Blog Post April 13, 2023

Schools are Prime Targets for Cybercriminals: What Can They Do?

By: Brittany Demendi, Corporate Communications Manager

The U.S Government Accountability Office has warned K-12 and higher education school districts that they are considered an increasingly popular target for cybercriminals. The industry remains a prime target for reasons that range from the wealth of student and employee personal data to lagging cybersecurity processes and measures.  

Last year, Infrastructure Investment and Jobs Act allocated $1 billion in federal grants to improve state and local government security between 2022 and 2025. States must match a certain amount of grants. Still, to secure funds, they must submit their plan to the Cybersecurity and Infrastructure Security Agency (CISA) with a statewide planning committee. This level of government involvement shows the risks the education industry is under while cyber attacks are still increasing.  

Just last month, Alabama’s third-largest school system’s network was shut down after a ransomware attack, and as of recently, there is no sure timeline for when normalcy is returning. Teachers are back to grading with pen and paper, and the school has no internet. This recent attack is not an isolated incident. Adlumin’s Managed Detection and Response (MDR) Team also sees multiple attacks within the education industry and has remediated any threats and intrusions to get schools back to normal.   

Recent Cyberattacks on the Education Industry 

Adlumin’s Managed Detection and Response Team received three high-severity alerts for logins from a foreign country. The detections were immediately escalated for an investigation to determine why one of the three accounts was experiencing a high volume of failed access events. This could’ve indicated a brute-force attack, authentication malfunctions, or an account malfunction.  

Additionally, the other two accounts were accessed from a first-try logon. Within one minute after successful access, lateral movement began. This means that the attacker already had access to the accounts. Adlumin’s Managed Detection and Response Team implemented a network block on the IP address and isolated the known compromised host. To further their investigation, the team conducted a 30-day search for the techniques and indicators of compromise (IOCs).  

This was not seen as an isolated incident as the education industry is being targeted nationally, hence why there is government involvement in enhanced cybersecurity plans.  

Trending Lateral Movement in the Education Industry 

The most alarming aspect of the recent attack was that the cybercriminal already had account access and could log in within one try. The cybercriminal began lateral movement within one minute of access, a trend the team has been seeing within this industry.  

To further understand the severity of this attack, we are breaking down lateral movement:  

What is Lateral Movement? 

Lateral movement is a technique adversaries use after compromising an account or endpoint. It extends access to other applications or hosts in an organization. This technique helps cybercriminals maintain persistence within a network, moving closer to the golden nuggets they are truly after. In severe cases, it can also allow cyber criminals to gain control of an administrator’s account and its associated data and privileges. 

A cybercriminal’s main goal is to remain undetected within an environment for as long as possible while moving toward sensitive or valuable data to exfiltrate or destroy it. After the initial break-in, the cybercriminal can easily learn the network anatomy, move laterally by accessing sensitive data through different systems and steal credentials.

Lateral movement is ideal for cybercriminals who want to stay under the radar, which is why this technique is chosen over malware or other exploits that will trigger an alarm. Detecting lateral movement is extremely difficult via prevention controls to block automatically. The more time passes, the more damage is done, resulting in greater recovery costs and investigation.

Stopping Attacks with Managed Detection and Response Services 

Managed Detection and Response Services paired with a Security Operations Platform are uniquely designed to identify attackers accurately and quickly as they move through an organization’s compromised network. With these services, detections developed by threat research and data science spot emerging attacker tactics, with machine learning, it catches anomalous behavior unique to any environment. 

In this particular incident, Adlumin’s Managed Detection and Response team blocked the threats on the education organizations quickly due to escalated alerts. In addition, working with the organization, they documented and provided step-by-step investigation details, offering 100% visibility. 

Stopping Lateral Movement with Adlumin’s Managed Detection and Response Services 

Adlumin’s Managed Detection and Response Services provide the premier command center for security operations to stop cyber threats, eliminate vulnerabilities and take command of sprawling IT operations. The education industry relies on Adlumin for solutions before cybercriminals disrupt classrooms and academic programs shutting down operations for weeks. Adlumin enables you to extend defensive capabilities beyond firewalls and security devices while gaining comprehensive visibility into your network.  

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.