A Canadian university’s network may be at risk from a cyber attack, according to KELA, an Israeli threat intelligence firm.
On April 3, a threat actor who sells network access on a Russian dark web forum put up for sale administrative access to the domain of an unnamed Canadian university for two bitcoin, or about CDN$20,600.
Irina Nesterovsky, KELA’s head of research, provided this translation of the post:
“Selling access to a large Canadian university. An internal scan of the network shows 8,000+ devices, RDP port gives ~4.4k PCs. The university is one of the largest, 50K+ students, 7k+ staff and teachers etc. Access: local admin inside the domain. Price is 2 BTC.”
A follow-up post says the actor has access to two domain users and was able to connect and maintain access from an external machine over a “non-standard port.”
Nesterovsky believes the post is authentic. “This forum frequently features posts by threat actors who trade in network access. This guy has been on the forum for a few years with some activity and a reputation given [on the forum].
“It’s also very detailed. We think it’s a valid threat.”
She suspects the threat actor gained access before April 3. It usually takes time for an attacker to discover details about each hacked organization’s infrastructure before deciding what to do. It’s common for an attacker to put access up for sale to monetize the breach if they can’t exploit the intrusion themselves.
It isn’t clear how access was obtained. Nesterovsky said this threat actor seems to specialize in brute-forcing RDP (remote desktop) servers, running an affiliate program with other threat actors for this purpose.
A university is a tempting target to an attacker for several reasons: because student work and research stored on university servers are valuable, education institutions are often chosen for ransomware attacks. That research could also be valuable if stolen for resale on a black market.
KELA has notified a contact at the University of Toronto and asked it to pass on the threat to other institutions.
The Russian post was news to Brian Lesser, CIO of Toronto’s Ryerson University, when contacted Monday afternoon by ITWC. He promised to pass it on to the chairs of the Canadian CIO association’s cybersecurity group.
“We hear about this sort of thing in general, all the time,” Lesser said in an email. “But, I can’t say I’ve heard about the access to a specific university system being sold.”
Lesser said universities have several sources of threat information, including the federal government’s Canadian Centre for Cyber Security. Asked if the centre has come across this particular dark web post, a spokesperson said it doesn’t comment on specific cyber threats.
Without knowing the victim, Nesterovsky said infosec pros at Canadian universities should be scanning their networks for suspicious activity.
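The actor described above is said to specialize in brute-forcing RDP, so one concrete form of the network scanning Nesterovsky recommends is to look for bursts of failed remote-interactive logons followed by a success from the same source. The following is an added example, not part of the article or of any KELA tooling; it runs over constructed, simplified Windows Security event lines (the event IDs 4625/4624 and logon type 10 are real, the log format, IPs and user names are assumptions).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Fields:
# timestamp  event_id  logon_type  source_ip  target_user
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP)
SAMPLE_LOG = """\
2021-04-01T02:00:01 4625 10 203.0.113.7 admin
2021-04-01T02:00:03 4625 10 203.0.113.7 administrator
2021-04-01T02:00:04 4625 10 203.0.113.7 it-admin
2021-04-01T02:00:06 4625 10 203.0.113.7 svc-backup
2021-04-01T02:00:07 4625 10 203.0.113.7 jsmith
2021-04-01T02:00:09 4624 10 203.0.113.7 jsmith
2021-04-01T09:15:00 4625 10 198.51.100.4 mlee
2021-04-01T09:16:30 4624 10 198.51.100.4 mlee
"""

FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = "4625", "4624", "10"

def parse(log_text):
    """Turn the simplified log lines into (timestamp, event_id, logon_type, ip, user) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), eid, ltype, ip, user))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source IP that reaches `threshold` failed RDP logons inside a
    sliding `window`, and again if that IP later logs on successfully (likely compromise)."""
    failures = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, eid, ltype, ip, user in sorted(events):
        if ltype != RDP_LOGON_TYPE:
            continue                 # only remote-interactive (RDP) logons matter here
        if eid == FAILED_LOGON:
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()          # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "rdp-bruteforce", "source_ip": ip, "failures": len(q), "at": ts})
        elif eid == SUCCESS_LOGON and ip in flagged:
            alerts.append({"kind": "success-after-bruteforce", "source_ip": ip, "user": user, "at": ts})
    return alerts
```

A normal user mistyping a password once (the 198.51.100.4 lines) produces no alert; the single success after five rapid failures from 203.0.113.7 is what an analyst should triage first.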