Russian-speaking group of hackers is known for targeting schools and the education sector
By Kiran N. Kumar
Vice Society, a Russian-speaking group of hackers known for targeting schools and the education sector, has made public data stolen during a cyber attack against the Los Angeles Unified School District (LAUSD) after a failed bid to extort money.
The group had set a deadline of Oct 4 to pay the ransom and published the data, stating that the US Cybersecurity and Infrastructure Security Agency (CISA), the government agency assisting the district in responding to the breach, “wasted our time.”
The stolen data, posted to Vice Society’s dark web leak site, contains confidential information, including contract and legal documents, financial reports containing bank account details, health information, even Covid-19 test data, previous conviction reports, and psychological assessments of students, according to a TechCrunch report.
Over the past several years, American schools from kindergarten through 12th grade (K-12) have been frequent ransomware targets, with attacks disrupting admissions and examination systems and exposing a host of personal information about students and teachers.
Anticipating more attacks in 2022-23, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint Cybersecurity Advisory (CSA) to help defenders protect their networks, based on historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).
What is Vice Society?
Vice Society has been involved in intrusion, exfiltration, and extortion activities since summer 2021. Instead of using a ransomware variant of unique origin, Vice Society actors deploy versions of Hello Kitty/Five Hands and Zeppelin ransomware, and may deploy other variants in the future.
According to the CSA, Vice Society obtains initial network access through compromised credentials, by exploiting internet-facing applications, and then explores the network thoroughly, identifying opportunities to increase access and exfiltrating data for double extortion: forcing the victim to pay a ransom or face public release of sensitive data.
Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally. They have also used “living off the land” techniques targeting the legitimate Windows Management Instrumentation (WMI) service and tainting shared content, according to the FBI.
Vice Society actors have previously been observed exploiting the ‘PrintNightmare’ vulnerability to escalate privileges and to maintain persistence. They also leverage scheduled tasks, create undocumented auto-start Registry keys, and point legitimate services to their custom malicious dynamic link libraries (DLLs) through a tactic known as DLL side-loading.
Often, Vice Society actors evade detection by masquerading their malware as legitimate files, using process injection, and using other known evasion techniques to defeat automated checks for malware.
Essentially, they escalate privileges, gain access to domain administrator accounts, and then run scripts to change the passwords of the victim’s network accounts, leaving no room for remedial measures.
Mitigations
The FBI, CISA, and the MS-ISAC recommend that schools maintain strong liaison with the FBI Field Office in their region and their regional CISA Cybersecurity Advisor for help in identifying vulnerabilities, and recommend the following mitigations to limit potential compromise by Vice Society actors:
- Maintain offline backups of data to ensure the organization is not severely interrupted.
- Ensure all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.
- Ensure your backup data is not already infected.
- Review the security posture of third-party vendors within the organization and ensure suspicious activity is monitored.
- Implement secure listing policies for applications and remote access.
- Document and monitor external remote connections and probe immediately if an incident is detected.
- Implement a recovery plan to retrieve sensitive or proprietary data and servers in a physically separate, segmented, and secure location or cloud.
Password management
- Ensure all accounts with password logins comply with National Institute of Standards and Technology (NIST) standards.
- Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords.
- Implement multiple failed login attempt account lockouts.
- Disable password “hints”.
- Refrain from requiring frequent password changes.
- NIST guidance suggests favoring longer passwords over frequent password resets, as frequent resets lead users to develop password “patterns” that are easier for cyber criminals to decipher.
- Require administrator credentials to install software.
- Require phishing-resistant multifactor authentication, particularly for web mail, virtual private networks, and accounts that access critical systems.
- Review domain controllers, servers, workstations, and Active Directory for unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls.
- Implement time-based access for accounts set at the admin level. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model).
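One way to turn the account-review points above, together with the mass password changes described earlier in the article, into detection logic, as an added example that is not part of the advisory or this article: it parses constructed Windows Security event records (IDs 4720 account created, 4724 password reset attempt, 4728 member added to a security-enabled global group) in a simplified pipe-separated form and flags account creation by an unapproved actor, additions to admin groups, and bursts of password resets by one actor. The approved-admin list, group names, threshold and sample records are assumptions.

```python
"""Flag account-management events matching the Vice Society pattern:
new accounts, admin-group additions, and password-reset bursts.
Added example; the event lines are constructed samples in a simplified
'EventID|Time|Actor|Target|Group' form, not a real log export."""
from collections import Counter

# Constructed sample export (EventID|timestamp|actor|target account|group)
SAMPLE_EVENTS = """\
4720|2022-10-01T02:10:05|svc_backup|helpdesk2|
4728|2022-10-01T02:10:09|svc_backup|helpdesk2|Domain Admins
4724|2022-10-01T02:11:00|helpdesk2|jsmith|
4724|2022-10-01T02:11:01|helpdesk2|mlee|
4724|2022-10-01T02:11:02|helpdesk2|akhan|
4724|2022-10-01T02:11:03|helpdesk2|rbrown|
4720|2022-10-01T09:00:00|it_admin|newteacher|
"""

# Assumed allow-lists an IT team would maintain (hypothetical values)
APPROVED_ADMINS = {"it_admin"}
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RESET_BURST_THRESHOLD = 3  # resets by one actor before alerting

def parse_events(text):
    """Split the pipe-separated records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        eid, ts, actor, target, group = line.split("|")
        events.append({"id": int(eid), "ts": ts, "actor": actor,
                       "target": target, "group": group})
    return events

def find_alerts(events):
    """Return (alert_type, subject, detail) tuples in event order."""
    alerts = []
    resets = Counter()  # password resets per acting account
    for ev in events:
        if ev["id"] == 4720 and ev["actor"] not in APPROVED_ADMINS:
            alerts.append(("unapproved_account_creation", ev["actor"], ev["target"]))
        elif ev["id"] == 4728 and ev["group"] in ADMIN_GROUPS:
            alerts.append(("admin_group_addition", ev["target"], ev["group"]))
        elif ev["id"] == 4724:
            resets[ev["actor"]] += 1
            if resets[ev["actor"]] == RESET_BURST_THRESHOLD:  # alert once per actor
                alerts.append(("password_reset_burst", ev["actor"], resets[ev["actor"]]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```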
The advisory also recommends that organizations keep all operating systems, software, and firmware up to date, and disable unused ports, hyperlinks in emails, and command-line and scripting activities and permissions.
It further advises restricting the Server Message Block (SMB) Protocol within the network and removing outdated versions, as threat actors use SMB to propagate malware across organizations.
Now that the LA school district data has been made public, the FBI is seeking information from the public, including evidence of communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, or a benign sample of an encrypted file.
Further, the FBI, CISA, and the MS-ISAC strongly advise against paying the ransom, as it may embolden other adversaries to target additional organizations, and urge victims to report any incident to a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870.