Cybersecurity Threat Trends in Higher Education
Author: Michael OConnor
Date: 10-14-2024
Highlights
- Cybersecurity threats continue to increase due to higher education's reliance on digital infrastructure, open networks, and the storage of sensitive information.
- Higher education institutions are prime targets for ransomware, identity theft, and other cyberattacks.
- Ransomware remains the number one threat trend in higher education.
- Since 2020, 10% of community colleges in Illinois have been hit with some form of cybersecurity attack resulting in either system downtime, data disclosure, or both.
- Malvertising, the use of web advertisements on legitimate websites to spread malware or phish for user credentials, is becoming more prevalent.
Introduction
2024 continued to see an increase in cybersecurity threats in higher education due to a reliance on a constantly growing digital infrastructure, the openness of educational networks, and the personal information stored in these systems. These factors make higher education institutions prime targets for both digital financial extortion, e.g. ransomware, and identity theft.
While the top two threats, ransomware and phishing, have remained the same for the past few years, malvertising, a new cyberattack method that embeds malicious code within digital advertisements, has begun to make inroads because it is difficult to detect and reaches large audiences via legitimate third-party advertising sites.
Ransomware
Ransomware is still the number one threat facing higher education today. It is a cyberattack where a threat actor uses malicious software, also referred to as malware, to encrypt a victim's files, effectively locking them out of their systems until a ransom is paid.
By now the majority of you have heard of such attacks, mostly through the media, but you may have also received letters from various organizations and companies informing you that some of your information was disclosed as part of a cyberbreach. In many cases, these information disclosures happen because a ransom is not paid, and the threat actors release the company's confidential and sensitive information out onto the Web.
Higher education in Illinois is no different, and since October 2020 I am aware of seven Illinois colleges, five of which are community colleges, that have been targeted to date. If you were to ask me my opinion, I believe there are possibly more; however, they were able to keep their breaches quiet as no confidential or sensitive information was released publicly. Illinois law does require organizations to notify individuals whose information is released publicly in a cyberbreach.
Here are some of the facts that we know about a few of those seven Illinois colleges:
- Lincoln College, a 157-year-old institution, cited its inability to recover after being a victim of a ransomware attack as one of its key reasons for closing in 2022 (npr). – Date of attack: 12/2021
- Illinois Valley Community College (IVCC) experienced a breach shortly after the college closed its campus for COVID, a prime time for threat actors to attempt to work undetected. College services were unavailable for weeks, and even nine months after the ransomware attack, IVCC still had not recovered all systems (npr). – Date of attack: 4/2020
- College of DuPage's data breach resulted in the release of personal and tax information of over 1,700 current and former employees (itsecurityguru). – Date of attack: 3/2020
- South Suburban College experienced a ransomware attack in 2023, after which it issued 96,012 data breach notifications informing users that their names, Social Security numbers, addresses, and dates of birth may have been disclosed (comparitech). – Date of attack: 11/23
As you can see, the threat to our community colleges is "real" and closer to home than you might think. The impact of ransomware is more than just financial. It also disrupts our students' education, costs our employees productivity, and can tarnish our reputation as a trustworthy partner in the community.
Phishing and Smishing
Phishing remains near the top but with a slight twist: we are seeing an increase in "smishing" attacks. Smishing is a concatenation of SMS (short message service), i.e. texting, and the word "phish". It is an out-of-band attack where, instead of using e-mail, the threat actor uses texting to communicate with the target in hopes of getting them to either carry out a certain action or divulge confidential information.
Just two weeks ago we heard from a handful of KCC employees who received a text purportedly from Dr. Boyd asking, "Are you available?" While we don't know exactly what the threat actor wanted, we can surmise it was more than likely a "gift card" scam or an attempt to get the target to divulge their username and password.
After this last attempt, I wanted to have a better understanding of how a smishing operation was able to get our employees' personal text numbers when, after all, this information is not shared publicly on the KCC website or on any other information service the College controls.
What I discovered is that these operations are incredibly good at data mining and then drawing correlations between the data sets to compile a single dossier on an individual, which contains all, or most, of the individual's personal information. In many cases, these data sets come from prior data breaches (think Ticketmaster, Home Depot, Target, etc.), and in much the same way that Facebook uses its algorithms to know your likes and friends and to make recommendations, these operations use their algorithms to create targets.
Malvertising
Malvertising is a relatively new method by which threat actors create advertisements that appear legitimate but are actually designed to install malware or phish for information. What makes malvertising particularly troublesome is that it leverages existing advertising networks on the web. This means that even if you are on a reputable website, if it uses a third-party ad provider like Google's AdSense, it could still serve ads containing malware.
Coming Up
For our next post, I'll discuss the specific actions that KCC's ITS department takes to keep our data and systems safe as well as steps that our employees can take to avoid the various cyberattacks that were discussed in this post. - MO