Important Cybersecurity Alert (April 2016)
It has become apparent that the defining threat of the current age is ransomware, and that it has become a very large and lucrative business for criminals. No one is safe from this type of criminal activity, and no one is too small to be noticed. Several members of the Texas A&M University System have recently been targeted with the “Locky” ransomware.
Ransomware is a type of malware that infects a computer and restricts the user’s access to it. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts typically state that the computer has been locked or that all of the user’s files have been encrypted, and demand that a ransom be paid to restore access. The ransom is typically in the range of $100–$300, and is sometimes demanded in a virtual currency such as Bitcoin.
Ransomware is typically spread through phishing emails that contain malicious attachments, and through drive-by downloads. A drive-by download occurs when a user visits a compromised website and malware is downloaded and installed without the user’s knowledge. Crypto ransomware, the variant that encrypts files rather than merely locking the screen, is spread through the same methods and has also been spread through web-based instant messaging applications.
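As an added illustration (not part of the original alert, and not code from the Texas A&M System or any vendor), the following Python script shows the host-side signal that crypto ransomware leaves behind and that a file-server audit feed can be watched for: within seconds, one account rewrites many files across several directories and renames them all to a single new extension. The log format, the user names, the paths and the thresholds are assumptions made for the example, and the sample events are constructed, not real telemetry.

```python
"""Heuristic detection of a crypto-ransomware encryption burst in file-audit logs.

Added illustration for this alert, not code from the Texas A&M System or any
vendor. Assumed (hypothetical) log format, one event per line, no spaces in paths:
    <ISO-8601 timestamp> <user> WRITE  <path>
    <ISO-8601 timestamp> <user> RENAME <old_path> -> <new_path>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed tuning values; a real deployment would calibrate these per file server.
WINDOW = timedelta(seconds=60)  # sliding window per user
MIN_FILES = 10                  # distinct files renamed to one new extension...
MIN_DIRS = 2                    # ...spread over at least this many directories


def constructed_log():
    """Constructed sample events (not real telemetry): a normal user, a legitimate
    bulk rename inside one folder, and a user whose files are being encrypted."""
    lines = [
        "2016-04-12T09:01:05 jdoe WRITE /home/jdoe/thesis/ch1.docx",
        "2016-04-12T09:14:22 jdoe WRITE /home/jdoe/thesis/ch2.docx",
        "2016-04-12T09:40:10 jdoe RENAME /home/jdoe/thesis/draft.docx -> /home/jdoe/thesis/draft_v2.docx",
    ]
    # Benign: jdoe normalises 12 photo extensions inside a single directory.
    for i in range(12):
        lines.append(f"2016-04-12T11:00:{i:02d} jdoe RENAME "
                     f"/home/jdoe/photos/img{i}.jpeg -> /home/jdoe/photos/img{i}.jpg")
    # Malicious pattern: rsmith's documents of several types, in several
    # directories, are rewritten and renamed to one new extension within seconds.
    start = datetime(2016, 4, 12, 10, 2, 0)
    dirs, exts = ["grants", "papers", "admin"], [".xlsx", ".docx", ".pdf"]
    for i in range(12):
        ts = (start + timedelta(seconds=i)).isoformat()
        path = f"/home/rsmith/{dirs[i % 3]}/file{i}{exts[i % 3]}"
        lines.append(f"{ts} rsmith WRITE {path}")
        lines.append(f"{ts} rsmith RENAME {path} -> {path}.zzz")
    # Stable sort by timestamp keeps each WRITE before its RENAME.
    return sorted(lines, key=lambda l: l.split()[0])


def parse_line(line):
    """Return (ts, user, action, src, dst); dst is None unless action is RENAME."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    user, action, src = parts[1], parts[2], parts[3]
    dst = parts[5] if action == "RENAME" else None
    return ts, user, action, src, dst


def detect(lines, window=WINDOW, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Flag (user, new_extension) pairs whose rename activity looks like an encryption burst."""
    recent = defaultdict(deque)  # user -> deque of (ts, new_ext, directory, old_path)
    alerted, alerts = set(), []
    for line in lines:
        ts, user, action, src, dst = parse_line(line)
        if action != "RENAME":
            continue
        old, new = PurePosixPath(src), PurePosixPath(dst)
        # Only extension *changes* count; draft.docx -> draft_v2.docx is ignored.
        if not new.suffix or new.suffix == old.suffix:
            continue
        events = recent[user]
        events.append((ts, new.suffix, str(new.parent), src))
        while events and ts - events[0][0] > window:
            events.popleft()
        by_ext = defaultdict(list)
        for ev in events:
            by_ext[ev[1]].append(ev)
        for ext, evs in by_ext.items():
            files = {ev[3] for ev in evs}
            dirs = {ev[2] for ev in evs}
            if len(files) >= min_files and len(dirs) >= min_dirs and (user, ext) not in alerted:
                alerted.add((user, ext))  # alert once per user/extension pair
                alerts.append({
                    "user": user,
                    "new_ext": ext,
                    "files": len(files),
                    "dirs": sorted(dirs),
                    "orig_exts": sorted({PurePosixPath(ev[3]).suffix for ev in evs}),
                    "first_seen": evs[0][0].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Run it directly to print the single alert for the encrypting account. The legitimate bulk rename inside one folder does not trip the rule because of the directory-spread condition, but the heuristic is deliberately narrow: families that encrypt in place without renaming, or that throttle themselves below the threshold, will not be caught by it, so it belongs alongside, not instead of, attachment filtering and mail-gateway controls for the phishing vector described above.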
In a recent draft report on the targeting of higher-education institutions, DHS concluded that the primary threat to U.S. university and college networks was cybercrime in the form of “unwitting hosting of malicious activity, likely because the regular turnover of student network users and requirements for accessibility to the networks make the networks difficult to monitor and secure.” While we can certainly agree that this describes the situation we find ourselves in, it does not speak to the whole of the threat continuum. The report’s further point is the more important one: DHS also believes that malicious cybercriminals are targeting intellectual property and research. For the Texas A&M System and its members this is of equal importance, and we have proof that we have been targeted for that reason.
Here are two examples of this kind of criminal activity at U.S. universities and colleges:
- In February 2014, unknown cyber actors targeted departments at an identified U.S. university with phishing messages containing malicious links, according to FBI reporting. The computers of recipients who responded were infected with ransomware demanding between $50 and $500 to decrypt them.
- In early 2014, malicious cyber actors successfully executed an e-mail phishing attack against 166 employees at an identified U.S. university. The phishing message contained a malicious link to a fraudulent university website that, when accessed, prompted employees to provide PII associated with their financial accounts. The actors compromised the financial accounts of two employees and changed their direct deposit information so that money was delivered to an unspecified U.S. bank, resulting in financial losses for the employees, according to an FBI contact with excellent access.
The cybersecurity function here at The Texas A&M University System is focused on the following areas of cybersecurity:
- State & Federal Requirements (security + breach) – Texas Business & Commerce Code § 521.053, 1 TAC 202, 1 TAC 206, FERPA, FISMA, etc.
- Security through a shared-service model or Security Operations Center (SOC)
- Monitoring our networks and their current state
- International Requirements (TAMUS overseas)
- Legal matters when there is an investigation or forensic review
- Privacy issues
- Business issues (PCI, research granting, private donations, etc.)
- Intellectual Property (identification, valuation, security)
- Key personnel security (fraud, blackmail, extortion)
- Student information security
- Third Parties
- Physical Security
In many ways, though, even as we improve and harden our infrastructure to withstand attacks from known and unknown entities, the common thread that consistently exposes important information is our own people. We must continue to build our monitoring and defensive capabilities at the members and at the newly formed Security Operations Center (SOC) to provide good and complete security over our information assets, while also providing an environment that fosters collaboration and collegial relationships between genuine research and learning partners.