Eaton's Intelligent Power Manager (IPM) Vulnerability

Overview:

  Eaton’s Intelligent Power Manager (IPM) software provides the tools needed to monitor and manage power devices in your physical or virtual environment keeping devices up and running during a power or environmental event. This software solution ensures system uptime and data integrity by enabling remote monitoring, managing and controlling devices on the network.

  An arbitrary file deletion vulnerability has been reported in Eaton Intelligent Power Manager and Eaton Intelligent Power Protector. The vulnerability is due to missing input validation in meta_driver_srv.js. A remote, unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted packet. Successful exploitation could allow attackers to delete arbitrary files on the target system.

  The main program mc2 contains compressed JavaScript code that is relevant for understanding this vulnerability. The web interface can be accessed over HTTP or HTTPS on ports 4679 and 4680, respectively.

CVE Reference:

  Assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-23279

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  An arbitrary file deletion vulnerability exists in Eaton Intelligent Power Manager. The vulnerability is due to a missing authentication check and missing input validation in the HTTP requests sent to the “/server/meta_driver_srv.js” endpoint. When a user sends an HTTP request to this endpoint, the code in meta_driver_srv.js parses the JSON data in the data request parameter.

  The code maintains the driverList data structure in the MetaDriverManager JavaScript object. It collects all driver IDs that are currently known to the application, which are those found in the “configs/drivers/” directory. Each file in this directory contains the information for one driver ID, and the file name has the form “X.drv”, where X is the driver ID.

  After parsing the JSON data in the data request parameter, the code checks whether each driver ID in the driverList data structure is present in the JSON data. If it is not present, the code deletes the file in the “configs/drivers” directory whose name matches that driver ID, by calling the deleteDriver() function in the MetaDriverManager JavaScript file. Afterwards, it adds the data for each driver ID found in the JSON data that is not present in the driverList data structure; that is, it creates a new “.drv” file in the “configs/drivers” directory containing the JSON data provided in the request.

  The problem with this code is that it uses the driver ID keys from the provided JSON data to delete or create “.drv” files in the “configs/drivers” directory without checking the keys for directory traversal characters. Therefore, an attacker can send requests in which a driver ID key in the JSON data contains directory traversal characters.

Note that the attacker has to send two requests.

  • In the first request, the attacker sends a malicious request containing a driver ID that is a path to the file to be deleted. While processing this first request, the code overwrites that file with the data provided in the data request parameter. However, the overwritten content is in JSON format and is not fully controlled by the attacker.

  • The attacker then sends a second request in which the driver ID added by the first request is omitted, which triggers the code path that deletes that file. With these two requests, the attacker can delete any file on the target system by using directory traversal characters together with the null character (%00). The null character is needed to remove the trailing “.drv” extension from the maliciously crafted path.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker sends a malicious HTTP request to overwrite the contents of the file and then sends the second request to delete the same file. The vulnerability is triggered when the affected software processes the second request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 4679/TCP
    • HTTPS, over port 4680/TCP

Attack Request:

Attack Response:

Patched Software:

  Eaton has patched these security issues and released new versions of the affected software. The latest versions can be downloaded from the locations below:
    • Eaton IPM v1.69 – Download | IPM | Eaton
    • Eaton IPP v1.68 – Download software | Power management | Eaton

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15540 Eaton Intelligent Power Manager Arbitrary File Deletion

Vendor Advisory:

Cybersecurity News & Trends – 04-30-21

This week, attacks by cybercriminals in Russia and China made headlines — and the U.S. government is mobilizing to fight back.


SonicWall in the News

‘A Perfect Score’: SonicWall Capture ATP Aces Latest ICSA Lab Test, Finds More ‘Never-Before-Seen’ Malware Than Ever — Company Press Release

  • SonicWall Capture Advanced Threat Protection (ATP) sandbox service with Real-Time Deep Memory Inspection™ (RTDMI) received a perfect score in the latest ICSA Labs Advanced Threat Defense test for Q1 2021.

Industry News

Here’s what Russia’s SVR spy agency does when it breaks into your network, says U.S. CISA infosec agency — The Register

  • Following attribution of the SolarWinds supply chain attack to Russia’s APT29/Cozy Bear, the U.S. CISA infosec agency has published a list of the spies’ known tactics.

