FBI warns that 'university-related credentials are on sale at the Russian crime forum'



The Federal Bureau of Investigation (FBI), one of the US police agencies, has warned that thousands of credentials related to American universities are being sold on Russian and other online crime forums. It has been pointed out that this could lead to ransomware being installed on university networks and data being stolen from them.

Compromised US Academic Credentials Identified Across Various Public and Dark Web Forums
(PDF file) https://www.ic3.gov/Media/News/2022/220526.pdf



US college VPN credentials for sale on Russian crime forums, FBI says | Ars Technica
https://arstechnica.com/information-technology/2022/05/us-college-vpn-credentials-for-sale-on-russian-crime-forums-fbi-says/

The FBI issued a warning to private industry on May 26, 2022, stating: 'We have confirmed that credentials related to American universities are being sold on online crime forums and publicly accessible forums, so we are notifying our academic partners.'

'If such sensitive credentials and network access information, especially privileged user accounts, are leaked, it could lead to subsequent cyber attacks on individual users and related organizations,' the FBI said, suggesting that the leaks may lead to further cyber attacks.

The login names and passwords sold on crime forums appear to be collected through phishing attacks that are carried out on a daily basis. These phishing scams are said to have been carried out using compromised accounts and spoofed emails about the new coronavirus infection (COVID-19).

In many cases, threat actors who collect user credentials through phishing scams appear to sell the data on crime forums. The FBI also pointed out that threat actors use the collected credentials to conduct ransomware attacks, cryptojacking, espionage, etc., and ultimately aim to collect more information from university servers.

According to the FBI, in 2017 it detected threat actors who compromised accounts at targeted universities by 'duplicating the university login page and embedding in phishing emails a link that collects credentials for the threat actors.' It seems that the attackers were planning to steal the credentials directly from the university servers.



In addition, the following cases are mentioned in this FBI report.

・ Case of January 2022
Network credentials and VPN access rights for some US universities were sold or made publicly available on Russian cybercriminal forums. Sites that sell credentials usually list them for prices ranging from a few dollars (hundreds of yen) to thousands of dollars (hundreds of thousands of yen).

・ Case of May 2021
Over 36,000 email address and password combinations (possibly including duplicates) were identified on a publicly available instant messaging platform, including email accounts ending in '.edu'. The group posting the leaked data appears to have been involved in trading stolen login credentials and other cybercriminal acts.

・ Case of the latter half of 2020
Usernames and passwords for accounts at American universities with '.edu' domains were found for sale on the dark web. The seller posted about 2000 username and password combinations and requested donations to a Bitcoin wallet. As of the beginning of 2022, the site containing the credentials can no longer be accessed.

In addition, the FBI and independent security researchers recommend that IT personnel at universities and other organizations 'build and maintain strong ties with the FBI's bureaus in each region.' This facilitates communication with stakeholders in the event of an emergency.

in Security, Posted by logu_ii