A Cybersecurity Firm Assessed a State's Entire Education System, Finding Thousands of Security Risks

Cyber Security Works, an IT risk management company and partner agency of the U.S. Department of Homeland Security, recently conducted an assessment of an entire state’s public education system, analyzing the security posture across 180 school districts and charter schools.

The investigation included a scan of 1,172 IT infrastructure assets, revealing 2,221 potential IT security problems, including 519 unique vulnerabilities, according to the assessment report by CSW, which does not identify which state requested the assessment.

CSW’s report noted that 17% of the vulnerabilities identified are known to be used by threat actors in cyber attacks against U.S. schools, and 33 of them would “allow hackers to remotely execute malicious code.”

As a result of the report to the state’s education agency, 30 schools immediately remediated the vulnerabilities known to be weaponized by threat actors, improving their security posture, CSW said.

CSW, with offices in Albuquerque and in India, provides risk management, security management, exposure management, and compliance services to public and private organizations in the United States, United Arab Emirates, India, and Asia. The firm is sponsored by and works with DHS’s Cybersecurity and Infrastructure Agency.

In its report — which includes a few key steps it urges school districts to take to reduce the risk of cyberattacks and data breaches — CSW said it found “374 vulnerabilities (that) are weaponized and can be exploited by attackers to gain access to the school systems and steal data.”

“Based on our AI and ML-based predictive analysis, CSW researchers warned that 78 of the existing vulnerabilities are most likely to be exploited by malicious actors and need to be remediated immediately,” the report said.

A List of the Cyber Risk Findings Considered Common Among Schools

A breakdown of the vulnerabilities identified in the assessment is as follows:

  • RCE/PE Vulnerabilities: CSW identified 33 remote code execution/privilege escalation (RCE/PE) vulnerabilities to be remediated immediately. “If left unchecked, data loss and access loss are imminent.”
  • Ransomware-Associated Vulnerabilities: Three of the districts assessed had “vulnerabilities that have known ransomware exploitation instances:
    • CVE-2019-11043 associated with NextCry ransomware. This ransomware encrypts files on the NextCloud servers. This is a trending PHP CVE which has maximum possibility of exploitation in schools and NAS devices. Our recommendation to schools was to upgrade to PHP version 7.3.11 and to remediate the vulnerability immediately.
    • CVE-2021-34473 associated with Lockfile, BlackByte, and Conti ransomware groups. Our research also shows that the Conti and Lockfile groups are actively being deployed by APT groups like Wizard Spider, Exotic Lily and DEV-0401 to attack prominent organizations.
    • CVE-2018-19943, a command injection vulnerability, and CVE-2018-19949 associated with eCh0raix Ransomware.”
  • Vulnerabilities on CISA’s KEV list: CSW’s report said that 374 of the discovered vulnerabilities are on CISA’s Known Exploited Vulnerabilities (KEV) list of known instances of exploitation.
  • Vulnerability Aging: CSW noted that 22% of the vulnerabilities “could potentially be present in systems since 2001 (based on the vulnerability age), which is extremely dangerous as there are many attack methodologies readily available and refined over the years.” Nearly half, or 45%, of the exploits are less than 6 years old, CSW said.

Four Commonly Missed Exposures K-12 IT Leaders Should Look For

CSW’s assessment report included a list of recommendations for education IT practitioners, covering commonly overlooked vulnerabilities that can provide an open door to threat actors. In addition to the usual recommendations, such as patching and addressing exposures due to misconfigurations, it listed a few education-specific items:

  • Devices with exposed SSH servers targeted by the FritzFrog P2P botnet attack
  • The APT group Sparkling Goblin adopted a new backdoor technique called SideWalk to penetrate cybersecurity defenses of multiple targets, including educational institutions.
  • Exposures in third-party software, including:
    • CVE-2022-1609, a critical vulnerability observed in School Management Pro, a WordPress plugin with over 340,000 customers, exploitation of which could allow complete control of school websites
    • Critical zero-day vulnerabilities were found in Fedena, a now-abandoned software used for school management.
    • “Misconfigured certificates in Eduroam, a free Wi-Fi network used by many universities, exposed the credentials of multiple users.”

Read the full report or learn more about CSW at CyberSecurityWorks.com’s blog.
