Lucene search

K
talosblogJon Munshaw ([email protected])TALOSBLOG:8702885301AC5E41DC818B2EF245CC29
HistorySep 15, 2022 - 6:00 p.m.

Threat Source newsletter (Sept. 15, 2022) — Teachers have to be IT admins now, too

2022-09-1518:00:00
Jon Munshaw ([email protected])
blog.talosintelligence.com
11

_By Jon Munshaw. _

Welcome to this week’s edition of the Threat Source newsletter.

Public schools in the United States already rely on our teachers for so much — they have to be educators, occasional parental figures, nurses, safety officers, law enforcement and much more. Slowly, they’re having to add “IT admin” to their list of roles.

Educational institutions have increasingly become a target for ransomware attacks, an issue already highlighted this year by a major cyber attack on the combined Los Angeles school district in California that schools are still recovering from.

Teachers there reported that during the week of the attack, they couldn’t enter attendance, lost lesson plans and presentations, and had to scrap homework plans. Technology has become ever-present in classrooms, so any minimal disruption in a school’s network or software can throw pretty much everything off.

The last thing teachers need to worry about now is defending against a well-funded threat actor who may live thousands of miles away — but we’re not making it easy on them.

I asked my mom about this, who is a paraeducator for kindergarten students, and she told me each of her students (keep in mind these are mostly 5- and 6-year-olds) has their own Chromebooks that they bring to and from home and use for homework assignments. The elementary school she works at has more than 500 students enrolled across six grades, and yet there’s only one person for the whole school who acts as their overall IT and network administrator. That’s one person to manage 500-plus laptops and even more devices like iPads and smartboards as you get into the older grades. Many working adults still need to be educated about the dangers of cyber attacks or how to spot a spam text, how can we have the same expectations from kindergarteners?

I’m not saying this is a simple issue to fix — it would cost millions of dollars to invest in security infrastructure at schools across the U.S. and hire the necessary staff to manage these devices. But I do wonder if it’s a bridge too far for the burden we’re already placing on teachers.

Many of my friends who are educators are great teachers but would be far from computer experts, and I’m confident they’ve never thought about how secure the passwords that their students need to log into their laptops are.

The FBI released a warning last week that the Vice Society ransomware group has increasingly been targeting schools across the U.S. and expects those attacks to continue as the school year ramps up. In the advisory, they said, “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.” If that’s the case, what happens if one of these underfunded districts is hit by a cyber attack? Rather than spending the year trying to beef up their security or implement new policies, they’ll instead just have to use up all their time and resources recovering from the attack and returning to square one.

The teachers, IT admins and school leaders who are already stretched too thin will only be stretched further in the event of a cyber attack. So, before we start investing more money into getting technology into students’ hands in the classroom, it may be worth considering how those devices are meant to be protected and who will oversee protecting them.

The one big thing

>

> Continuing our research into the well-known Lazarus Group, we have new details on a malware campaign with three different trojans targeting energy providers in the U.S., Canada and Japan. The newest malware is MagicRAT, which is deployed alongside two other RATs the Lazarus Group is known for. All three malware tools are being delivered via a targeted campaign that starts with the exploitation of the Log4j vulnerability in VMware Horizon.

> ### Why do I care?
>
> As we outlined in the newsletter last week, anything the Lazarus Group does is not to be taken lightly. And it’s particularly notable since they are targeting energy suppliers, highlighting the dangers that critical infrastructure faces from state-sponsored threat actors. Our research also shows the Lazarus Group is continually updating its malware and finding new ways to avoid detection.
>
> ### So now what?
>
> We’ve said this a thousand times already, but patch for Log4j in all software if you haven’t already since this is the primary infection method used in this campaign. Talos also released several new solutions for Cisco Secure to detect and prevent the malware used in these attacks.
>
>

Top security headlines from the week

Twitter’s former head of security warned Congress about several potentially dangerous security practices at the social media giant. Peiter “Mudge” Zatko, one of the first “hackers” to enter mainstream culture, said in testimony that about 50 percent of Twitter’s employees could have access to sensitive user information, something he says he tried to prevent during his time at the company but was stopped. Zatko went as far to directly tell U.S. Senators that their personal data could be at risk because of these practices, adding that the company is “misleading the public, lawmakers, regulators, and even its own board of directors.” The testimony came under additional scrutiny because of its potential influence on the ongoing battle regarding Elon Musk’s failed offer to buy Twitter. (Vox, Politico)

Montenegro’s government continues to grapple with a massive cyber attack, forcing many services offline at government offices and putting the country’s essential infrastructure, including banking, water and electrical power systems at risk. Government officials stated that the attack resembles others from well-known Russian state-sponsored actors. The FBI even deployed a special cybersecurity team to the country to help with the recovery and remediation process. The Cuba ransomware group claimed responsibility for the attack, going as far as to say they created a special malware just for this campaign. Recent cyber attacks against NATO nations like Montenegro and Albania have raised questions around NATO’s Article 5 could be triggered over offensive cyber attacks. (Associated Press, NPR)

Apple released security updates for its mobile and desktop operating systems this week to patch zero-day vulnerabilities that attackers have actively exploited in the wild. CVE-2022-32917, according to Apple, could allow an attacker to execute arbitrary code with kernel privileges. This is the eighth zero-day vulnerability Apple disclosed this year. When updating iOS, users can upgrade to iOS 16, which also comes with several new security features. The new operating system includes a centralized privacy dashboard, safety checks for users who could be at risk of having their devices infected with spyware, and password-free logins on some sites. (9to5Mac, New York Times Wirecutter)

Can’t get enough Talos?

Upcoming events where you can find Talos

Cisco Security Solution Expert Sessions (Oct. 11 & 13)

Virtual

Most prevalent malware files from Talos telemetry over the past week


SHA 256:e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

**MD5:**a087b2e6ec57b08c0d0750c60f96a74c

**Typical Filename:**AAct.exe

**Claimed Product:N/A **

**Detection Name:**PUA.Win.Tool.Kmsauto::1201


SHA 256:e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934** ****MD5:**93fefc3e88ffb78abb36365fa5cf857c ** ****Typical Filename:**Wextract
**Claimed Product:**Internet Explorer
**Detection Name:**PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

**Typical Filename:AAct.exe **

**Claimed Product:**N/A

**Detection Name:PUA.Win.Dropper.Generic::1201 **


SHA 256:58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681** **

**MD5:**f1fe671bcefd4630e5ed8b87c9283534

**Typical Filename:KMSAuto Net.exe **

**Claimed Product:**KMSAuto Net

**Detection Name:**PUA.Win.Tool.Hackkms::1201


SHA 256:8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7

**MD5:0e4c49327e3be816022a233f844a5731 **

**Typical Filename:aact.exe **

**Claimed Product:**AAct x86

**Detection Name:PUA.Win.Tool.Kmsauto::in03.talos **