Corvus Threat Intel
Ransomware Targets School Districts, Phishing-as-a-Service, & Cisco Vulnerability
Vice Society ransomware group targets education sector during back-to-school, phishing gets easier, and Cisco announces a vulnerability in routers.
FBI Warns of Ransomware Group Targeting School Districts
The FBI warned that the Vice Society ransomware gang is doubling down on attacks against the education sector. This comes on the heels of an incident involving the nation’s second-largest school district, in Los Angeles, for which Vice Society has claimed responsibility. The Vice Society ransomware gang has been active since the summer of 2021 and most often exploits vulnerabilities in externally facing devices to gain network access. So far this year there have been at least 50 ransomware attacks on the education sector, following a total of 88 in 2021 that encompassed 62 school districts.
Why This Matters
Vice Society may have identified something in the education sector which they think will increase their profits. This could be purely opportunistic, as school districts struggle to find the cybersecurity resources needed to keep their vulnerable systems up to date. It could also be that attackers have identified more consistent payouts by victimizing a vulnerable population — school children. Perhaps organizations are more apt to pay a ransom demand to keep sensitive student data hidden. In any case, schools can implement the same protections Corvus recommends to mitigate attacks: a regular patching cadence, phishing-resistant MFA, and backups.
- The State of Ransomware in the US: Report and Statistics 2021 (Emsisoft)
- Vice Society ramping up ransomware in US education sector (The Register)
- Vice Society claims LAUSD ransomware attack, theft of 500GB of data (BleepingComputer)
Phishing-as-a-Service with MFA Bypass
Cybercriminals continue to automate and scale their operations. One recent example was uncovered by researchers from Resecurity who discovered a new Phishing-as-a-Service (PhaaS) operation called EvilProxy advertised on the Dark Web. The tool is subscription-based and lowers the barrier to entry for would-be cybercriminals. This advanced phishing kit includes automated methods for bypassing MFA including reverse proxy and cookie injection. The tool even comes with video tutorials for operation. Phishing kits have long been available for purchase, but this represents a worrying development that automates MFA bypass and includes built-in modules for evading detection.
Why This Matters
Threat actors continue productizing their operations. While MFA bypass might have been a novel method for more skilled attackers in the past, self-contained kits like these allow would-be hackers without technical skills to bypass MFA in an affordable and scalable manner. Businesses need to stay one step ahead by migrating to phishing-resistant MFA.
It Might be Time for a New Router: Cisco Won’t Patch Authentication Bypass (CVE-2022-20923) Vulnerability in Routers
Cisco has confirmed that a new authentication bypass vulnerability (CVE-2022-20923) affecting small business VPN routers will not receive a patch. The vulnerability stems from improper password validation, and a successful exploit could allow an attacker to bypass authentication and access the IPSec VPN network. The affected devices have reached end-of-life (EoL), and Cisco recommends that customers still using the affected RV110W, RV130, RV130W, and RV215W routers upgrade to newer devices. According to BleepingComputer, this isn’t the first serious vulnerability that Cisco has left unpatched on these aging RV routers. In August 2021, Cisco informed customers it would not patch CVE-2021-34730, a vulnerability enabling unauthenticated users to execute arbitrary code. In June 2022, the company did the same for another new remote code execution vulnerability, CVE-2022-20825.
Why This Matters
Keeping up with vulnerabilities and patches is important, but EoL schedules are another dimension that deserves the same attention. CVE-2022-20923 is just the latest of several vulnerabilities in these routers that will go unpatched. These devices may be more of a liability than an asset for those who persist in using them.
- Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers IPSec VPN Server Authentication Bypass Vulnerability
This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.