Colorado State University says data breach impacts students, staff

Cyber Security Threat Summary:
“Colorado State University (CSU) has confirmed that the Clop ransomware operation stole sensitive personal information of current and former students and employees during the recent MOVEit Transfer data-theft attacks. Colorado State University is a public research university with nearly 28,000 students and 6,000 academic and administrative staff members, operating on an endowment of $558,000,000. The University informed its students and staff on July 12th, 2023, that the threat actors have gained access to the personal data of staff and students through these attacks. Although the actual extent and impact of the data breach are still being evaluated, CSU has provided the following statement on a webpage dedicated to the cyber incident. ‘Some data about prospective, current, and former CSU students and current and former employees maintained by the affected vendors contains personally identifiable information, which may include first name, middle initial, last name, date of birth, student or employee identification numbers, social security number, and demographic information such as gender, ethnicity, and level and area of education’ warned CSU” (Bleeping Computer, 2023).

The data seems to date as far back as 2021, with university graduates potentially impacted. According to CSU, this data leak was not due to a breach of its own systems but rather to the compromise of the University’s vendors, including TIAA, National Student Clearinghouse, Corebridge Financial, Genworth Financial, Sunlife, and The Hartford.

Security Officer Comments:
CSU joins the list of Clop ransomware victims targeted via the MOVEit Transfer vulnerability. Given that personally identifiable information was stolen, cybercriminals will more than likely use that data for social engineering, identity theft, and targeted phishing attacks.

CSU is currently conducting an investigation to determine the full scope of the attack and stated that it will notify impacted individuals. In the meantime, members of the CSU community should be on the lookout for potential identity theft and phishing attempts and report any such activity to the university and law enforcement authorities.

Suggested Correction(s):
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted by ransomware, your organization can still restore its systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.bleepingcomputer.com/ne...sity-says-data-breach-impacts-students-staff/