Ransomware crooks threaten to ID informants if cops don’t pay up — Ars Technica

  • Ransomware operators have delivered a stunning ultimatum to Washington, D.C.’s Metropolitan Police Department: pay them $50 million, or they’ll leak the identities of confidential informants to street gangs.

Navy SEALs to Shift From Counterterrorism to Global Threats — Security Week

  • U.S. Navy SEALs are undergoing a major transition to improve leadership and expand their commando capabilities to battle threats from global powers like China and Russia.

Cyberspies target military organizations with new Nebulae backdoor — Bleeping Computer

  • A Chinese-speaking threat actor has deployed a new backdoor in multiple cyber-espionage operations, spanning roughly two years and targeting military organizations from Southeast Asia.

Suspected Chinese hackers are breaking into nearby military targets — Cyberscoop

  • The suspected PLA hackers are back in action.

Microsoft Weighs Revamping Flaw Disclosures After Suspected Leak — Bloomberg

  • Microsoft Corp. may revise a program that shares coding flaws in its products with other companies after a sprawling cyberattack against thousands of Microsoft Exchange email clients.

U.S. warns of Russian state hackers still targeting U.S., foreign orgs — Bleeping Computer

  • The FBI, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency warned of continued attacks by Russian-backed APT 29 hacking group against U.S. and foreign organizations.

Law enforcement delivers final blow to Emotet — Cyberscoop

  • Law-enforcement officials are sending a specially crafted file to infected machines.

Selling of Mobile Phone Data Presents Security Risk for U.S. Armed Forces — The Wall Street Journal

  • Apps show troop movements buried in data available for purchase: a “major risk to national security.”

Ransomware’s perfect target: Why one industry needs to improve cybersecurity, before it’s too late — ZDNet

  • Dependencies on just-in-time supply chains and sometimes out-of-date technology make shipping and logistics an ever-more-tempting target for cybercriminals.

Apple’s ransomware mess is the future of online extortion — Ars Technica

  • Hackers want $50 million in exchange for not releasing schematics they stole from an Apple supplier.

China could ‘control the global operating system’ of tech, warns UK spy chief — ZDNet

  • The head of the UK’s intelligence service warns that the West must be prepared to face a world where technology is developed and controlled by states with “illiberal values.”

New cryptomining malware builds an army of Windows, Linux bots — Bleeping Computer

  • A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero (XMRig) miner and self-spreader malware payloads.

ToxicEye: Trojan abuses Telegram platform to steal your data — ZDNet

  • This recently discovered RAT is using bots to propagate across Telegram channels.

In Case You Missed It

cURL new addition to LOLBins

The SonicWall Capture Labs Threat Research Team has observed a new Microsoft Excel sample that uses curl.exe to download the AVE Maria Remote Admin Tool. This sample launches curl.exe using an XLM macro.

cURL is a command-line tool for getting or sending data, including files, using URL syntax. cURL is included by default in Windows 10 build 17063 or later.

Any country where the French language is spoken, or is the official language, may be the target of this campaign, given that the sheet name is “Feuil1” which means “Sheet1” in French.

Analysis:

Upon opening the file, the user is displayed instructions to enable content as shown below:

Fig-1: Excel File

If the user enables macros, the following code is executed:

Fig-2: Macro Sheet

The downloaded file remains under analysis, and initial investigations show that it belongs to the “AVE-Maria RAT” family.

File properties indicate that the sample was created on 20-Sep-2020 and modified on 27-Apr-2021 8:14 pm (UTC) as shown below.

Fig-3: Sample properties

SonicWall Capture ATP detected the sample as soon as it was first observed in the wild (27-Apr-2021 9:01:05 GMT), as is evident from the sample properties and the Capture Detection Report:

Fig-4: Capture Report


Indicators of Compromise:

SHA256:

  • 2e07eafbfb9f4700dbb3983d59d45939eb80f99807aee1c85e955d6f67991794 {Excel File}
  • 5bdc77c84e5ae4fd2c48746ad421b04fb8af9dca2b4d0e9e38906b777f976577 {Excel File}
  • 27b2fd40a9bf3ea07a45437c743cf9fdba97565231e4ae3ea90adf897e26b663 {Executable File}

Network Activity:

  • akmestarhfc[.]in/public/smartpc[.]exe
  • http://bitcoincoin[.]xyz/payment/xls[.]exe

SonicWall Capture ATP Receives Perfect Score in ICSA Labs ATD Certification

In 2020, the pandemic forced businesses to find new ways to conduct their operations. But it also revealed that cybercriminals can adapt to new workplace realities as quickly as corporations. When your adversaries are as nimble as you are, third-party validation of your advanced security solutions is more important than ever.

