FBI Alert: U.S. Academic Credentials Being Sold On Various Public and Dark Web Forums

An alert issued by the FBI Thursday warns higher education institutions that cybersecurity agents have identified that U.S. college and university credentials are being advertised for sale on “dark web” criminal marketplaces and on publicly accessible internet forums.

“As of January 2022, Russian cyber criminal forums offered for sale or posted for public access the network credentials and virtual private network accesses to a multitude of identified U.S.-based universities and colleges across the country, some of which included screenshots as proof of access,” the alert states. “Sites posting credentials for sale typically listed prices varying from a few to multiple thousands of U.S. dollars.”

The agency warned that exposure of usernames and passwords — even if only a portion of the passwords are still accurate — significantly increases the risk to an institution of a brute force credential-stuffing network attack; the FBI also said since users commonly re-use the same credentials across multiple accounts, websites, and services, individual users among the stolen credentials are at greater risk of identity theft and financial losses.

“This exposure of sensitive credential and network access information, especially privileged (or administrative) user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations,” the FBI alert said.

Another example listed by the agency is an incident from a year ago where 36,000 credentials for email accounts ending in .edu were found on a publicly accessible instant messaging platform, which was not named by the FBI.

Cybersecurity experts at Proofpoint in December said they’d identified a dramatic increase in email threats targeting mostly North American universities attempting to steal university login credentials, many of which leverage COVID-19 themes including testing information and the then-new Omicron variant.

In a Proofpoint blog post published Dec. 7, 2021, cybersecurity analysts at the company explained that credential-theft campaigns targeting universities and exploiting COVID-19 themes had ramped up consistently since October 2021. The threats specifically targeting universities went to great lengths to mimic universities’ legitimate login portals, the cybersecurity firm said. “It is likely this activity will increase in the next two months as colleges and universities provide and require testing for students, faculty, and other workers traveling to and from campus during and after the holiday season, and as the Omicron variant emerges more widely,” Proofpoint experts said.

Preventative Measures the FBI Recommends for Higher Ed Institutions

In its alert, the FBI recommended that all academic entities establish “strong liaison relationships” with their local FBI Field Office, who “can assist with identifying vulnerabilities to academia and mitigating potential threat activity.”

The agency also recommended that academic entities “review and, if needed, update incident response and communication plans that list actions ... if impacted by a cyber incident.”

Additional recommendations listed in the FBI alert included the following, verbatim from the notice:

  • Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end-of-life notifications, and prioritize patching known exploited vulnerabilities.
  • Automate software security scanning and testing when possible.
  • Implement user training programs and phishing exercises for students and faculty to raise awareness about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.
  • Require strong, unique passwords for all accounts with password logins and establish lock-out rules for incorrect password attempts. Avoid password reuse across multiple accounts or stored on the system where an adversary may gain access.
  • Require multi-factor authentication, preferably using phishing-resistant authenticators, for as many services as possible — particularly for accounts with access to critical systems, webmail, VPNs, and privileged accounts that manage backups.
  • Reduce credential exposure and enforce credential protection by restricting where accounts and credentials can be used and by using local device credential protection features.
  • Segment networks to help prevent unauthorized access by malicious actors or the spread of malware.
  • Identify, detect, and investigate abnormal activity with network-monitoring tools that log and report all network traffic, including lateral movement on a network.
  • Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts.
  • Enforce the principle of least privilege through authorization policies. Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
  • Secure and closely monitor remote desktop protocol (RDP) use.
  • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. If RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.
  • Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
  • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389).
  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary, and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Document external remote connections. Organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.
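Several of the recommendations above (lockout rules for incorrect password attempts, anomaly detection of failed authentication spikes, monitoring of remote-access logs) come down to the same defensive question: what does the credential-stuffing risk described earlier in the alert look like in a login log, and how would an institution spot it? The following is an added example written for this page, not code from the FBI alert or from the article. It assumes a constructed, simplified log format (`<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<name> src=<ip>`), constructed sample lines, and illustrative thresholds; a real deployment would read the portal's or VPN's actual authentication logs and tune the windows and counts to local baselines.

```python
"""Credential-stuffing and lockout detection over authentication logs.

Added example for this page; not the FBI's or the article's code. The log
format, sample lines and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
import re

# Constructed sample log lines (not real data). One external address fails
# against many distinct accounts within seconds, the shape of a stuffing run
# built from a leaked credential list; one account racks up repeated failures
# from a single source; the rest is ordinary traffic.
SAMPLE_LOG = """\
2022-01-10T08:00:01 LOGIN_OK user=alice src=10.0.0.5
2022-01-10T08:00:09 LOGIN_FAIL user=bob src=10.0.0.7
2022-01-10T08:00:10 LOGIN_OK user=bob src=10.0.0.7
2022-01-10T08:01:00 LOGIN_FAIL user=carol src=203.0.113.9
2022-01-10T08:01:01 LOGIN_FAIL user=dave src=203.0.113.9
2022-01-10T08:01:02 LOGIN_FAIL user=erin src=203.0.113.9
2022-01-10T08:01:03 LOGIN_FAIL user=frank src=203.0.113.9
2022-01-10T08:01:04 LOGIN_FAIL user=grace src=203.0.113.9
2022-01-10T08:01:05 LOGIN_OK user=heidi src=203.0.113.9
2022-01-10T08:01:06 LOGIN_FAIL user=ivan src=203.0.113.9
2022-01-10T08:30:00 LOGIN_FAIL user=judy src=10.0.0.12
2022-01-10T08:31:00 LOGIN_FAIL user=judy src=10.0.0.12
2022-01-10T08:32:00 LOGIN_FAIL user=judy src=10.0.0.12
2022-01-10T08:33:00 LOGIN_FAIL user=judy src=10.0.0.12
2022-01-10T08:34:00 LOGIN_FAIL user=judy src=10.0.0.12
2022-01-10T08:35:00 LOGIN_FAIL user=judy src=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse lines into (timestamp, result, user, src); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def _max_in_window(stamped, window, measure):
    """Largest value of measure(items) over any time window of the given length."""
    stamped.sort(key=lambda item: item[0])
    best, start = 0, 0
    for end in range(len(stamped)):
        while stamped[end][0] - stamped[start][0] > window:
            start += 1
        best = max(best, measure(stamped[start:end + 1]))
    return best


def stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Sources whose failures span >= min_users distinct accounts within one window.

    A stuffing run replays leaked username/password pairs, so one origin fails
    across many different accounts; a legitimate user rarely does.
    """
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "LOGIN_FAIL":
            fails[src].append((ts, user))
    distinct_users = lambda items: len({u for _, u in items})
    flagged = {src: _max_in_window(items, window, distinct_users) for src, items in fails.items()}
    return {src: n for src, n in flagged.items() if n >= min_users}


def lockout_candidates(events, window=timedelta(minutes=10), max_fails=5):
    """Accounts with more than max_fails failures in one window (the alert's lockout rule)."""
    fails = defaultdict(list)
    for ts, result, user, _src in events:
        if result == "LOGIN_FAIL":
            fails[user].append((ts, user))
    flagged = {user: _max_in_window(items, window, len) for user, items in fails.items()}
    return {user: n for user, n in flagged.items() if n > max_fails}


def failure_spike(events, bucket=timedelta(minutes=1), factor=3.0):
    """Buckets whose failed-auth count exceeds factor * the median bucket count.

    Returns a list of (bucket start as ISO string, count) for the anomalous
    buckets, mirroring the alert's 'unusual increase in failed attempts'.
    """
    epoch = datetime(1970, 1, 1)
    counts = defaultdict(int)
    for ts, result, _user, _src in events:
        if result == "LOGIN_FAIL":
            counts[epoch + ((ts - epoch) // bucket) * bucket] += 1
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted((k.isoformat(), n) for k, n in counts.items() if n > factor * baseline)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evts))
    print("lockout candidates:", lockout_candidates(evts))
    print("failure spikes:", failure_spike(evts))
```

On the constructed sample, the external address is flagged for failing against six distinct accounts in a few seconds, the single account with six consecutive failures crosses the lockout threshold, and the 08:01 minute stands out as a failure spike. The three checks deliberately look at different axes (per-source breadth, per-account depth, and overall rate) because a low-and-slow stuffing run that stays under any one threshold is still likely to trip another; in practice the thresholds are set from the institution's own baseline rather than the illustrative values used here.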
