K-12 education institutions in the U.S. are being exploited by malicious actors for extortion, data theft, and general disruption of routine operations. The phenomenon will continue through the academic year 2020/2021.

The warning is issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), based on evidence of cyberattacks from K-12 institutions.

Schools throughout the country, which switched to remote classes after the pandemic, have been the target of ransomware attacks that lock computers until a ransom is paid. According to guidance from the FBI, the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center, hackers have also stolen and threatened to release sensitive student data unless institutions pay a ransom.

Hackers are expected to continue attempting to exploit remote learning in order to launch attacks, authorities said.

Ryuk, Maze, Nefilim, AKO, and REvil were the most prevalent ransomware families impacting K-12 institutions between January and September, based on data aggregated from both open-source and third-party incident reports.

Multiple malware strains were delivered by non-targeted attacks against this sector, the most common being Shlayer, ZeuS, Agent Tesla, NanoCore, and cryptocurrency miners.

The advisory also warns that schools have been targeted by distributed denial-of-service (DDoS) attacks that can overwhelm a network with traffic and force it to slow down or go completely offline. “The availability of DDoS-for-hire services provides opportunities for any motivated malicious cyber-actor to conduct disruptive attacks regardless of experience level,” officials said in the advisory.

The FBI, CISA, and MS-ISAC also highlight risks related to social engineering carried out through phishing and domain typosquatting against students, parents, faculty, IT personnel, or other people involved in distance learning.

Uninvited visitors crashing video classes, known as “zoombombing,” is also a cause for concern. According to the advisory, the FBI and DHS received reports of outsiders crashing remote learning calls and “verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees.” Doxing involves maliciously posting someone’s personal information on the internet.

The government alert provides a detailed set of actions to be taken by K-12 educational institutions, along with Snort signatures created by CISA to detect and protect against the identified malware attacks; the rules should be used alongside other security measures.