That’s why we’re proud to announce that SonicWall Capture ATP (Advanced Threat Protection) has received a perfect score from ICSA Labs. Capture ATP uses patented RTDMI™ (Real-Time Deep Memory Inspection) technology to catch more malware faster than traditional behavior-based sandboxing methods, with a lower false positive rate. This fact can be seen in the test results, as Capture ATP detected 100% of previously unknown threats with no false positives. This marks the fifth consecutive ICSA certification for SonicWall Capture ATP.

During the 35-day test cycle, ICSA conducted a total of 1,471 tests against Capture ATP, with a mixture of 580 new and little-known malicious samples and 891 innocuous applications. Capture ATP correctly identified all malicious samples while allowing all clean samples through, proving the effectiveness of the solution against unknown threats.

According to the report, “SonicWall Capture ATP did remarkably well during this test cycle — detecting 100% of previously unknown threats while having zero false positives.”

The full report can be downloaded here.

What is ICSA Advanced Threat Defense?

Standard ICSA Labs Advanced Threat Defense (ATD) testing is aimed at vendor solutions designed to detect new threats that traditional security products miss. The test cycles evaluate how effectively vendor ATD solutions detect these unknown and little-known threats while minimizing false positives.

Cybersecurity News & Trends – 04-23-21

This week hackers ramped up attacks on office workers, with malicious emails impersonating Slack, BaseCamp and Bloomberg Industry Group.


SonicWall in the News

The 8 Best Wireless Routers for Business in 2021 — Solutions Review

  • SonicWall SOHO 250 was included on Solutions Review’s (alphabetically organized) list of the top wireless routers of 2021.

Higher the Factors, Stronger the Security — Security MEA

  • Mohamed Abdallah, SonicWall regional director for MEA, explores the importance of multi-factor authentication.

Saudi GDP Can Spike Automation — Khaleej Times

  • Mohamed Abdallah, SonicWall regional director for MEA, discusses digital transformation initiatives in Saudi Arabia and the need for intelligent automation deployments.

Industry News

Apple Targeted in $50 Million Ransomware Hack of Supplier Quanta — Bloomberg

  • The REvil ransomware group is threatening Apple after one of its key MacBook suppliers, Quanta, allegedly refused to pay a $50 million ransom.

Hackers pose as Bloomberg employees in email scam — Cyberscoop

  • The ruse seeks to capitalize on the influence of Bloomberg Industry Group, whose analysis major corporations use to track markets.

Japan says Chinese military likely behind cyberattacks — The Washington Times

  • Tokyo police are investigating cyberattacks on about 200 Japanese companies and research organizations, including the country’s space agency, by a hacking group believed to be linked to the Chinese military.

US takes steps to protect electric system from cyberattacks — The Washington Times

  • The initiative encourages power plants and electric utilities to improve their ability to identify cyber threats, including implementing technologies to spot and respond to intrusions in real time.

Fake Microsoft Store, Spotify sites spread info-stealing malware — Bleeping Computer

  • Sites that impersonate the Microsoft Store, Spotify, and an online document converter are using malware to steal credit cards and passwords saved in web browsers.

Millions of web surfers are being targeted by a single malvertising group — Ars Technica

  • Hackers have compromised more than 120 ad servers over the past year in an ongoing campaign that displays malicious advertisements on sites that seem completely benign.

Discord Nitro gift codes now demanded as ransomware payments — Bleeping Computer

  • A new ransomware calling itself “NitroRansomware” encrypts victims’ files and then demands a Discord Nitro gift code in exchange for decryption.

Ryuk ransomware operation updates hacking techniques — Bleeping Computer

  • Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.

BazarLoader Malware Abuses Slack, BaseCamp Cloud — Threat Post

  • The BazarLoader malware’s email messages leverage worker trust in collaboration tools like Slack and BaseCamp to get them to click links containing malware payloads.

Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020? — Krebs on Security

  • On Aug. 13, 2020, someone uploaded a suspected malicious file to VirusTotal, a service that scans submitted files against more than five dozen antivirus and security products. Last month, Microsoft and FireEye identified that file as a newly discovered fourth malware backdoor used in the sprawling SolarWinds supply-chain hack.

