The Second Largest School District in the U.S. Falls Victim to Cyberattack

DESCRIPTION

The second largest school district in the U.S. experienced a cyberattack over the Labor Day weekend. The Los Angeles Unified School District (LAUSD) has more than 1,000 schools, 26,000 teachers and 600,000+ students. The attack is attributed to a Russian ransomware group calling itself Vice Society. The group is known for double-extortion ransomware attacks that exploit the Windows PrintNightmare vulnerability.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have published an advisory warning that Vice Society was targeting K-12 districts. Shortly after the attack, LAUSD was sent a ransom demand by the Russian gang. While the amount of the requested ransom remains undisclosed, it is reportedly large. When LAUSD did not give in to Vice Society's payment demands, the group released 500 gigabytes of files on its leak site as proof that it had exfiltrated school system data. LAUSD Superintendent Alberto Carvalho stated that most of the exposed student data consisted of names, personal addresses, and academic information covering a 3-year period. Thus far, the attackers are not believed to have obtained social security numbers (SSNs), payroll, health information or other highly sensitive data types. Despite experiencing some system disruptions from the attack, LAUSD has managed to keep all its schools open without interruption.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

A spokesperson for the school district said that its IT department detected unusual activity on its network over the Labor Day weekend. By Saturday evening, it was confirmed that the activity was from an external cyberattack, at which point all computer systems were shut down. Since then, the school district has been in contact with the Russian perpetrators. School administrators indicated that students and teachers could potentially experience outages with email service and personal storage devices. They did not elaborate on what other services were impacted. On September 8th LAUSD reported that it was making great progress toward full operational stability. The means of the Vice Society's initial intrusion into the LAUSD network has not been released. However, this is not the first known compromise of the LAUSD network.

CONTAINMENT (If IoCs are identified)

Due to the size and importance of LAUSD, the district has received assistance from several government agencies including the US Department of Education, the FBI, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The White House has also been in touch with school officials since the attack. LAUSD leadership has notified all students and staff that they must reset the passwords for their school accounts while physically on campus. A multifactor authentication (MFA) system was implemented by LAUSD within two weeks of the attack. All employees and contractors are now required to use MFA as part of the logon authentication process. The superintendent has put together an independent IT task force to review all previous network audits and reports, including a cybersecurity assessment and external penetration assessment conducted by the Inspector General in 2021.

PREVENTION

As mentioned, the Russian ransomware group often exploits the Windows PrintNightmare vulnerability, which allows attackers to obtain local SYSTEM privileges on a machine in order to further an attack. This vulnerability dates to the summer of 2021. Microsoft has released a patch that protects against the PrintNightmare vulnerability. Unpatched systems are highly susceptible to cyberattacks, which is why organizations must be vigilant in their patching and updating efforts. PrintNightmare is a classic example of the exploitation of unnecessary or elevated user privileges, and the principle of least privilege (PoLP) applies: users should be restricted to the minimum privileges required to do their jobs. While it is convenient to assign local admin rights and elevated privileges to regular users across the board, doing so goes against best practice. When a privileged account is compromised by an external threat actor, the perpetrator gains the same rights and privileges as the targeted user. Ensuring that users have only the privileges necessary to perform their job functions reduces the opportunity for the organization to be compromised. While the fix that Microsoft has released makes it less convenient for standard users to install a printer, that extra effort is more than offset by the increased security it provides.
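The following PowerShell audit script is an added example and is not part of the HALOCK briefing or any LAUSD material. It checks a Windows host for the hardening the paragraph above refers to: the Point and Print policy values that Microsoft's PrintNightmare fix uses to restrict printer driver installation to administrators, whether the Print Spooler service is running, and the most recently installed updates so the patch level can be confirmed. The registry path and value names are Microsoft's documented policy settings; the decision about whether a given host actually needs the spooler is an assumption left to the operator, and no KB numbers are hard-coded because they vary by OS build.

```powershell
# Added example (not from the original briefing): audit a Windows host for the
# PrintNightmare mitigations. Run in an elevated PowerShell session.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Expected values once the fix is applied and enforced by policy:
# driver installation restricted to admins, and no Point and Print
# elevation/warning bypasses enabled.
$expected = @{
    RestrictDriverInstallationToAdministrators = 1
    NoWarningNoElevationOnInstall              = 0
    UpdatePromptSettings                       = 0
}

function Get-PointAndPrintValue {
    param([string]$Name)
    if (-not (Test-Path $policyPath)) { return $null }
    $item = Get-ItemProperty -Path $policyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = foreach ($name in $expected.Keys) {
    $actual = Get-PointAndPrintValue -Name $name
    # A missing value means the patched default applies (restricted), but it is
    # flagged for REVIEW so the setting is made explicit through policy rather
    # than relying on a default that a later policy could override.
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status   = if ($actual -eq $expected[$name]) { 'OK' } else { 'REVIEW' }
    }
}

$findings | Format-Table -AutoSize

# Spooler exposure: the Print Spooler service is the component PrintNightmare
# targets, so a host that does not serve printers should not run it.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -ne $spooler) {
    "Print Spooler service is $($spooler.Status) (StartType: $($spooler.StartType))"
    if ($spooler.Status -eq 'Running') {
        'If this host does not serve printers, stop and disable it:'
        '  Stop-Service Spooler; Set-Service Spooler -StartupType Disabled'
    }
}

# Patch level: list the most recent installed updates so the PrintNightmare fix
# can be matched against Microsoft's advisory for this OS build.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```

Any row reported as REVIEW, a running spooler on a host with no print role, or a missing update for the build are the three findings worth escalating; the same checks can be rolled into a configuration-management or endpoint-compliance job so drift is caught rather than discovered during an incident.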

You can proactively strengthen your Incident Response Readiness (IRR) in preparation for cybersecurity events by conducting a security risk assessment. Risk assessments help identify areas of risk and point out opportunities for improvement to prevent or limit the impact of malware attacks.

HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.