OP 25 October, 2022 - 03:45 PM
The breach of LA Unified School District (LAUSD) highlights the prevalence of password vulnerabilities, as criminal hackers continue to use breached credentials in increasingly frequent ransomware attacks on education.
The Labor Day weekend breach of LAUSD brought significant districtwide disruptions to access to email, computers, and applications. It's unclear what student or employee data the attackers exfiltrated.
There is a significant trend in ransomware breaches in education, a highly vulnerable sector. The transitory nature of students leaves accounts and passwords vulnerable. The open environments schools create to foster student exploration and the relative naivete in the sector regarding cybersecurity invite attacks.
The breach at LAUSD and what happened afterward
Four days post-breach, reports came that criminals had offered credentials for accounts inside the school district's network for sale on the dark web months before the attack. The stolen credentials included email addresses with the suffix @lausd.net as the usernames and breached passwords.
LAUSD responded in its update that "compromised email credentials reportedly found on nefarious websites were unrelated to this attack, as attested by federal investigative agencies." The LAUSD breach report confirmed the FBI and CISA as investigators.
The FBI and CISA and facts surrounding the breach confirm that the threat actors likely used compromised credentials to gain initial access to the LAUSD network to assert control over increasingly privileged passwords.
The FBI and CISA had observed the Vice Society ransomware group, which took credit for the attack, using TTPs including "escalating privileges, then gaining access to domain administrator accounts." The ransomware group used scripts to change network account passwords to prevent the victim organization from remediating the breach.
Escalating privileges assumes attackers had privileges to escalate, meaning they already had access and compromised passwords at the outset of the attack.
As the FBI and CISA advisory explained, "Vice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications."
The LAUSD website advises account holders to access its MyData application at https://mydata.lausd.net, using their "Single Sign-On credentials (i.e., LAUSD email username and password). One way to make sure your Single Sign-On is working is to log on to 'Inside LAUSD' on the LAUSD homepage www.lausd.net."
https://thehackernews.com/2022/10/why-ra...e-and.html
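The post's central point is that the attackers' foothold was most likely a set of already-breached credentials. The usual defensive control is to screen passwords against a breach corpus without ever sending the full password or hash off the host, using the k-anonymity range scheme (send a 5-hex-character SHA-1 prefix, receive every breached suffix under it, match locally). The following Python is an added example written for this post, not code from the article or from LAUSD; the breach corpus and the account list are constructed inline so it runs offline, and the @lausd.net usernames are illustrative only.

```python
import hashlib

# Constructed sample breach corpus (NOT a real leak): full SHA-1 hex digests of
# passwords known to appear in breaches. A real deployment would load a
# published list (e.g. the HIBP Pwned Passwords offline set) instead.
_BREACHED_PLAINTEXTS = ["Password1", "Summer2022!", "lausd2022", "Welcome123"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXTS
}

PREFIX_LEN = 5  # k-anonymity prefix length used by HIBP-style range queries


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form used by breached-password range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str, corpus=BREACHED_SHA1):
    """Server side of a k-anonymity range query.

    The client sends only the first PREFIX_LEN hex characters; the server
    returns the remaining 35-character suffix of every breached hash that
    shares that prefix. The server never learns the full hash.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    prefix = prefix.upper()
    return sorted(h[PREFIX_LEN:] for h in corpus if h.startswith(prefix))


def is_breached(password: str, corpus=BREACHED_SHA1) -> bool:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    suffixes = range_lookup(digest[:PREFIX_LEN], corpus)
    return digest[PREFIX_LEN:] in suffixes


def contains_account_token(username: str, password: str) -> bool:
    """Reject passwords that embed the local part of the username or the domain
    label (e.g. 'lausd' for an @lausd.net address); these are trivially guessed
    from a leaked address list even when not in any breach corpus."""
    local, _, domain = username.lower().partition("@")
    org = domain.split(".")[0] if domain else ""
    pw = password.lower()
    tokens = [t for t in (local, org) if len(t) >= 4]
    return any(t in pw for t in tokens)


def audit_accounts(accounts, corpus=BREACHED_SHA1):
    """Return {username: reason} for every account whose password should be reset.

    `accounts` is an iterable of (username, password) pairs, as an IdP or
    password-reset hook would supply them at change time.
    """
    findings = {}
    for username, password in accounts:
        if is_breached(password, corpus):
            findings[username] = "password appears in breach corpus"
        elif contains_account_token(username, password):
            findings[username] = "password contains username or org token"
    return findings


if __name__ == "__main__":
    # Constructed accounts for illustration; not real LAUSD users.
    sample = [
        ("jdoe@lausd.net", "Password1"),               # in breach corpus
        ("asmith@lausd.net", "Tr0ub4dor&3-xq9!"),      # clean
        ("rlee@lausd.net", "RLee#LAUSD-2022"),         # embeds org token
    ]
    for user, reason in audit_accounts(sample).items():
        print("%s: %s" % (user, reason))
```

The design point is that `range_lookup` is the only piece that would cross a trust boundary; everything that handles the full hash or the plaintext stays in `is_breached` on the client. Wiring `audit_accounts` into a password-change hook is what stops credentials like the ones reportedly sold before the LAUSD incident from ever being set.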