As early as December of last year, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) received reports of several cyber attacks targeting K-12 distance learning institutions. Investigations revealed a number of threats putting not only the institutions but their students at risk of ransomware infection, data theft, and learning disruption.

Threat actors are known for targeting insufficiently protected networks, which, unfortunately, is often true for educational institutions. Microsoft Security Intelligence, in fact, touts the education sector as the top industry most affected by cyberthreats in the last 30 days.

This post will tackle some of the ransomware (one of the greatest threats to the education sector) variants that were used in the attacks.

Ransomware: The Bane of the K-12 Institution Targets

The threat actors behind the recent spate of cyber attacks used four malware variants to get to their targets, two of which (i.e., Cerber and Kovter) are ransomware.

Cerber

Cerber is known for its sophisticated detection evasion tactics aided by machine learning (ML) algorithms, allowing it to encrypt files in offline mode. It ranked fourth in the top 10 malware as of July 2020, according to the Center for Internet Security (CIS).

Confirmed Malicious Cerber Domains

We obtained the following list of confirmed malicious domains related to Cerber from VirusTotal:

• btc[.]blockr[.]io
• p27dokhpz2n7nvgr[.]1hpvzl[.]top
• hjhqmbxyinislkkt[.]1j9r76[.]top
• cs11[.]wpc[.]v0cdn[.]net

The attackers also used the potentially hijacked subdomain a767[.]dscg3[.]akamai[.]net, which uses a legitimate root domain, possibly as an added precautionary measure against blocking.

We ran the domains on Subdomains Lookup and discovered close to an additional 30 subdomains that could figure in similar attacks. Examples of these include two[.]blockr[.]io and cs1[.]adn[.]v0cdn[.]net.

K-12 distance learning institutions may also benefit from monitoring typosquatting domains that could be related to Cerber or ransomware and malware attacks in general.

We downloaded the typosquatting data feed for the whole month of December 2020 and found some domains like xingkongyx147[.]top and its 31 variations that were bulk-registered on 1 December 2020. Those appear to use randomly generated numbers, a characteristic that two Cerber-connected domains (i.e., p27dokhpz2n7nvgr[.]1hpvzl[.]top and hjhqmbxyinislkkt[.]1j9r76[.]top) share. Note, however, that this characteristic is not unique to Cerber. Many malware use domain generation algorithms (DGAs) to come up with diverse URLs for their hosts.

Kovter

Kovter takes its roots as a police ransomware but has evolved to become a fileless click fraud malware or downloader that evades detection and consequent blocking by hiding in registry keys. Some variants can have backdoor capabilities, letting operators know what exactly goes on in infected systems. It ranked ninth in the CIS top 10 malware in July 2020.

Confirmed Malicious Kovter Domains

We applied the same technique for this malware and obtained the confirmed malicious domain www[.]yixun[.]com. A subdomain lookup for it turned up 12 potentially harmful links that organizations want to consider avoiding to prevent Kovter infection. Examples include ecclogin[.]yixun[.]com, campus[.]yixun[.]com, and total[.]yixun[.]com.

Like Cerber, Kovter also used potentially hijacked subdomains that fall under a legitimate root domain, particularly dc[.]services[.]visualstudio[.]com.

As this post showed, digging deeper into known ransomware distribution domains affecting K—12 distance learning providers and other organizations is possible with domain intelligence feeds—notably to gather a list of potentially harmful subdomains and bulk-registered domains.

If you’re a security researcher or solution provider interested in knowing more about the threats currently targeting the education industry, contact us for more information about the IoCs and artifacts found in this piece.