The FBI is warning institutions of higher learning that some VPNs and login credentials from their respective institutions have been compromised and are being sold on the dark web and public forums.
The information was announced on May 26, after cyber actors had been using techniques such as spear-phishing, ransomware, or other cyber intrusion tactics. These cyber actors are specifically targeting educational institutions by looking for domain accounts that end with .edu.
According to the announcement, these phishing attacks have only increased since the rise of the COVID-19 pandemic, as many universities shifted to online learning, and because of Russian actors trying to weaken American institutions.
The FBI sent out a series of recommendations aimed at deterring would-be cyber actors from accessing university credentials. The following are some of the steps institutions can take to stop such actors:
- Keep all operating systems and software up to date.
- Implement user training programs and phishing exercises for students and faculty to raise awareness.
- Require strong, unique passwords for all accounts with password logins and establish lock-out rules for incorrect password attempts.
- Require multi-factor authentication, preferably using phishing-resistant authenticators.
- Identify, detect, and investigate abnormal activity with network-monitoring tools that log and report all network traffic, including lateral movement on a network.
- Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts.
- Enforce the principle of least privilege through authorization policies. Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
Ultimately, “the FBI recommends colleges, universities, and all academic entities establish and maintain strong liaison relationships with the FBI Field Office in their region.”