Further targeted ransomware attacks on the UK education sector by cyber criminals

Since late February 2021, an increased number of ransomware attacks has affected education establishments in the UK, including schools, colleges and universities. The NCSC previously acknowledged an increase in ransomware attacks on the UK education sector during August and September 2020, and has therefore updated this Alert in line with the latest activity. The NCSC urges all organisations to follow its guidance on ‘Mitigating malware and ransomware’, which details a number of steps organisations can take to disrupt ransomware attack vectors and enable effective recovery from ransomware attacks.

College closes all campuses for a week following ‘major’ cyber attack

All of South & City College Birmingham's eight sites have closed and will return to online teaching after being hit by a ‘major’ ransomware attack that disabled core IT systems. The attack occurred just one week after students returned to campuses for physical lessons. The college has allegedly confirmed to FE Week that the attack, which took place on Saturday 13th March, involved data “on a number of servers and workstations connected to our domain” being encrypted by ransomware, and stated that “a volume of data has been extracted from our servers”.

The college has stated that the Government and the Information Commissioner’s Office have been informed of the incident and that forensic specialists have been working to fix the problem.

Illegal Mobile Application with More Than 100 Million Users Taken Down in Spain

Europol aided the Spanish National Police (or Policía Nacional), as well as law enforcement in Andorra and Portugal, in disassembling a group of criminals distributing illegal video streams.

The investigation started in October 2018 after the Spanish National Police received reports from several organisations (including the Premier League and the Spanish Football League) regarding a mobile phone app, with over 100 million users, that was illegally distributing streams of videos and TV channels. The investigation has resulted in 3 house searches (2 in Spain and 1 in Andorra), 4 arrests (4 in Spain and one in Andorra), 4 court orders to take down domains, 20 web domains and servers blocked, 1 server in Portugal taken down with 1 in Czechia under investigation, and bank accounts being frozen.

Nurseries sent first official cyber-attack warning

The NCSC has warned nurseries and childminders of the threat of cyber attacks in recent guidance that can be found here.

This marks the first time that the NCSC has given guidance to a sector that cares for such young children. It includes useful information on backups, tips on password protection, protecting devices from malware, how to deal with phishing attacks and more.

NCSC: Microsoft Vulnerabilities Exploitation - Updated Advice

The Background

Microsoft Exchange servers are widely used by many large organisations and government bodies. The software manages email (incoming, outgoing, drafts and saved messages) as well as calendar events. On March 2nd 2021, Microsoft publicly announced that threat actors had carried out several sophisticated attacks against a number of Microsoft Exchange servers.

In response to these incidents, Microsoft released patches ahead of its usual monthly update cycle, as 4 of the 7 vulnerabilities were being exploited in the attacks. While these updates rectify the vulnerabilities used in the attacks, a range of malicious actors are using automated tools to scan Microsoft Exchange servers for missing updates. When a server is identified as vulnerable (without the security updates), criminals can then install malware. On March 11th, it was reported that threat actors had also exploited these vulnerabilities to install ransomware onto a network.

What servers are affected?

The vulnerabilities are affecting:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Exchange Online (part of Microsoft 365) is NOT affected.

NCSC’s Updated Recommended Priority Actions

1. Install the latest updates immediately

This should be the key step for any UK organisation using an affected version of a Microsoft Exchange Server.
  • The latest security updates can be found on the Microsoft website.
  • Microsoft has produced an additional series of security updates that can be applied to some older (and unsupported) Cumulative Updates (CUs). This is only intended as a temporary measure to protect vulnerable servers in the short term. Organisations still need to update to the latest supported CU and then apply the applicable security updates.
  • If you are uncertain about how to update Exchange servers or unsure if you have installed an update successfully refer to Microsoft support documents.
  • The Microsoft Exchange Server Health Checker can be consulted if you are unsure whether you are using an affected server or are unsure of its update status.

2. If updates cannot be installed, the recommended Microsoft mitigation measures should be implemented.

These mitigation measures are only recommended where updating is not possible and are only temporary measures.

3. If it is not possible to install the updates or apply the mitigation measures, then the NCSC recommends isolating the Exchange Server from the internet by:
  • Blocking untrusted connections to the Exchange server on port 443.
  • If a secure remote access solution is already in place (e.g. a VPN or VDI), configuring Exchange to be available remotely only via that solution.

4. The NCSC strongly advises that all organisations using affected versions of Microsoft Exchange Server proactively search their systems for evidence of compromise in line with the Microsoft guidance found here.
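The following audit script is an added example, not NCSC's or Microsoft's own tooling. It checks two of the priority actions above on a single on-premises Exchange server: whether the installed build matches the expected patched build (Step 1) and whether any host firewall rule still exposes TCP 443 to any remote address (Step 3). The expected build and the VPN subnet are placeholders to fill in from Microsoft's release notes and your own network design.

```powershell
# Added audit script (not NCSC's or Microsoft's own). Run locally on each on-premises
# Exchange server in an elevated Exchange Management Shell. Placeholders below are
# assumptions: fill in the patched build for your CU and your remote-access range.
$ExpectedBuild = 'FILL-IN-FROM-MICROSOFT-RELEASE-NOTES'   # e.g. the March 2021 SU build for your CU
$VpnSubnet     = '10.200.0.0/16'                          # placeholder: the only range that should reach 443

# Step 1 check. ExSetup.exe's file version reflects security updates, whereas
# AdminDisplayVersion only tracks the Cumulative Update, so compare the file version.
$current  = (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
$family   = ($current -split '\.')[0..1] -join '.'        # 15.0 = 2013, 15.1 = 2016, 15.2 = 2019
$affected = $family -in @('15.0', '15.1', '15.2')
"ExSetup build: $current   affected family: $affected   expected: $ExpectedBuild"
if ($affected -and $current -ne $ExpectedBuild) {
    Write-Warning 'Security update not confirmed: apply Step 1, or Step 2 mitigations until you can.'
}

# Step 3 check. Enabled inbound allow rules that open TCP 443 (or all ports) to any remote address.
$exposed = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
    $p = $_ | Get-NetFirewallPortFilter
    $a = $_ | Get-NetFirewallAddressFilter
    ($p.Protocol -in @('TCP', 'Any')) -and
    ($p.LocalPort -eq 'Any' -or $p.LocalPort -contains '443') -and
    ($a.RemoteAddress -eq 'Any')
}
"Rules exposing HTTPS to any remote address:"
$exposed | Select-Object DisplayName, Profile, Direction | Format-Table -AutoSize

# Suggested remediation where updating is not yet possible: allow 443 only from the
# remote-access solution, then disable the broad rules listed above. Review before running,
# and remember a perimeter firewall in front of the server needs the same restriction.
# New-NetFirewallRule -DisplayName 'HTTPS from VPN only' -Direction Inbound -Protocol TCP `
#     -LocalPort 443 -RemoteAddress $VpnSubnet -Action Allow
# $exposed | Disable-NetFirewallRule
```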

Further information regarding indicators of compromise and detection can be found at:

Covid: White hat bounty hackers become millionaires

Ethical hackers made a record £28 million in 2020 by reporting software flaws through a popular bug bounty platform, HackerOne. The company has stated that 9 white hat hackers have each made more than $1 million after reporting their findings to the affected organisations.
The top earning bounty hacker in the UK received $370,000 last year.

WeLeakInfo Leaked Customer Payment Info

The FBI and overseas law enforcement partners seized WeLeakInfo, a popular site that sold access to over 12 billion stolen usernames and passwords taken from hacked websites. However, a recent lapse in a domain registration linked to WeLeakInfo allowed a malicious actor to access and publish sensitive account information, including payment details, of 24,000 customers who had used the service and paid by credit card.

Magecart Attackers Save Stolen Credit-Card Data in .JPG File

Magecart threat actors have adopted a novel way to mask their malicious activity: saving data skimmed from online credit-card payments as a .JPG file on the compromised website. The technique was discovered by researchers at Sucuri during an investigation of a compromised e-commerce website running Magento 2.

Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data

A bug in the current version of Zoom’s screen sharing feature meant that parts of the presenter's screen that they did not intend to share were being shown. The glitch (CVE-2021-28133) only leaked the additional information briefly, meaning that practical attacks would have been difficult to carry out.

Cyber Choices: Virtual School and Education Events

Join our online webinars aimed at schools and educational organisations for advice and support on how we can help young people make informed cyber choices and use their cyber skills in a legal way.

Please note: All participants are screened before being invited to the event. Please use your corporate school email address when registering.

Cyber Aware - Training for staff: Sports Organisations

Join our monthly online webinars aimed at sports organisations and discover the latest attacks businesses are facing, the social engineering tactics being used to gain data and the latest awareness training that staff need to know.

Please note: All participants are screened before being invited to the event. Please use your corporate sports email address when registering.

If you think you may have been the victim of fraud or cybercrime and incurred a financial loss, or have been hacked as a result of responding to a phishing message, you should report this to Action Fraud.

Spotted a suspicious email? If you have received an email which you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS):

Alternatively you can call 0300 123 2040 to report and obtain advice about fraud or cyber crime.
Our lives rely on technology more every day. Join us each week for your bitesize cybersecurity podcast. In this increasingly technical world we deliver non-technical cyber news and identify the current threats we’re facing.
Over 15,000 people reported their email or social media accounts were hacked last year. Have you secured your accounts properly? #SecureYourAccounts


The WMCRC works with local universities and police forces in Staffordshire, West Midlands, West Mercia and Warwickshire to give you access to the latest information on emerging cyber threats, criminal trends and best practice to protect your business.
Copyright © 2021 West Midlands Regional Cyber Crime Unit, All rights reserved.
