Article from ZDNet
Ethical hackers testing the security of university networks found they were able to breach networks and access high-value data in under two hours in every single penetration test they performed.
Almost 50 universities across the UK were part of the test, and ethical hackers working on behalf of The Higher Education Policy Institute (HEPI) and Jisc, a not-for-profit digital support service for higher education, were able to successfully use spear-phishing attacks to gain access to sensitive information.
In some cases, it was possible in under an hour; in others, universities were compromised across multiple campuses.
Penetration testers were able to gain complete access to system information by acquiring domain-level administrator access to control systems. That enabled access to personal information about students and staff, information about financial records, and even the ability to hack into databases and networks containing sensitive research data.
A common tactic in spear-phishing attacks targeting universities is for cyber criminals to spoof an email to look as if it comes from a senior member of staff and send it to people they’re known to work closely with. These messages will send victims to websites that attempt to steal credentials, or contain attachments which will drop malware.
The public-facing nature of universities often means it’s easy for cyber criminals to conduct reconnaissance on the departments they’re targeting, as staff will be listed on the university website.
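As an added illustration (not part of the ZDNet article or the HEPI/Jisc report), the Python sketch below shows how a mail filter could flag the spoofing pattern described above: a message whose display name matches a senior member of staff but whose address is not the one on record, or whose replies are routed to a different domain. The domain names, the staff directory and the sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (assumption): senior staff display name -> address on record.
SENIOR_STAFF = {"prof jane smith": "j.smith@university.example"}

def normalise(name):
    """Lower-case, drop punctuation, collapse spaces: 'Prof. Jane  Smith' -> 'prof jane smith'."""
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in name.lower())
    return " ".join(cleaned.split())

def impersonation_findings(raw_message):
    """Return a list of reasons this message looks like senior-staff impersonation."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []

    # Check 1: the display name is a known senior staff member,
    # but the address is not the one held in the directory.
    expected = SENIOR_STAFF.get(normalise(display))
    if expected and addr != expected:
        findings.append("display-name-mismatch")

    # Check 2: replies would go to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != addr.rpartition("@")[2]:
        findings.append("reply-to-domain-differs")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = ('From: "Prof. Jane Smith" <jane.smith@mail.example.net>\n'
           'To: a.lee@university.example\n'
           'Subject: Urgent: please review\n\nSee the link.\n')
REPLY_TRICK = ('From: "Prof. Jane Smith" <j.smith@university.example>\n'
               'Reply-To: <j.smith@mail.example.net>\n'
               'To: a.lee@university.example\n'
               'Subject: Quick favour\n\nAre you free?\n')
GENUINE = ('From: "Prof. Jane Smith" <j.smith@university.example>\n'
           'To: a.lee@university.example\n'
           'Subject: Seminar room\n\nBooked for 2pm.\n')

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("reply-trick", REPLY_TRICK), ("genuine", GENUINE)]:
        print(label, impersonation_findings(raw))
```

Header checks like these complement, and do not replace, SPF, DKIM and DMARC validation at the mail gateway.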
The findings have been laid out in a research paper, which follows a series of high-profile hacking campaigns targeting universities over the course of the last year.
A North Korean advanced persistent threat group targeted individual academics with spear-phishing emails designed to trick them into downloading a malicious Google Chrome extension, while last summer an Iranian hacking operation was detected targeting universities around the world in an effort to steal intellectual property.
“Cyberattacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat,” said Dr John Chapman, head of Jisc’s security operations centre and the author of the report.
…
Read the full article here.