The FBI Alerts that U.S. Academic Access Credentials Are on Sale on the Dark Web

IBL News | New York

Russian cybercriminal forums are offering U.S. college and university credentials for sale at prices ranging from a few dollars to several thousand. Last week, the FBI warned that public and dark web forums were advertising credentials and network access information, especially for privileged user accounts.

This exposure could lead to cyber attacks against individuals or organizations, said the Bureau. “Credential harvesting against an organization is often a byproduct of spear-phishing, ransomware, or other cyber intrusion tactics.”

COVID-themed phishing attacks aimed at stealing university login credentials, both usernames and passwords, have ramped up recently.

In May 2021, over 36,000 email and password combinations for email accounts ending in .edu were identified on a publicly available instant messaging platform.

The FBI recommends colleges and universities establish and maintain strong liaison relationships with the field offices in their region. “Through these partnerships, the FBI can assist with identifying vulnerabilities to academia and mitigating potential threat activity.”

Some specific recommendations are:

  • Keep all operating systems and software up to date.
  • Implement user training programs and phishing exercises for students and faculty to raise awareness about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.
  • Require strong, unique passwords for all accounts with password logins and establish lock-out rules for incorrect password attempts. Avoid reusing passwords across multiple accounts or storing them on systems where an adversary may gain access.
  • Require multi-factor authentication (MFA), preferably using phishing-resistant authenticators, for as many services as possible – particularly for accounts that access critical systems, webmail, virtual private networks (VPN), and privileged accounts that manage backups.
  • Reduce credential exposure and enforce credential protection by restricting where accounts and credentials can be used and by using local device credential protection features.
  • Segment networks to help prevent unauthorized access by malicious actors or the spread of malware.
  • Identify, detect, and investigate abnormal activity with network-monitoring tools that log and report all network traffic, including lateral movement on a network.
  • Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts.
  • Enforce the principle of least privilege through authorization policies. Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
  • Secure and closely monitor remote desktop protocol (RDP) use.
  • Document external remote connections.
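As an added illustration of the lock-out rules and failed-authentication anomaly detection recommended above (example code written for this page, not from the FBI notice or IBL News; the log format, threshold, window and sample lines are constructed assumptions), this sliding-window check flags any account/source pair whose failed logins reach the threshold within the window:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data); the line format
# and the documentation-range IP addresses are assumptions for this example.
SAMPLE_LOG = """\
2021-05-12T08:00:01Z auth FAILED user=jdoe@example.edu src=203.0.113.5
2021-05-12T08:00:04Z auth FAILED user=jdoe@example.edu src=203.0.113.5
2021-05-12T08:00:07Z auth FAILED user=jdoe@example.edu src=203.0.113.5
2021-05-12T08:00:09Z auth FAILED user=jdoe@example.edu src=203.0.113.5
2021-05-12T08:00:12Z auth FAILED user=jdoe@example.edu src=203.0.113.5
2021-05-12T08:00:15Z auth OK user=jdoe@example.edu src=203.0.113.5
2021-05-12T08:05:00Z auth FAILED user=asmith@example.edu src=198.51.100.7
2021-05-12T08:30:00Z auth FAILED user=asmith@example.edu src=198.51.100.7
2021-05-12T09:00:00Z auth OK user=asmith@example.edu src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) auth (FAILED|OK) user=(\S+) src=(\S+)$")


def parse(text):
    """Yield (timestamp, outcome, user, source_ip) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def failed_auth_bursts(text, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, src): time_of_first_alert} for every account/source pair
    whose FAILED attempts reach `threshold` inside a sliding time `window`.
    Only the first crossing is reported so one burst yields one alert."""
    recent = defaultdict(deque)  # per key: timestamps of failures in window
    alerts = {}
    for ts, outcome, user, src in parse(text):
        if outcome != "FAILED":
            continue
        key = (user, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts
```

Two isolated failures 25 minutes apart (asmith) stay below the threshold, while five failures within 11 seconds (jdoe) raise an alert at the fifth attempt, which is the event a lock-out rule or SOC alert would act on.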