Hackers selling network access to 7500 educational establishments have reportedly dropped their asking price.
Reports emerged last week that access was being sold by a threat actor on multiple Russian hacker forums and as well as educational organizations. The package also included access to corporate networks from other verticals, such as entertainment and the bar industry.
In particular, access to the networks via remote desktop protocol was being sold, with the initial bid for the entire package starting at 25 BTC (roughly $330,000) and the buy now an option at 75 BTC (about $1,000,000).
In an email to Infosecurity, Kacey Clark, a security researcher at Digital Shadows, said these were posted on the Russian-language cyber-criminal forums Exploit and XSS; however, they are yet to receive any responses from other forum users on either platform.
“There are no indications yet as to which entities/organizations are involved, and this will likely remain the case to keep the offering available,” Clark said.
Digital Shadows also confirmed that the threat actor reduced the asking price to BTC 10 (USD 155,300) from BTC 25 (USD 387,000) on November 4, “but this is still a significant amount of money even on these forums, hence why it might be taking longer to sell,” Clark said.
Clark also made the point that whilst the user only registered on the forums relatively recently, they have deposited significant funds into both of their forum accounts, likely in an effort to substantiate their credibility on these forums and justify the legitimacy of their presence.
“Interestingly, they have even sponsored the most recent articles competition on XSS, which indicates they have developed an effective relationship with the administrator on this platform and again highlights their potential prowess,” she said. “Although this does not provide insight into the actual legitimacy of the offering, it likely indicates the vendor is legitimate and credible in their offering.”
Mark Kerrison, CEO at New Net Technologies, said: “Educational establishments could be a particularly tantalizing target for research and intellectual property theft, especially if linked to COVID-19 research. Cyber-criminals are economically rational in their behavior and will price their ‘offer’ of credentials to maximize returns, in the shortest time, for the smallest of efforts.”
Commenting, Matt Walmsley, EMEA director at Vectra, said, as we move to a world of zero trust, identity is the new perimeter, and so access to live credentials makes an attacker’s task significantly easier. “Whether captured from data dumps of inadvertently public repositories, gained through social engineering or through more traditional vulnerability exploitation and network penetration, these credentials offer an open door through which attackers will pay to walk through then move and expand their influence and establish the privileged access needed to meet their nefarious goals,” he said.