The FBI said the credentials may have been obtained via “spear-phishing, ransomware, or other cyber intrusion tactics.” The report, which serves as a warning to U.S. colleges and universities, noted that credential harvesting could lead to cyberattacks on individual users or affiliated organizations down the road. “The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services,” the FBI said.
Credential Harvesting on the Rise
According to the FBI, cyber threat actors are increasingly targeting U.S. colleges and universities with credential harvesting attacks. Hackers are on the hunt for valuable data such as intellectual property (IP), which they can sell for a profit. In recent years, we have reported on cyberattacks aimed at prestigious academic institutions like Howard University, The University of California, and most recently Lincoln College. The FBI report highlighted incidents that date back to 2017 where hackers attempted to snag users’ login details by cloning the “.edu” login pages of universities and embedding “credential harvester links” into phishing emails sent to unsuspecting victims. The same tactics prevail and hackers have since “ramped up with COVID-themed” attacks to steal university login credentials, the report said. Once hackers successfully gain access to users’ login, they can drain victims’ accounts of stored value, re-sell credit card numbers and other personally identifiable information (PII), conduct fraudulent transactions, use the credentials to orchestrate cyberattacks on affiliated organizations, and carry out other criminal activities, the report warned.
Credentials for Sale Online
According to the FBI, there have been instances of the network credentials of U.S. universities and colleges being offered up for sale on the clearnet and the dark web. As of January 2022, “network credentials and virtual private network accesses” to several U.S.-based academic institutions have been offered for sale or posted for public access on Russian cybercriminal forums, the report states. Some of these posts included “screenshots as proof of access.” The stolen credentials are typically priced “from a few to multiple thousand US dollars.” The report highlighted two cases in late 2020 and May 2021 respectively, where tens of thousands of academic credentials were discovered to be for sale. With the former incident, the seller offered to exchange the “unique usernames with accompanying passwords” for cryptocurrency. With the latter incident, which has been linked to a cybercriminal group that deals with stolen logins, the credentials were found to be available on an “instant messaging platform.”
FBI Cybersecurity Recommendations
To help identify potential vulnerabilities and mitigate threats, the report recommends that all academic institutions establish and maintain “strong liaison relationships with the FBI Field Office in their region.” Furthermore, all institutions should, if necessary, review their incident response and communication strategies in case of a cyber incident. In addition, the FBI recommends mitigation strategies aimed at reducing the risk of compromise, such as:
Keeping all systems up-to-date Implementing cybersecurity training Requiring strong passwords Utilizing multi-factor authentication (MFA) Using anomaly detection tools Enforcing the principle of least privilege
The FBI’s extensive list of security recommendations can be found in the original report.