Network credentials and virtual private network (VPN) access for colleges and universities based in the U.S. are being advertised for sale on underground and public criminal marketplaces.
"This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations," the U.S. Federal Bureau of Investigation (FBI) said in an advisory published last week.
The cyber intrusions against educational institutions involve threat actors leveraging tactics like spear-phishing and ransomware to carry out credential harvesting activities. The gathered credentials are then exfiltrated and sold on Russian cybercrime forums for prices ranging from a few to thousands of U.S. dollars.
Armed with this login information, the agency pointed out, adversaries can proceed to conduct brute-force credential stuffing attacks to break into victims' accounts across different internet sites and services.
"If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations," the FBI cautioned.
For instance, in May 2021, the agency said it found more than 36,000 email and password combinations for email accounts ending in the ".edu" domain publicly available on an instant messaging platform, where they had been shared by a group that specialized in the trafficking of stolen login credentials.
To mitigate such threats, academic entities are urged to keep operating systems and software up to date, raise awareness about phishing, secure accounts with two-factor authentication, monitor remote access, and implement network segmentation to prevent the spread of malware.
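As an illustration of the "monitor remote access" recommendation, the following added example (not part of the FBI advisory or the original article) flags the typical credential stuffing pattern in VPN authentication logs: one source failing logins for many distinct accounts in a short window, followed by a success. The log format, the sample lines, the thresholds and the function names are all assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log; the line format is an assumption.
SAMPLE_LOG = """\
2022-06-01T02:14:03Z vpn-auth result=FAIL user=asmith@example.edu src=203.0.113.7
2022-06-01T02:14:09Z vpn-auth result=FAIL user=bjones@example.edu src=203.0.113.7
2022-06-01T02:14:15Z vpn-auth result=FAIL user=cwu@example.edu src=203.0.113.7
2022-06-01T02:14:22Z vpn-auth result=FAIL user=epark@example.edu src=203.0.113.7
2022-06-01T02:14:30Z vpn-auth result=FAIL user=fdiaz@example.edu src=203.0.113.7
2022-06-01T02:14:41Z vpn-auth result=OK user=dlee@example.edu src=203.0.113.7
2022-06-01T08:01:10Z vpn-auth result=FAIL user=gkhan@example.edu src=198.51.100.20
2022-06-01T08:01:25Z vpn-auth result=FAIL user=gkhan@example.edu src=198.51.100.20
2022-06-01T08:01:40Z vpn-auth result=OK user=gkhan@example.edu src=198.51.100.20
"""
LINE_RE = re.compile(r"^(\S+) vpn-auth result=(OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Return sorted (timestamp, result, user, source) tuples; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Map each source that failed logins for >= min_users distinct accounts inside
    `window` to the accounts it then logged into (candidates for a forced reset)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, res, user, _ in evs if res == "FAIL"]
        burst_start = None
        for start, _ in fails:
            users = {u for ts, u in fails if timedelta(0) <= ts - start <= window}
            if len(users) >= min_users:
                burst_start = start
                break
        if burst_start is not None:
            findings[src] = sorted({u for ts, res, u, _ in evs
                                    if res == "OK" and ts >= burst_start})
    return findings
if __name__ == "__main__":
    print(detect_stuffing(parse(SAMPLE_LOG)))
```

A user who mistypes their own password twice (the `198.51.100.20` lines) is not flagged, because the check keys on the number of distinct accounts per source rather than on raw failure counts.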