The School Bell Rings for Cyber Attackers Too

It’s Back to School time again for students, faculty and administrators… and apparently for Iranian cyber attackers too. Kelly Sheridan at Dark Reading reports that COBALT DICKENS, a threat group linked to Iran’s government, is targeting universities around the world with a large-scale credential theft campaign. This should serve as a reminder to IT security professionals that having more students and faculty on campus working on desktops and laptops attached to their schools’ networks increases the cyber attack surface.

Sheridan reports that researchers discovered the COBALT DICKENS attacks after spotting a URL spoofing a university login page. A close analysis of the IP address hosting the page revealed a huge attack involving 16 domains with more than 300 spoofed websites and login pages for 76 universities across 14 countries, including the U.S. and Israel.

After entering their credentials on a fake login page, victims were redirected to the school’s legitimate website, where they were either logged into a valid browsing session or prompted to enter their username and password again. Several domains referred to the target institution’s online library systems, which Sheridan writes is a sign that the attackers were trying to access academic resources.
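The fake-login-then-redirect sequence described above leaves a recognizable trace in web proxy logs. The following detector is an added example, not code from the article or from Nyotron; the university hostnames, brand token and log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Approved login hosts and brand token for a hypothetical university (assumptions, not from the article).
LEGIT_LOGIN_HOSTS = {"login.example-university.edu", "library.example-university.edu"}
BRAND_TOKENS = ("example-university",)

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2018-08-27T09:01:02 10.20.1.15 GET https://login.example-university.edu/ 200
2018-08-27T09:03:10 10.20.1.15 GET http://example-university.edu.login-portal.example/ 200
2018-08-27T09:03:41 10.20.1.15 POST http://example-university.edu.login-portal.example/auth 302
2018-08-27T09:03:42 10.20.1.15 GET https://login.example-university.edu/ 200
2018-08-27T09:05:00 10.20.1.22 POST https://login.example-university.edu/auth 302
2018-08-27T09:05:01 10.20.1.22 GET https://library.example-university.edu/ 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def parse_log(text):
    """Parse log lines into (time, client, method, host) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, _status = m.groups()
            host = (urlsplit(url).hostname or "").lower()
            events.append((datetime.fromisoformat(ts), client, method, host))
    return events

def is_lookalike(host):
    """Host borrows the university's name but is not an approved login host."""
    return host not in LEGIT_LOGIN_HOSTS and any(tok in host for tok in BRAND_TOKENS)

def find_spoofed_logins(text, window_seconds=30):
    """Flag a POST to a lookalike host followed, within the window, by the same client
    landing on a legitimate host: the fake-login-then-redirect pattern in the article."""
    events = parse_log(text)  # assumes lines are in chronological order
    alerts = []
    for i, (ts, client, method, host) in enumerate(events):
        if method != "POST" or not is_lookalike(host):
            continue
        for ts2, client2, _method2, host2 in events[i + 1:]:
            if ts2 - ts > timedelta(seconds=window_seconds):
                break
            if client2 == client and host2 in LEGIT_LOGIN_HOSTS:
                alerts.append({"client": client, "spoof_host": host, "redirected_to": host2})
                break
    return alerts
```

Each alert names the client whose credentials should be treated as exposed and the lookalike host to add to blocklists and takedown requests.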

This is not even the first time this year that Iranian hackers have been caught trying to steal data from schools. The U.S. government in March charged nine Iranian hackers also associated with COBALT DICKENS for stealing 31 terabytes of information worth more than $3 billion from over 300 American and foreign universities. The hackers used spear-phishing attacks to hack 8,000 accounts, including 3,768 at U.S. schools.

It’s impossible to prevent employees or students from occasionally making innocent mistakes and falling victim to phishing attacks, and no security solution can guarantee it will thwart 100% of attacks. However, that does not mean you have to rip-and-replace your existing security solutions.

Although antivirus (including so-called next-gen AV) has proven incapable of reliably identifying and blocking advanced ransomware and zero-day malware, it is still effective for thwarting known threats and variants of those threats. That’s because it follows what I call the “enumeration of badness approach”.

The trouble is, that traditional approach is no longer effective against unknown and fileless threats.

You need to strike a balance between that Negative Security approach and Positive Security to create a much stronger posture that forces a perpetrator to try to mimic two different types of behaviors that are diametrically opposed.

That’s exactly what Muli Tzafrir, Head of Computing & Information Systems Division at the University of Haifa in Israel, decided to do after realizing that attacks like WannaCry and the Spectre and Meltdown vulnerabilities proved that it’s unrealistic to detect all future “badness” based on the past.

“As the person in charge of thousands of systems and developers, I can estimate where new attacks will come from and how they’ll look, but that’s yesterday’s challenge,” said Tzafrir. “The challenge of today and tomorrow is the greatest of all: how to protect an organization from a completely new attack prior to having explicit knowledge about it.”

The university is experiencing a digital revolution in all areas of instruction and research, making this one of its most exciting, and challenging, periods. It is currently updating its technological infrastructure and developing a digital infrastructure to leverage in teaching and research.

“In my estimation, the future of data security isn’t in adding protective layers, each of which addresses a specific vector or type of attack,” added Tzafrir. “Nor is it in endless acquisitions of products for each type of attack. Instead of putting up more firewalls, we went with significantly reinforcing our ‘bottom line,’ which is also considered the weakest link in the chain: a user’s endpoint.”

Follow this link to read the full Haifa University – Nyotron case study. And to learn more about how PARANOID enables you to create a multi-layered defense that strikes a balance between Negative and Positive Security, visit our website and connect with us on LinkedIn and Twitter.

Rene Kolga
Rene Kolga is Senior Director of Product and Marketing at Nyotron, the developer of PARANOID, the industry’s first OS-Centric Positive Security solution to strengthen your AV or NGAV protection. By mapping legitimate operating system behavior, PARANOID understands all the normative ways that may lead to damage and is completely agnostic to threats and attack vectors. When an attack attempts to delete, exfiltrate or encrypt files (among other things), PARANOID blocks them in real-time.
