Cybersecurity for the education industry has always been a unique challenge. Universities often store personal, financial, and even health information of students and staff, as well as the intellectual property that comes with research and curriculum. Threat actors have always focused on the most valuable, most protected data to increase their chances of turning a profit. Be it either through ransomware or through listings on the dark web, data of this nature never fails to sell. This makes higher education institutions a much larger target than other domains for ransomware attacks.
The data that many universities are required to have (and to secure) is extremely valuable to threat actors, and when ransomware strikes a university, the consequences can be devastating. Tetra Defense recognizes these unique challenges, as just last year we were called by a cyber insurance carrier partner to assist in investigating a ransomware attack on a university.
A Known Culprit
For many higher education institutions, the primary worries before classes start are of move-in day logistics, orientation weekend programming, if there are enough free t-shirts for the incoming students, and the like. Those worries drastically changed in this case after a successful ransomware attack took the institution’s network down, bringing much of the operation to a grinding halt.
Tetra was notified of the incident and immediately gathered a team to conduct a scoping call. The primary objectives for the call were: to hear the firsthand account of the incident from the IT director and technical staff, use a series of questions to gauge external vulnerabilities that may be the source of root compromise, identify critical systems and backup configuration, and explain the best next steps to eradicate the threat, preserve evidence, and pursue restoration.
Tetra learned the attack was by a group utilizing a ransomware strain known as “Defray777,” which often targets universities and healthcare institutions. Over the course of just three weeks, the threat actor group was able to take hold of the network including Windows Admin user credentials and backup credentials.
Evidence indicated use of Cobalt Strike: a security tool that is often used, ironically, by attack groups. The tool receives commands via HTTPS and executes them on compromised systems, allowing threat actors to interact with and control the compromised systems. After the scoping call with relevant parties, Tetra collected evidence of critical systems, Windows, and other available logs.
Based on information known about the attack vector, the credentials were likely collected using tools such as MIMIKATZ on systems that were forced to use legacy authentication protocols. By gaining Admin access, the threat actor was able to rapidly spread the Cobalt Strike across the network. The threat actors logged into the server using RDP (Remote Desktop Protocol) with the intent to delete backups in order to increase the chance of collecting a cyber extortion payment. Once the backups were gone, the threat actor deployed the ransomware, which encrypted critical servers and workstations.
Microsoft PowerShell commands were executed via a specially crafted script that was obfuscated to avoid detection of the anti-malware programs existing on these systems. This is commonly referred to as “fileless malware;” the program itself is directly written to memory and leaves little to no traces on the filesystem. In this case, the PowerShell script was designed to deploy Cobalt Strike. The script directly loads the shellcode into memory, it then begins communication with the command and controller server to give it full system control.
“This case was complex in many ways,” says Nathan Little, Vice President of Digital Forensics and Incident Response. “This university had a fantastic internal IT team — one of the best we’ve ever worked with. They were completely capable, professional, and knowledgeable, so it just goes to show how attacks can occur in even the most protected environments.” Internal and external evidence led us to believe that the servers with sensitive information showed no sign of a Cobalt Strike infection and were not encrypted during the attack. A helpful safeguard that these servers had in place is called Object Access Logging, which tracks which users have access files stored on file shares.
Because this university had a great team on hand, once Tetra’s investigation was underway, we were able to work collaboratively with them to best advise how to get their systems back online — all in time for classes. “Our main role was advising and quarterbacking the response effort. We could indicate which systems needed to be reformatted and re-built, and which systems were clean to leave in place, and how to do that most efficiently,” adds Nathan. While rebuilding, we were able to contact the university’s 3rd-party vendors, clearly prioritize their needs, and let them know every step of the way which path was the safest to take in terms of recovery.
Protection safeguards were quickly put in place: usernames and passwords were changed, and the university reduced their potential attack surface by removing Remote Access Tools without multi-factor authentication or other restrictions. All workstations were updated to increase security posture, and an anti-malware defense tool was deployed to all systems to provide further protection.
All discovered attacker actions were simply attempts to destroy backups, infect as many systems as possible, and prepare to deploy the ransomware for the purpose of cyber extortion. Any situation where data was not stolen, and therefore not in the hands of a threat actor, is considered a silver lining. Although the Cobalt Strike software contains the capability to exfiltrate data while leaving very little evidence behind, the timing of the infection suggested that this threat actor did not compromise any data. The threat actor’s only motivation was to encrypt as much as possible to increase the chance that the university would need to pay the ransom.
This attack occurred on the university just three days before classes were meant to begin for that semester. Even though this attack infected the school’s entire network, and despite the unsettling nature of ransomware itself, the collaboration between Tetra’s team and the school’s IT team led them to a solution that did not impact classes. No protection plan is perfect — attacks can and will still happen to the best of the best. In this case, being able to share information, strategically prioritize next steps, and continuously collaborate is what kept school in session.