Also: Vice Society Ransomware Gang Claims Credit for Attack Jeremy Kirk (jeremy_kirk) • September 9, 2022 Los Angeles Unified School District Superintendent Alberto Carvalho speaks on Tuesday about the district’s recovery from a ransomware attack. (Source: LAUSD via Twitter)
Perhaps the only surprising aspect of the ransomware attack against Los Angeles Unified School District is that it didn’t happen sooner.
A cyber intelligence consultancy says it warned the district through an intermediary that its network was thoroughly compromised by cybercriminals in February 2021. Also, an Inspector General cybersecurity assessment conducted in September 2020 found increased cybersecurity risks around password controls, software patching and database credentials.
The district, which is the second-largest in the country with more than 600,000 students, discovered it had been struck by a ransomware group around Sept. 3. Early Friday Sydney time, a representative of the Vice Society ransomware group claimed credit for the attack. The gang often strikes the education sector, according to a recent U.S. government advisory.
The attack affected email and other applications. But despite it, the district held classes on Tuesday, the first school day after the attack and the long Labor Day weekend.
But what remains unknown is whether the ransomware attackers stole the personal data of students. Ransomware groups usually rummage through networks and steal sensitive data before launching their file-encrypting malware. That way, if victims don’t pay for a decryption key, they can be threatened with the release of those files.
District Superintendent Alberto Carvalho said the attackers did reach “the student management system,” according to the Los Angeles Times on Wednesday. Carvalho said the district was trying to figure out what may have been accessed.
When asked, the Vice Society representative did not directly answer if the personal data of minors was stolen, but sent a link to the website where it publishes stolen data. So far, LAUSD has not appeared on that page. If it happens, it could be extraordinary: the district says it has more than 600,000 kindergarten through high school students.
LAUSD is just the latest in a wave of victims across the U.S. education sector this year, says Doug Levin, national director for the K12 Security Information Exchange, which helps schools improve their cybersecurity. The organization also tracks attacks with its Cyber Incident Map.
Levin says the cybersecurity weaknesses affecting school districts represent “a systemic failure” that is being capitalized on by cybercriminals and will require deep investments in new controls.
“Lack of investment in IT [information technology] – you can only do that for so long before the wheels start to fall off,” Levin says.
District Warned of Trickbot
The district may have just barely avoided a ransomware attack last year. Hold Security, which is a cyber intelligence consultancy based in Milwaukee, warned LAUSD in February 2021 via an intermediary.
At the time, a school psychologist’s machine was infected with the Trickbot malware, says Alex Holden, CISO and founder of Hold Security. Trickbot is a notorious type of malware used for harvesting credentials, and it’s often a precursor to a ransomware attack.
The intruders used Trickbot to crawl and map out the district’s Active Directory domain controllers, the systems that authenticate employees and students when they log on. Once attackers have mapped the domain controllers, it’s usually game over for the victim.
Cybercriminals had compromised LAUSD’s network by early 2021.
Ransomware deployment usually follows, and it’s a mess since the threat actors are so deeply burrowed in the systems. But luckily for the district, that didn’t happen.
Holden says his analysts had full access to Trickbot’s backend infrastructure. When they spotted the risk to the district, they warned the district through an intermediary. “This was just an example of defensive steps that we took to help the [Trickbot] victims,” he says.
The infection appeared to be remediated after the warning. What happened after that though is unknown. The district may have conducted deeper incident response and remediated other infections. But it foreshadowed what was to come this year.
Penetration Test: Cybersecurity Weaknesses
The Trickbot warning came just a month after the district received a cybersecurity assessment and audit outlining a number of weaknesses in its information security practices.
The district’s Chief Information Officer, Soheil Katal, received a report in January 2021, which was published by the Office of the Inspector General and titled “Information Security Audit, Cyber Security Assessment and Internal and External Penetration Assessment.”
The consultancy Crowe LLP conducted internal and external penetration tests. The full report with technical detail was not released due to security reasons, but a redacted version was made public that highlighted high-level issues.
LAUSD has a large, complex network. According to the report, the internal network comprises 259,200 services: 85,241 web services, 57,765 other services and 116,219 miscellaneous services, including SSH, POP3 and NTP. Externally, 109 services were exposed: 77 web services, 8 VoIP and 24 miscellaneous. LAUSD hosted all of those itself.
Crowe LLP ran its internal network test as if it were an unauthenticated user connected to a restricted network. There was a bit of good news: Crowe found major applications in the data center “were properly segmented from the basic user network.”
But “significant risks” were found around password controls, detection and alerting on malicious activity, software patching, “guessable SQL” database credentials, internal email spoofing issues, social engineering and anonymous access to file servers.
The report also says that the district – at least at the time – did not have processes to validate control compliance, did not have an IT risk assessment process and did not do incident response training. Those processes may have been implemented since the report was completed. After the test was done, a confidential report with 38 findings was sent to CIO Katal.
“Those findings include significant risks around passwords and credentials,” the redacted report says.
The cybersecurity assessment found key areas where LAUSD needed to improve.
On Thursday, LAUSD issued a news release saying it will “convene an Independent Information Technology Task Force to review all previous network audits and reports including the Inspector General’s report.”
“I want our new taskforce to take a deep dive into the recommendations and implementation progress of this security audit,” Carvalho says in the news release. “This incident has been a firm reminder that cybersecurity threats pose a real risk for our district – and districts across the nation. Los Angeles Unified’s task force will examine the viability and validity of the audit and report back with additional enhancements outlined in a final 90 day report.”
Information Security Media Group reported on Wednesday that at least 23 employee or contractor accounts were available on the Dark Web. The information included usernames – which were email addresses with the suffix “@lausd.net” – and passwords.
Many of the passwords were simple, such as “frenchfries” plus a number. At least one set of credentials unlocked an account for the district’s virtual private network service (see LA School District Accounts Appear on Dark Web Before Attack).
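The pattern ISMG describes, a dictionary word followed by a few digits, is easy to catch in a password audit before an initial access broker does. The following is an added example written for this article, not tooling used by LAUSD, Crowe or ISMG; the word list, the leetspeak map and the sample credentials are constructed here for illustration, and a real audit would load a large dictionary and breach corpus.

```python
"""Weak-password pattern audit (added example; constructed data only).

Flags passwords shaped like the ones the article describes: a common word
followed by a run of digits (e.g. "frenchfries" + a number), a bare dictionary
word, an all-digit value, or anything shorter than 12 characters.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed mini word list; a real audit would load a full dictionary.
COMMON_WORDS = {"frenchfries", "password", "welcome", "summer", "school", "lausd"}

# Common substitutions undone before the dictionary lookup ("p4ssw0rd").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

# Lazy word part so the digit suffix is as long as possible: "frenchfries" + "2022".
WORD_THEN_DIGITS = re.compile(r"^([a-z@$0-9]+?)(\d+)$")


def normalize(word: str) -> str:
    """Lowercase and undo leetspeak so 'P4ssw0rd' compares as 'password'."""
    return word.lower().translate(LEET)


def weak_reasons(pw: str) -> List[str]:
    """Return every reason a password should be rejected; empty means it passed."""
    reasons: List[str] = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if pw.isdigit():
        reasons.append("all digits")
    if normalize(pw) in COMMON_WORDS:
        reasons.append("dictionary word")
    m = WORD_THEN_DIGITS.match(pw.lower())
    if m and normalize(m.group(1)) in COMMON_WORDS:
        reasons.append(f"dictionary word '{m.group(1)}' followed by digits")
    return reasons


def audit(creds: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each account with a weak password to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for user, pw in creds:
        reasons = weak_reasons(pw)
        if reasons:
            flagged[user] = reasons
    return flagged


# Constructed sample credentials (hypothetical accounts, not real data).
SAMPLE_CREDS = [
    ("user1@example.org", "frenchfries2022"),
    ("user2@example.org", "P4ssw0rd1"),
    ("user3@example.org", "correct horse battery staple 9!"),
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_CREDS).items():
        print(f"{user}: {', '.join(reasons)}")
```

Run against a directory export or a password-change hook, the check rejects the "word plus number" shape outright rather than relying on length and character-class rules, which "frenchfries2022" would satisfy.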
Ransomware actors often purchase stolen account credentials from other cybercriminals known as initial access brokers. Ransomware gangs can then use that access to begin probing a victim’s network, steal data and then eventually launch file-encrypting malware.
Levin says that compromised login credentials represent a large problem for school districts. “That is one of the top ways we see school districts compromised,” he says.
Also on Thursday, the district denied that those credentials led to the ransomware attack, but it didn’t specify what did. A district spokeswoman declined to answer further questions.
“As a point of clarification, compromised email credentials reportedly found on nefarious websites were unrelated to this attack, as attested by federal investigative agencies,” the district’s news release says. “All compromised credentials have been fully deactivated to protect network integrity.”
Like many organizations, LAUSD was relentlessly targeted by phishing campaigns. These email and text message campaigns sought to trick people into divulging their login credentials. The targeting became particularly heavy around May, when the CIO, Katal, tweeted a warning.
[Embedded tweet from @LAUSDCIO, May 25, 2022; text not preserved on this page]
Such warnings are not unusual from companies and organizations trying to keep their users from being tricked into putting their networks at risk. The district also published examples. Many are the usual fare: work-from-home schemes and fake overdue payment warnings. But some were quite good, such as the one pictured below.
An example of a fairly well crafted phishing message that targeted LAUSD users.