Current Threats Targeting The Education Sector

Current Threats Targeting The Education Sector

The educational institution networks continue to be a favourite playground for cyber criminals. This is because of the age and interests of  most educational users. These networks tend to incorporate cutting edge technologies and strategies.

At the same time, those students also tend to push hard against network restrictions, looking for workarounds to access data and applications that IT administrators may have restricted. To do that, a disproportionate number of users begin cutting their teeth on things like hacking.

In an effort to help education-industry security professionals in their efforts to protect their environments from malicious intrusions and data breaches, Solista have done their research for you and have provided a quick rundown on nine of the newest, most frequently encountered, and most dangerous threats currently active in the education sector:

ZeroAccess Botnet is Trojan horse malware that affects Microsoft Windows operating systems. It’s used to download other malware into an infected machine using a botnet that previously had been associated with bitcoin mining and click fraud. It’s designed to remain hidden on targeted systems using rootkit techniques.

The Andromeda Botnet, also known as Gamarue, is an HTTP-based botnet first spotted in late 2011, and it has been observed to drop other malware, such as ZeuS, Torpig, and Fareit, into infected systems. As a modular bot, Andromeda simply consists of a loader that downloads modules and updates from its command and control (C&C) server during execution. The loader has both anti-virtual machine and anti-debug features. It injects itself into otherwise trusted processes to hide, and then delete, the original bot. The bot often hibernates for several days to months between communications with its C&C server, making it difficult to detect or to obtain information about what kind of malicious content traffic travels between an infected system and the C&C server.

The new Mirai Botnet looks suspiciously like another Mirai variant. That’s because while the authors of the Mirai botnet were eventually caught, it was not before they made their code public, so we will probably continue to see variants of this attack for the foreseeable future.  This particular malware attacks Huawei network gear and aims to create botnets. It’s interesting that the Mirai malware platform continues to be used for integrating various other malware packages and attack vectors.

The W32/MS04028.fam! exploit is classified as malware using a known Windows XP vulnerability. This particular exploit leverages a buffer overrun in the Graphics Device Interface (GDI) processing library in Windows XP, allowing malicious code execution that appears authorized by the current user of the system. W32/MS04028.fam! should have faded out years ago, but it remains a force to be reckoned with because many educational institutions still use legacy applications that only run on Windows XP,

The W32/StartPage.NIK!tr malware arrives as a .CAB file, which is a Windows format for self-contained installable software such as device drivers or system files. Although this malware is almost three years old, we are still seeing it target educational institutions worldwide.

Riskware/BitCoinMiner93EA malware is used to mine bitcoins by stealing unused CPU cycles from an infected computer. Initially observed on December 10, 2017, bitcoin mining often involves unauthorized appropriation of computer processing, communications, and file resources to perform actions required to maintain the block chain operations needed to maintain the public ledgers of bitcoin transactions. These can consume extreme amounts of computing power and electricity – the computing equivalent of illegally siphoning fuel from a car.

Bash.Function.Definitions.Remote.Code.Execution is another name for the shellshock vulnerability. It allows for remote code execution when exploited. The most likely avenue for this attack involves a user crafting the parameters of an HTTP connection utilizing the HTML Common Gateway Interface (CGI). An attacker could exploit web servers using Bash shell scripts to inject malicious code into computer memory and processing resources.

Apache.Tomcat.Arbitrary.JSP.file.Upload indicates an attack attempt against a code execution vulnerability in the Apache Tomcat Java language support software that is installed on millions of computers. The successful exploitation of this vulnerability could lead to a full system compromise by an attacker.

Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution is another attack seeking to exploit a remote code execution vulnerability in the Apache Struts application design framework. It should be noted that this is the vulnerability that was notoriously used to compromise Equifax. A remote attacker may be able to exploit this vulnerability to execute arbitrary malicious code within the context of an otherwise trusted application. As with the vulnerability listed in #8, above, this exploit could lead to a full system compromise.

If you would like to find out more on how Solista is working with educational institutions please contact us below.