Research

Education Top Target for Adware and Trojans

• By Dian Schaffhauser
• 08/14/19

Education's greatest cybersecurity threat is the openness of its networks, according to a company that produces anti-malware software. According to a new analysis of its customer data, Malwarebytes has found that the education sector was the largest target for adware and trojans, and second among verticals for being hit with ransomware. Forty-three percent of threats on education devices were identified as adware, 25 percent as trojans and 3 percent as backdoors.

The analysis was done between January and June 2019 on devices identified as being in education settings around the world and running Malwarebytes' on-premise programs and cloud services. While the focus was on findings for the first half of 2019, the company also examined data collected in 2018 to understand the threat landscape of the 2018-2019 school year.

In the area of adware, the most common adware families detected were SearchEncrypt, Spigot and IronCore. Together these comprised about 15 percent of the threats detected. The company considered the first two of those "relatively minor compromises."

The bigger concern was trojans. And according to the analysis, more than one in three compromises were detected on devices plugging in as a guest on the network. Trojans across all industries were on the rise last year, up 132 percent from the previous year. In education specifically, trojans represented nearly 30 percent of all detections in devices owned by schools. Also, the company reported, 33 percent of non-institution-owned devices carried trojans; in the United States specifically the share was 27 percent.

The most common trojans detected were Emotet, TrickBot and Trace, making up more than 11 percent of all compromises.

Emotet appeared to be even more pervasive among non-institution-owned devices (14 percent) than those owned by the institution (5 percent).

TrickBot for its part uses EternalBlue, one of the SMB vulnerabilities leaked by the ShadowBrokers Group last year, to exploit unpatched systems. Infected machines attempt to spread TrickBot laterally via brute force of domain credentials." TrickBot, which represented almost 6 percent of all identified compromises in education, was described by Malwarebytes as a "nasty information stealer that can download components for specific malicious operations, such as keylogging and lateral movement within a network."

The company warned that these two trojans "may be even more pervasive than the metrics indicate." If its own technology didn't stop certain activities in their tracks, the counts could be doubled. Those include flagging malicious PDF or Office documents containing hidden scripts that have been opened or a manual script such as PowerShell that has been activated. "If these detections were, indeed, the result of further attempts at spreading Emotet or TrickBot, then Trojan detections may actually represent up to 40 percent of all detections in the industry," the company noted.

"Because of their network-hopping use of brute force attacks and use of exploits, education is particularly vulnerable to these particular attacks, due to the huge volume of guest devices connecting to their networks," the company concluded.

More detail is available on Malwarebyte's blog.