LA School District Accounts Appear on Dark Web Before Attack
Hacked Accounts May Have Made District an Easy Ransomware Target
The Labor Day weekend ransomware incident at Los Angeles Unified School District is drawing serious attention from the U.S. government, a move that signals growing concern with mostly Russia-based cybercriminals striking soft targets with file-encrypting malware.
Six FBI special agents and other agencies are helping LAUSD deal with the incident, Superintendent Alberto Carvalho said in a news release on Tuesday. The district says it called on the U.S. government after the attack, and the White House dispatched agencies to help with incident response.
In addition to the FBI, the other agencies include the Department of Education and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Local law enforcement is also helping, the district said.
Officials have not said what led to the ransomware attack, but Information Security Media Group has learned that in the months leading up to the attack, login credentials for accounts within the school district's network were offered on the dark web.
At least 23 sets of login credentials belonging to people working for and with the district were exposed, according to a source who wished to remain anonymous. The information included usernames - which were email addresses with the suffix "@lausd.net" - and passwords. Many of the passwords were simple, such as "frenchfries" plus a number.
At least one set of credentials unlocked an account for the district's virtual private network service. VPNs are often used to secure access to network resources, but those VPN accounts can be vulnerable to takeover. Ransomware actors often seek access to VPNs as a step toward navigating to other key network resources and eventually installing ransomware.
LAUSD officials said they had no comment.
There are indications that some LAUSD users have multifactor authentication on their accounts. MFA usually involves entering a time-sensitive code in addition to a login and password. It's a good way to stop cybercriminals who have managed to capture usernames and passwords.
LAUSD was in the process of a large-scale MFA rollout. It plans to make MFA mandatory starting on Sept. 12 for some access scenarios. The requirement would apply to employees and contractors accessing its systems from external networks, such as home or public wi-fi.
Users could either use the Microsoft Authenticator app to get the code or obtain the code via SMS message or a phone call, according to a document on the district's website. The district recommends using the Microsoft Authenticator mobile app, which will send a push notification to a user's device that the user can tap to approve the login. That's a more secure way to receive the code than over SMS.
But MFA may not have protected the district in this case. It is possible that the district computers where the compromised accounts were used are infected with malware or botnet code that was missed by security software. That would mean the cybercriminals already have persistent access to machines on the network regardless of whether MFA is enabled for the login credentials.
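A defender who learns that account credentials are circulating can check those accounts against VPN authentication records for external logins that succeeded on a password alone. The sketch below is an added example, not part of the original article or any district tooling; the log format, field names, internal address range and account names are all constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumption: addresses inside this range count as the internal network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed list of accounts reported as exposed (placeholder domain).
EXPOSED = {"teacher1@district.example", "contractor7@district.example"}

# Constructed VPN authentication log; the columns are hypothetical.
SAMPLE_LOG = """\
timestamp,user,src_ip,result,mfa
2022-09-01T08:02:11Z,teacher1@district.example,10.4.2.17,success,none
2022-09-02T23:41:05Z,teacher1@district.example,203.0.113.50,success,none
2022-09-03T01:12:44Z,contractor7@district.example,198.51.100.9,success,push
2022-09-03T01:15:02Z,staff22@district.example,203.0.113.77,success,none
2022-09-03T02:30:19Z,contractor7@district.example,198.51.100.23,failure,none
"""

def classify(row, exposed):
    """Return a severity label for one VPN event, or None if unremarkable."""
    external = ipaddress.ip_address(row["src_ip"]) not in INTERNAL_NET
    if not external:
        return None
    is_exposed = row["user"].lower() in exposed
    no_mfa = row["mfa"] == "none"
    if is_exposed and row["result"] == "success" and no_mfa:
        return "high"    # exposed password alone granted external access
    if is_exposed and row["result"] == "failure":
        return "medium"  # someone is trying an exposed account from outside
    if row["result"] == "success" and no_mfa:
        return "policy"  # external login without MFA, account not known exposed
    return None

def triage(log_text, exposed):
    """Return (severity, user, src_ip, timestamp) for every flagged event."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        severity = classify(row, exposed)
        if severity:
            findings.append((severity, row["user"], row["src_ip"], row["timestamp"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, EXPOSED):
        print(*finding)
```

An exposed account that logs in with MFA is not flagged here, but it still needs a password reset and a check of the machines it was used on, since a foothold on an endpoint is not visible in VPN logs.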
Districtwide Password Reset
On Tuesday, the district said it had launched a networkwide password reset. The reset had some initial hiccups, and the district tried to manage the resets in stages throughout Tuesday morning. Carvalho said by late Tuesday that the difficulties had been overcome and more than 53,000 student and employee passwords had been reset. Microsoft was helping, Carvalho said.
The district, which is the second largest in the United States, says it swiftly moved to mitigate disruptions to email, computer systems and applications. It also says that critical business systems, including employee healthcare and payroll, were not affected, nor were school safety or emergency mechanisms.
Carvalho tweeted that the district's IT department was able to get the My Integrated Student Information System, or MiSiS, running in just two hours.
MiSiS is a critical software system, tracking student attendance, enrollment, grades, scheduling, transportation and testing among many other functions. The software evolved over many years but took shape under its current name around 2012, according to the district's website. LAUSD describes MiSiS as "the largest and most complex student data system in the United States."
The restoration of that system in just two hours means the district probably has a good backup and restoration regime, which would be critical to bouncing back after a ransomware attack.
.@LASchools ITD restored MiSiS in 2 hours and our systems are now supporting digital attendance reporting. Our teams are working quickly to normalize all functions Districtwide. pic.twitter.com/NFFdDp4vWD
— Alberto M. Carvalho (@LAUSDSup) September 6, 2022
Attack Group: Vice Society?
No information was released about which ransomware group struck the district. But CISA issued an advisory on Tuesday about the Vice Society ransomware gang.
"Vice Society uses ransomware attacks against the education sector to gain access to, and threaten exposure of, sensitive personal information regarding students and staff for financial gain," according to the advisory, issued by CISA, the FBI and the Multi-State Information Sharing and Analysis Center.
The ransomware group's demand is unclear. District officials have not yet commented on whether the group has stolen the personal information of students.
Ransomware groups often steal sensitive data prior to launching their encrypting malware. That way, they have two levers with which to demand a ransom: hampering access to data and threatening to release personal data publicly. The technique is known as double extortion.
Some parents already were expressing concern that the data of their children might be at risk. One parent wrote on Facebook that her son's high school had requested his birth certificate and her identification upon enrollment.
"We all deserve to know what info these hackers now have," she wrote.