-explained (Jan 02, 2021)
[2] Threat Modeling is the process of using hypothetical scenarios, system diagrams, and testing to help secure systems and data. https://www.cisco.com/c/en/us/products/security/what-is-threat-modeling.html (Jan 02, 2021)
[3] Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access.