Cyberattack on UK university knocks out online learning, Teams and Zoom — ZDNet

  • The attack cancelled all live online teaching for the rest of the week.

How the Kremlin Provides a Safe Harbor for Ransomware — Security Week

  • Ransomware is crippling local governments, hospitals, school districts and businesses by scrambling their data files until they pay up — and law enforcement has been largely powerless to stop it.

Swinburne University confirms over 5,000 individuals affected in data breach— ZDNet

  • The university confirmed the personal information included in the breach contained names, email addresses and phone numbers of staff, students and external parties.

HackBoss malware poses as hacker tools on Telegram to steal digital coins — Bleeping Computer

  • The authors of a cryptocurrency-stealing malware are distributing it over Telegram to aspiring cybercriminals under the guise of free malicious applications.

In Case You Missed It

Android banking trojan targets more than 450 apps

The SonicWall Capture Labs Threats Research team has yet again observed malicious Android banking trojans that target a large number of financial apps. This time the malicious app is spreading by masquerading as the Austrian PayLife bank app.


Sample Details:


Infection Cycle

Upon installation the application appears in the app drawer as follows:

Once executed, the application icon disappears from the app drawer, giving the victim the impression that the application is no longer present on the device. Next, it requests the Accessibility services permission from the victim:


Upon checking the AndroidManifest.xml file for the main activity, we see an entry for an activity that is not visible in the source code:

But on running the application on the device, a few files are dropped in the folder app_DynamicOptDex. The sample we analyzed dropped the following interesting files:

  • AWrQyH.dex
  • AWrQyH.json


Within the .json file, which is in reality a .dex file, we find the classes containing malicious code, including the main activity that was not visible earlier:


The malware is capable of accepting and executing the following commands:

  • Send_SMS
  • Flood_SMS
  • Download_SMS
  • Spam_on_contacts
  • Change_SMS_Manager
  • Run_App
  • StartKeyLogs
  • StopKeyLogs
  • StartPush
  • StopPush
  • Hide_Screen_Lock
  • Unlock_Hide_Screen
  • Admin
  • Profile
  • Start_clean_Push
  • Stop_clean_Push


Based on the commands and functionality, it appears that this malware is capable of carrying out a number of dangerous actions from the infected device:

  • Critical SMS-related actions
  • Capturing the victim’s keystrokes
  • Sending SMS messages to contacts; this may include the ability to spread the infection to people in the victim’s contacts


The malware we analyzed communicates with a hardcoded server, autolycus.ug.


During our analysis, the malware communicated with the server by sending encrypted data to gate.php. However, we did not receive any communication back from the server:


We observed the following VirusTotal graph for this domain:


The source code for this app contains a list of apps that are monitored by the malware. This list of around 455 apps consists mostly of financial apps. A few of the targeted apps are listed below; the complete list can be obtained here:

  1. ar.com.santander.rio.mbanking
  2. at.volksbank.volksbankmobile
  3. au.com.bankwest.mobile
  4. com.bancomer.mbanking
  5. com.bankaustria.android.olb
  6. com.bankofqueensland.boq
  7. com.bbva.mobile.pt
  8. com.CredemMobile
  9. com.db.pbc.DBPay
  10. com.desjardins.mobile


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Banker.AL (Trojan)


Indicators of compromise (IOCs):

  • 670e49e6cdb47f8e6121fc706b2c6886
  • 6fb48c0121f446c3010867f02e0b53ee
  • e030c8ba233ea0b3b50daafbe54605a6

Runsomeaware ransomware as a service actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant of the Runsomeaware RaaS family actively spreading in the wild. Ransomware as a service (RaaS) is a subscription-based or free model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks; the operators earn a percentage of each successful ransom payment. RaaS is an adaptation of the Software as a Service (SaaS) business model.

Runsomeaware encrypts the victim’s files with a strong encryption algorithm.

Runsomeaware is a multi-component RaaS family, and its proof of concept (PoC) has been released in the wild by its developers.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Filename].graysuit

Once the computer is compromised, the ransomware runs the following commands:

When Runsomeaware is started it will create and assign a unique ID number to the victim then scan all local drives for data files to encrypt.

