A ransomware attack that knocked the Baltimore County Public Schools (BCPS) system offline for several days last week focused attention on the heightened threat activity directed at school networks since the pandemic forced a mass shift to distance learning this year.
A new report from Armis this week suggests that many schools may be making it easier for threat actors to execute such attacks by allowing numerous devices to connect to their network in an insecure and unmanaged fashion.
Armis' report is based on recent engagements with multiple K–12 school districts around the country. In many instances, the vendor found a larger-than-expected and more-varied collection of unmanaged devices connected to the school networks.
One Arizona K–12 school district, for instance, had at least 47 videogame consoles, five Wi-Fi Pineapple devices — often used by pentesting teams — and three rogue access points on its network. Armis discovered many of the consoles were exposing the school district's network to the gaming community. The devices belonged to both students and faculty and presented a major risk because they're relatively easily exploitable if the Universal Plug and Play protocol is enabled on the gaming console, says Curtis Simpson, CISO at Armis.
The Wi-Fi Pineapples and other devices on the network similarly exposed the school district to a wide variety of external threats.
In another school district, Armis discovered as many as 239 connected building automation systems that all had a set of vulnerabilities, collectively referred to as URGENT/11, in them. The remotely exploitable vulnerabilities, which Armis discovered last year, exist in millions of devices running VxWorks and several other real-time operating systems. According to Armis, the school district's security team wasn't aware of the vulnerabilities and the fact that it had so many exploitable devices on its network.
Simpson says it's likely that such building automation system devices were present on school networks before the pandemic began. But the fact that many are left unmonitored presents a risk, especially with the heightened attention that attackers are paying to school networks. "Attackers will often look to exploit such services or devices within this type of environment, knowing that they are rarely monitored in such a manner that would allow the school system or any other target to identify the compromise," Simpson notes. One school district in Florida had multiple smartphones serving as point-of-sale devices on its network.
Simpson says the biggest difference between school networks before the pandemic began and now is the sheer number of devices that are connected to them. "In many cases, personal devices — versus those issued by the school system — are also being used to access school system networks and services," Simpson says. "These devices are not being managed by the school system and are often missing standard controls — such as modern antivirus — to safeguard against such attacks."
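The common thread in the findings above is a gap between what is on the network and what the school system knows it manages. The script below is an added illustration, not code from Armis or from the article, of how a defender can reconcile observed endpoints against an approved asset inventory and surface the classes of device the report calls out: unmanaged personal devices, consoles advertising UPnP (seen as SSDP traffic), and building automation systems that need monitoring and patch verification. Every MAC address, prefix, IP and service name is constructed; the locally administered prefixes stand in for the vendor OUIs a real deployment would look up in the IEEE registry.

```python
"""Reconcile observed network endpoints against a managed-asset inventory.

Added example, not from Armis or the article. All MACs, prefixes, IPs and
service names are constructed placeholders.
"""
from dataclasses import dataclass, field

# Constructed: school-issued (managed) assets keyed by MAC address.
MANAGED_ASSETS = {
    "02:aa:00:00:00:01": "lab-pc-01",
    "02:aa:00:00:00:02": "lab-pc-02",
    "02:bb:00:00:00:10": "hvac-controller-3",
}

# Constructed: MAC prefixes mapped to a device class. A real deployment
# would use vendor OUIs from the IEEE registry instead of these placeholders.
DEVICE_CLASS_BY_PREFIX = {
    "02:bb:00": "building-automation",
    "02:cc:00": "game-console",
    "02:dd:00": "building-automation",
    "02:ee:00": "smartphone",
}


@dataclass
class Observation:
    """One endpoint as seen by passive discovery (DHCP/ARP plus service hints)."""
    mac: str
    ip: str
    services: frozenset = frozenset()  # e.g. {"ssdp"} when UPnP discovery is seen


@dataclass
class Finding:
    mac: str
    ip: str
    device_class: str
    managed: bool
    flags: list = field(default_factory=list)


def device_class(mac: str) -> str:
    """Classify by the first three octets; unknown prefixes fall through."""
    return DEVICE_CLASS_BY_PREFIX.get(mac.lower()[:8], "unknown")


def assess(obs: Observation) -> Finding:
    """Attach risk flags to a single observed endpoint."""
    mac = obs.mac.lower()
    managed = mac in MANAGED_ASSETS
    cls = device_class(mac)
    flags = []
    if not managed:
        flags.append("unmanaged")          # personal or rogue device, no standard controls
    if "ssdp" in obs.services:
        flags.append("upnp-enabled")       # UPnP advertised, as on the consoles in the report
    if cls == "building-automation":
        flags.append("verify-monitored-and-patched")  # often present but unmonitored
    return Finding(mac, obs.ip, cls, managed, flags)


def triage(observations) -> list:
    """Return findings ordered by number of flags, unmanaged first, then by MAC."""
    findings = [assess(o) for o in observations]
    return sorted(findings, key=lambda f: (-len(f.flags), f.managed, f.mac))


def summarize(findings) -> dict:
    """Count unmanaged endpoints per device class for a quick inventory gap view."""
    counts = {}
    for f in findings:
        if not f.managed:
            counts[f.device_class] = counts.get(f.device_class, 0) + 1
    return counts


# Constructed sample discovery data: one managed PC, two consoles (one with UPnP),
# an unknown building controller, a managed HVAC controller and a phone.
SAMPLE_OBSERVATIONS = [
    Observation("02:aa:00:00:00:01", "10.20.1.10", frozenset({"smb"})),
    Observation("02:cc:00:00:00:42", "10.20.1.77", frozenset({"ssdp", "http"})),
    Observation("02:cc:00:00:00:43", "10.20.1.78"),
    Observation("02:dd:00:00:00:07", "10.20.5.7", frozenset({"http"})),
    Observation("02:bb:00:00:00:10", "10.20.5.3", frozenset({"bacnet"})),
    Observation("02:ee:00:00:00:99", "10.20.2.99", frozenset({"https"})),
]

if __name__ == "__main__":
    results = triage(SAMPLE_OBSERVATIONS)
    for f in results:
        print(f"{f.ip:<12} {f.mac} {f.device_class:<20} managed={f.managed} {f.flags}")
    print("unmanaged by class:", summarize(results))
```

The value of this kind of reconciliation is the diff, not the list: a console count that jumps between runs, or a building-automation class that appears with no entry in the managed inventory, is exactly the situation Armis describes the district's security team not knowing about. In practice the `Observation` records would come from DHCP leases, switch MAC tables or a network access control system rather than a hard-coded list.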
Attacks on school networks such as the one on BCPS last week have surged since the pandemic forced a shift to remote learning at many school districts around the country this year. According to Microsoft, some 63% of the malware attacks that it encountered over the past 30 days have involved devices at educational institutions. A report in April by Armor showed schools and colleges being targeted much more heavily in cyberattacks this year compared with organizations in any other sector.
Security researchers have pointed to several reasons for the surge in attacker interest in school networks. Among them is the fact that school networks remain relatively easy to break into compared with other networks. In a distance-learning environment, attackers have also discovered that schools are likely to accede to ransomware demands more readily than organizations in other sectors.