The network credentials and VPN access information were mainly acquired through ransomware, spear-phishing, and other cyberattacks.
According to the US Federal Bureau of Investigation (FBI), hackers are selling virtual private network (VPN) access and network credentials used by employees of a “multitude” of colleges and universities in the US. The stolen data is sold on Russian underground cybercrime platforms.
The FBI noted that in May 2021, they discovered over 36,000 email/password combinations for addresses ending with .edu. These addresses were available publicly on instant messaging platforms commonly used by cybercriminals.
“As of January 2022, Russian cybercriminal forums offered for sale or posted for public access the network credentials and virtual private network accesses to a multitude of identified US-based universities and colleges across the country, some of which included screenshots as proof of access.”
According to the FBI’s Private Industry Notification [PDF], most of the credentials part of the data up for sale on Russian hacker platforms were obtained through ransomware attacks and spear-phishing campaigns launched against US educational institutions over the years.
The institutions targeted in ransomware attacks in the last couple of years include:
- Ohlone College
- Centralia College
- Stratford University
- The Yeshiva University
- Stony Brook University
- The University of Miami
- Savannah State University
- National University College
- The University of Maryland
- North Carolina A&T University
- The University of Detroit Mercy
- Florida International University
- The University of Colorado Boulder
- The University of California, Merced
- Phillips Community College of Arkansas
It is worth noting that some of the universities mentioned in the list were targeted by the cl0p ransomware gang, while some were targeted by Iranian hackers. Nevertheless, currently, the stolen data is up for sale for several thousand dollars, depending on the nature of the information.
What are the Consequences
The FBI stated that such sensitive data and network access information, particularly privileged accounts, can enable threat actors to launch more cyberattacks against the organization and the user.
“Such tactics have continued to prevail and ramped up with COVID-themed phishing attacks to steal university login credentials, according to security researchers from a US-based company in December 2021.”
The credentials may be sold to other hackers, or the seller may ask for donations to offer full access to the data. They can use the credentials to brute-force credential stuffing attacks, drain the account of “stored value,” and leverage/resell credit card numbers and other personally identifiable information. They can also submit fake transactions and launch malicious scams against the account holder or the affiliated entity.
More FBI Alerts
- FBI – Malicious QR codes stealing login and financial data
- FBI issues flash alert after APT groups exploited VPN flaws
- FBI warns of hackers mailing malicious USB drives to spread ransomware
- 52 Critical Infrastructure Orgs Hit by Ragnar Locker Ransomware Gang – FBI
- Targeting Satellite? CISA, FBI Warns of Attacks on SATCOM Network Providers