When encrypting files, it uses the AES encryption algorithm and encrypts all files except those with the following extensions:

The ransomware encrypts all the files and appends the [.graysuit] extension onto each encrypted file’s filename.

The operators are active on a Discord channel and have released a few tutorials on YouTube and GitHub.

Recently, Discord has become a handy mechanism for cybercriminals: it is being used to serve up malware to victims in the form of a link that looks trustworthy. In some cases, attackers have integrated Discord into their malware for C&C of the code running on infected machines, and even to steal data from victims.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Runsomeaware.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

A Look Back: SonicWall Reflects on its 42nd CRN Award

For many, the number 42 holds an elevated degree of significance. Sports fans will recognize it as MLB great Jackie Robinson’s jersey number. Comic book fans will associate it with the spider that bit Miles Morales, creating the next Spider-Man. And science-fiction fans will remember it as “the answer to the ultimate question of life, the universe, and everything,” as revealed by supercomputer Deep Thought in Douglas Adams’ 1979 novel, The Hitchhiker’s Guide to the Galaxy.

It has added significance for SonicWall, as well: It’s the number of CRN awards that SonicWall, its team and its partner program have received since 2016.

President and CEO Bill Conner has been a key driver behind the numerous awards bestowed upon the company and its team members, products and partner program since taking the helm at SonicWall. During his tenure, the company’s channel leaders have consistently earned spots on CRN’s lists of ‘Channel Chiefs’ and ‘Most Influential’ — including this year’s honorees, Bob VanKirk, HoJin Kim and Dave Bankemper. A testament to the diversity of its expansive, global channel team, several SonicWall channel drivers have also been recognized as ‘CRN Women of Channel.’

“After arriving at SonicWall, I was blown away by the company’s portfolio, team and partner program,” Conner said. “I wanted all of those who had been working hard to feel appreciated and recognized for a job well done. Looking back at the tally of CRN awards is satisfying, and also a reflection of where we have taken this company as a team.”

SonicWall itself has been the recipient of numerous awards, and has been honored on lists such as ‘Coolest Network Security Vendors’, ‘The 25 Hottest Edge Security Companies’ and ‘Security 100’, which provides a look at 100 vendors across five market segments to help solution providers determine which security technologies and vendors they can place their bets on in a crowded market.

SonicWall’s products have earned their share of accolades as well, including ‘2021 Tech Innovator’ for the SonicWall TZ 570, 670 and NSsp 15700; ‘2018 Products of the Year’ for SonicWall Capture Cloud Platform; and SonicWall Email Security, which received top marks in the ‘2018 Annual Report Card’ based on performance in 24 product categories, including product innovation, support and partnership.

“We’re proud of our work here at SonicWall, our offerings, and our partner program but, most importantly, we’re proud of the loyal and dedicated support we get from our amazing partners around the world,” said SonicWall VP, Worldwide Channel Sales HoJin Kim.

For additional details regarding SonicWall accolades, please visit https://www.sonicwall.com/about-sonicwall/awards.

Laravel Ignition Remote Code Execution Vulnerability

Ignition versions prior to 2.5.2, as used in Laravel and other products, allow unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents and file_put_contents. This is exploitable on sites using debug mode with Laravel versions prior to 8.4.2.

Ignition is a beautiful and customizable error page for Laravel applications running on Laravel 5.5 and newer. It is the default error page for all Laravel 6 applications. It also allows you to publicly share your errors on Flare. If configured with a valid Flare API key, errors in production applications will be tracked, and you’ll get notified when they happen. It hooks into the framework to display the uncompiled view path and your Blade view, and it has various features such as app, user, context and debug tabs. It not only displays errors but also suggests a solution.

Vulnerability | CVE-2021-3129

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code. This is exploitable on sites using debug mode with Laravel before 8.4.2.

The vulnerability lies in the way the file_get_contents function is used in the MakeViewVariableOptionalSolution.php module of Ignition. The path passed to file_get_contents is not checked, and an attacker can abuse this weakness to read and write code of the attacker’s choice at a path the attacker specifies.

This vulnerability has been patched. In the patched code, the path is checked before file_get_contents reads its contents.


