Threat Intelligence

11/30/2020

Baltimore County Public Schools Closed Due to Ransomware Attack

The incident struck the day before Thanksgiving and interfered with online classes for some 115,000 students, officials report.

Schools in the Baltimore County Public Schools (BCPS) system are closed Nov. 30 and Dec. 1 as officials investigate and remediate a ransomware attack that hit its network systems the day before Thanksgiving, pausing classes for some 115,000 students attending school online due to the pandemic.

Officials have not shared many details about how the attack started; however, a Baltimore Sun report indicates a school board meeting video stream was cut short Tuesday evening. Social media posts show teachers began to notice problems while entering grades later that night.

Some teachers said their files have a .ryuk extension on them, the report states, indicating Ryuk ransomware may be involved. Officials have not confirmed the presence of Ryuk, a type of ransomware that has grown prevalent this year and counts hospitals, local governments, and oil and gas facilities among its targets. There has been no confirmation of a ransom demand.

An investigation is underway. BCPS officials are reportedly working with state and federal law enforcement, as well as the Maryland Emergency Management Agency, to address the incident. County police have also communicated with the FBI Baltimore field office.

In the meantime, classes are on hold as the attack reportedly affected the BCPS website, email system, and grading system, officials say. Offices will stay open and staff will receive updates.

"Our focus today and for Monday and Tuesday is identifying and addressing student and staff device needs so that instruction can continue," BCPS officials wrote in a Nov. 29 tweet.

BCPS-issued Chromebooks were not affected in the attack, the officials report; students and staff may safely use these devices and Google accounts. However, officials request they do not use BCPS-issued Windows-based devices (HP Revolves or Probooks) until further notice.

Security Gaps Reported Days Before Attack
Days before the incident, Maryland state auditors found many security holes in the Baltimore County Public Schools' computer network.

The Office of Legislative Audits reports the BCPS internal network had 26 publicly accessible servers and that intrusion detection and prevention system coverage "did not exist" for untrusted encrypted traffic entering the network. Further, auditors say, BCPS network resources were not protected from improper access by students using the wireless network and high school computer labs.

"These publicly accessible servers, if compromised, could expose the internal network to attack from external sources," the audit report states. Auditors advise the school system to relocate all publicly accessible servers to a separate protected network zone to limit security exposures.

While it's unclear whether these weaknesses are connected to this incident, it's clear how the audit's findings could put the school system at risk. Several problems identified in the report could be used for initial compromise or for uninterrupted communication after the attacker breaks in.

"The audit found that the school system had no way of detecting or logging the kind of communications typically associated with ransomware [command-and-control] systems, and that servers inside the network had public Internet addresses with insufficient firewall protection," says Sean Gallagher, senior threat researcher with Sophos. These issues could have enabled an attacker to establish a foothold and send commands to spread across the network.
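The two audit findings quoted above, internal servers carrying public Internet addresses and no logging of traffic that looks like command-and-control, are both things a defender can check from an asset inventory and outbound flow records. The script below is an added example written for this page; it is not code from the audit, from BCPS, or from Sophos. The host names, addresses and flow records are all constructed sample data, and the RFC 1918 ranges used to decide what counts as "internal" are an assumption about the network, not a finding from the report. The TEST-NET documentation ranges stand in for public addresses.

```python
"""Two audit-style checks: servers with public addresses in the internal zone,
and outbound connections that recur at near-constant intervals (beaconing).
Example code added for this page; all data below is constructed."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: anything in these ranges is "internal"; everything else is treated
# as publicly routable. Adjust to the real addressing plan before use.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def is_internal_address(addr: str) -> bool:
    """True when the address falls inside one of the private ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


# Constructed inventory of hosts that are supposed to live in the internal zone.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used here in
# place of real public addresses.
INTERNAL_INVENTORY = {
    "grades-db01": "10.20.5.11",
    "mail-relay01": "10.20.5.12",
    "portal-web01": "198.51.100.23",
    "sis-app01": "203.0.113.40",
}


def publicly_addressed_servers(inventory: dict) -> list:
    """Names of 'internal' hosts whose address is not in a private range."""
    return sorted(name for name, addr in inventory.items()
                  if not is_internal_address(addr))


def constructed_flows() -> list:
    """Constructed outbound flow records: (timestamp, src, dst, dst_port)."""
    base = datetime(2020, 11, 24, 21, 0, 0)
    flows = []
    # One host contacts the same external address every 300 s with small jitter.
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 0]):
        flows.append((base + timedelta(seconds=300 * i + jitter),
                      "10.20.5.30", "203.0.113.77", 443))
    # Another host browses an external site at irregular, human-looking gaps.
    for offset in [0, 17, 95, 96, 410, 1300]:
        flows.append((base + timedelta(seconds=offset),
                      "10.20.5.31", "198.51.100.9", 443))
    # Regular internal database polling: frequent, but not an external C2 signal.
    for i in range(8):
        flows.append((base + timedelta(seconds=60 * i),
                      "10.20.5.31", "10.20.5.11", 1433))
    return flows


def find_beacons(flows: list, min_connections: int = 6, max_cv: float = 0.1) -> list:
    """Return (src, dst, port, mean_gap_seconds) for external destinations that a
    host contacts at least min_connections times with a coefficient of
    variation of the inter-connection gaps at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal_address(dst):
            continue  # only traffic leaving the network matters for this check
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for key, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append((*key, round(mean)))
    return findings


if __name__ == "__main__":
    print("Public addresses inside the internal zone:",
          publicly_addressed_servers(INTERNAL_INVENTORY))
    for src, dst, port, gap in find_beacons(constructed_flows()):
        print(f"Possible beacon: {src} -> {dst}:{port} roughly every {gap}s")
```

The interval check is deliberately simple: real beacons add jitter and real users occasionally look periodic, so in practice the thresholds are tuned against a baseline and the output feeds a review queue rather than an automatic block. The point the audit makes stands either way: without flow or proxy logging for outbound traffic, neither check can be run at all.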

Ransomware Operators Take Aim at Schools
This attack is one of many targeting educational institutions this year as cybercriminals take advantage of the broad shift to remote learning. Millions of students and teachers are logging on to school networks to take classes and complete assignments, and many of them use devices and systems riddled with vulnerabilities that could create an ideal attack vector.

In the past 30 days, the education sector was hit with 62.9% of all reported enterprise malware encounters, Microsoft data shows. This puts education far ahead of the second most popular target industry, business and professional services (9.31%).

Back in April, the FBI's Internet Crime Complaint Center (IC3) warned online education and remote work platforms of an increase in cyberattacks driven by a dependence on virtual tools linked to the COVID-19 pandemic. Over the summer, Louisiana governor John Bel Edwards declared a state of emergency after a series of cyberattacks against school districts in the state. Alabama's Houston County was hit in August; Virginia's Fairfax County was attacked in September.

Schools are especially vulnerable because, in addition to this expanded attack surface, their IT operations are usually underfunded, Gallagher points out. While the lack of resources leaves them exposed, many school districts have cyber insurance that will pay the ransom, increasing the likelihood of an incident.

"The attackers are not necessarily targeting the organizations based on their business model, but based on their vulnerability," he adds.

Security experts believe ransomware operators will keep targeting schools as long as they continue with remote learning, a shift that has made schools around the country "an even bigger target of opportunity than before as the stakes are higher and worth more money," says LogRhythm CSO James Carder. "If the technology is taken down, the business is completely stopped."

Carder strongly advises school districts to adopt a proactive approach to cybersecurity and enable network infrastructure to block malicious access attempts. Security pros also suggest creating a crisis plan and integrating cybersecurity and data protection protocols as a way to simplify the process of detecting attacks and recovering systems and data if they're infected.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
