Threat Intelligence

11/30/2020
05:30 PM
Baltimore County Public Schools Closed Due to Ransomware Attack

The incident struck the day before Thanksgiving and interfered with online classes for some 115,000 students, officials report.

Schools in the Baltimore County Public Schools (BCPS) system are closed Nov. 30 and Dec. 1 as officials investigate and remediate a ransomware attack that hit its network systems the day before Thanksgiving, pausing classes for some 115,000 students attending school online due to the pandemic.

Officials have not shared many details about how the attack started; however, a Baltimore Sun report indicates a school board meeting video stream was cut short Tuesday evening. Social media posts show teachers began to notice problems while entering grades later that night.

Some teachers said their files have a .ryuk extension on them, the report states, indicating Ryuk ransomware may be involved. Officials have not confirmed the presence of Ryuk, a type of ransomware that has grown prevalent this year and counts hospitals, local governments, and oil and gas facilities among its targets. There has been no confirmation of a ransom demand.

An investigation is underway. BCPS officials are reportedly working with state and federal law enforcement, as well as the Maryland Emergency Management Agency, to address the incident. County police have also communicated with the FBI Baltimore field office.

In the meantime, classes are on hold as the attack reportedly affected the BCPS website, email system, and grading system, officials say. Offices will stay open and staff will receive updates.

"Our focus today and for Monday and Tuesday is identifying and addressing student and staff device needs so that instruction can continue," BCPS officials wrote in a Nov. 29 tweet.

BCPS-issued Chromebooks were not affected in the attack, the officials report; students and staff may safely use these devices and Google accounts. However, officials request they do not use BCPS-issued Windows-based devices (HP Revolves or Probooks) until further notice.

Security Gaps Reported Days Before Attack
Days before the incident, Maryland state auditors found many security holes in the Baltimore County Public Schools' computer network.

The Office of Legislative Audits reports the BCPS internal network had 26 publicly accessible servers and that intrusion detection and prevention system coverage "did not exist" for untrusted encrypted traffic entering the network. Further, auditors say, BCPS network resources were not protected from improper access by students using wireless networks and high school computer labs.

"These publicly accessible servers, if compromised, could expose the internal network to attack from external sources," the audit report states. Auditors advise the school system to relocate all publicly accessible servers to a separate protected network zone to limit security exposures.

While it's unclear whether these weaknesses are connected to this incident, it's clear how the audit's findings could put the school system at risk. Several problems identified in the report could be used for initial compromise or for uninterrupted communication after the attacker breaks in.

"The audit found that the school system had no way of detecting or logging the kind of communications typically associated with ransomware [command-and-control] systems, and that servers inside the network had public Internet addresses with insufficient firewall protection," says Sean Gallagher, senior threat researcher with Sophos. These issues could have enabled an attacker to establish a foothold and send commands to spread across the network.
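The audit finding above, publicly routable addresses on hosts that sit inside the internal network and lack inbound filtering, is the kind of thing an inventory check can flag before an attacker does. The following is an added example, not code from the article, the audit or BCPS; the zone labels, the inventory entries and the choice of RFC 1918 plus loopback and link-local as the "non-public" blocks are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Address blocks treated as "not publicly routable" for this check.
# Assumption: the internal network is expected to use RFC 1918 space;
# loopback and link-local are included so they are never flagged.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

@dataclass
class Server:
    name: str
    ip: str
    zone: str                 # hypothetical labels: "internal" or "protected"
    inbound_filtered: bool    # True if a firewall restricts inbound traffic

def is_public(ip: str) -> bool:
    """True when the address falls outside every block in NON_PUBLIC."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)

def audit_exposure(servers):
    """Flag hosts that match the audit finding: a publicly routable address
    on the internal network, or one reachable with no inbound filtering.
    Returns a list of (server name, issue) tuples, one per problem."""
    findings = []
    for s in servers:
        if not is_public(s.ip):
            continue
        if s.zone != "protected":
            findings.append((s.name, "public address inside internal network; move to protected zone"))
        if not s.inbound_filtered:
            findings.append((s.name, "public address with no inbound filtering"))
    return findings

# Constructed inventory (not BCPS data). IETF documentation ranges stand in
# for public addresses so the sample stays fictional.
INVENTORY = [
    Server("grades-db",  "10.20.5.14",   "internal",  True),
    Server("web-portal", "203.0.113.10", "protected", True),
    Server("legacy-app", "198.51.100.7", "internal",  False),
    Server("lab-files",  "192.0.2.25",   "internal",  True),
]

if __name__ == "__main__":
    for name, issue in audit_exposure(INVENTORY):
        print(f"{name}: {issue}")
```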

Ransomware Operators Take Aim at Schools
This attack is one of many targeting educational institutions this year as cybercriminals take advantage of the broad shift to remote learning. Millions of students and teachers are logging on to school networks to take classes and complete assignments, and many of them use devices and systems riddled with vulnerabilities that could create an ideal attack vector.

In the past 30 days, the education sector was hit with 62.9% of all reported enterprise malware encounters, Microsoft data shows. This puts education far ahead of the second most popular target industry, business and professional services (9.31%).

Back in April, the FBI's Internet Crime Complaint Center (IC3) warned online education and remote work platforms of an increase in cyberattacks driven by a dependence on virtual tools linked to the COVID-19 pandemic. Over the summer, Louisiana governor John Bel Edwards declared a state of emergency after a series of cyberattacks against school districts in the state. Alabama's Houston County was hit in August; Virginia's Fairfax County was attacked in September.

Schools are especially vulnerable because, in addition to this expanded attack surface, their IT operations are usually underfunded, Gallagher points out. While the lack of resources leaves them exposed, many school districts have cyber insurance that will pay the ransom, increasing the likelihood of an incident.

"The attackers are not necessarily targeting the organizations based on their business model, but based on their vulnerability," he adds.

Security experts believe we'll continue to see ransomware operators target schools that continue with remote learning, a shift that has made schools around the country "an even bigger target of opportunity than before as the stakes are higher and worth more money," says LogRhythm CSO James Carder. "If the technology is taken down, the business is completely stopped."

Carder strongly advises school districts to adopt a proactive approach to cybersecurity and enable network infrastructure to block malicious access attempts. Security pros also suggest creating a crisis plan and integrating cybersecurity and data protection protocols as a way to simplify the process of detecting attacks and recovering systems and data if they're infected.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...