Threat graph:


SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15444: Laravel Ignition Insecure Deserialization 1
    • IPS 15445: Laravel Ignition Insecure Deserialization 2

Cybercrime on Campus: How Education Became Attackers’ Biggest Target

At the core of educational philosophy is the idea that no two schools (or students) are alike. But regardless of differences in location, revenue or grade level, educational institutions are increasingly facing a common problem: They’re all being targeted by cybercriminals and an arsenal of malware, ransomware and other sophisticated cyberattacks.

In just the past month or so, more than half a dozen K-12 and primary schools, colleges and universities have been hit with ransomware attacks, including two colleges in Dublin, Ireland; a K-12 school district in Fort Lauderdale, Fla., that serves nearly 300,000 students; and a small school system in Basking Ridge, N.J.

But while this wave of attacks is alarming, it’s nothing new. Cyberattacks on schools have been happening for years, but 2020 pushed the number of these attacks to new heights, making 2020 a “record-breaking” year for cyberattacks on American schools.

According to an alert issued by the FBI, in August and September 2020 the percentage of ransomware incidents involving K-12 schools jumped from 28% to 57%. What’s even more concerning is that this figure doesn’t even include colleges and universities, many of which have been at the center of high-profile attacks.

But this isn’t a uniquely American problem. In a statement issued in March, Britain’s National Cyber Security Centre (NCSC) noted spikes in cyberattacks among educational institutions in the UK in August and September 2020, along with another wave of attacks as students were preparing to return to class this past February.

“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing,” the statement read. “It is therefore vital that organizations have up-to-date and tested online backups.”

SonicWall Capture Labs threat researchers recorded similar trends in the recently released 2021 SonicWall Cyber Threat Report. In 2020, ransomware rose 62% globally, bolstered by disruption from the COVID-19 pandemic, the large-scale shift to remote work and an all-time high in the price of Bitcoin.

Broken down by industry below, our data shows that education is being increasingly targeted. The number of ransomware attempts per education customer remained comparatively low in the first part of 2020. However, in October it skyrocketed. And in December, the number of ransomware attempts per customer in education was higher than in any other industry in any other month.

While non-ransomware cyberattacks don’t tend to make as many headlines, they can also be highly disruptive and costly. Unfortunately, the education industry didn’t fare any better when it came to most other attack vectors.

Education customers were more likely to see cryptojacking and IoT malware attempts, with the latter being particularly concerning. The number of IoT malware attempts per customer in education was higher than for any other industry. Moreover, a significantly higher percentage of education customers was targeted by IoT malware than for any other industry — a trend which held for the entire year.

Unfortunately, with many workers still remote, schools struggling to operate on hybrid models as reopening progresses, and Bitcoin now trading at more than double the record it set at the end of last year, attacks have continued to rise. And cybercriminals, emboldened by prior successes, are getting greedier.

In early March 2021, the Broward County School District in Fort Lauderdale, Fla., found itself on the receiving end of a $40 million ransom demand — the second-highest ever. The average ransom demand now stands at $447,000, an amount that doesn’t even account for remediation or any of the other costs associated with an attack.

But those who opt not to pay the ransom — or who are targeted by another type of malware — may still take a huge financial hit. According to Ponemon Institute, in 2020 the average cost of a data breach in education was $3.9 million. The cost and frequency of these incidents has grown to the point that, in late March 2021, the credit rating agency Moody’s Corp. warned that a continued worsening of attacks could impact the credit ratings of higher-ed institutions, which could compound the difficulties these institutions have had mounting an effective cybercrime defense in the first place.

There may be hope on the horizon, however. With the signing of the American Rescue Plan Act of 2021 (ARP) in March, the existing E-rate program — which provides a source of funding for U.S. public and private K-12 schools and libraries — received a $7.1 billion infusion in the form of the Emergency Connectivity Fund. Unlike with traditional E-rate funds, this additional funding can be used for cybersecurity needs both on and off campus.

The ARP also included a $40 billion increase in the Higher Education Emergency Relief Fund (HEERF), on top of the $14 billion originally approved as part of the CARES Act in March 2020. While some of this money is earmarked for student assistance, the institutional portion can be used to improve campus cybersecurity.

This funding will provide a much-needed boost to cybersecurity efforts in the education sector, but unfortunately it won’t be available immediately. In the meantime, schools should continue following guidance issued by bodies such as CISA and the UK’s National Cyber Security Centre, as well as established best practices.

To learn more about how cyberattacks on education compare to those in other industries, such as healthcare, retail and government, download the 2021 SonicWall Cyber Threat Report.