Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label University Hack. Show all posts

New Jersey City University Targeted by ransomware Outfit Demanding $700K

 

A ransomware outfit launched an assault on New Jersey City University's computer network, threatening to reveal sensitive private details of students and staff unless $700,000 in Bitcoin is paid by Saturday. The institution notified staff and students of the June 4-10 data breach on Friday, some seven weeks after the incident that resulted in the loss of social security numbers, driver's licence numbers, financial account information, and credit card details. 

The estimated number of potential victims was not known till Monday afternoon, although the 100-year-old university enrols about 6,000 undergraduate and graduate students annually in addition to a small number of teachers and staff members. When asked about how quickly they found out about the data breach, school officials had no response. 

“In June 2024, our computer network was accessed without permission by an unknown actor,” the university stated in a post under its webpage’s data events. “In response, we immediately notified law enforcement authorities, took steps to secure our computer network, and conducted a thorough assessment of the matter to determine what happened and how it may affect information that was stored on the network.” 

A university spokesperson and a representative for the state Department of Homeland Security did not reply to requests for comment. Hack Manac, a cybersecurity business that monitors various cyber security risks across the country, stated the Rhysida Ransomware Group is responsible for the hack and is seeking 10 Bitcoins, or around $700,000, by August 3. 

Sentinel One, another cybersecurity company, stated that Rhysida believes it is doing "victims a favour" by raising security concerns. The institution, which did not name the hacker, stated that the "unknown actor" copied "certain files" between June 4 and June 10. 

The school will notify individuals who may be affected by email, and those who believe they have been affected may contact the institution. It will provide free identification monitoring to possibly affected individuals. The school emphasised that just because someone has been contacted does not imply that they are a victim of identity theft.

Assessing F Society's Latest Ransomware Targets: Are They at Risk?

 

In recent developments, the F Society ransomware group has once again made headlines by listing four additional victims on its leak site. The alleged targets include Bitfinex, Coinmoma, Rutgers University, and SBC Global Net. Bitfinex, a renowned cryptocurrency exchange platform, and Coinmoma, offering cryptocurrency-related data, are among the victims. 

Rutgers University, one of the oldest universities in the US, and SBC Global Net, an email service once provided by SBC Communications, are also allegedly affected. While the attacks are yet to be officially confirmed, the ransomware group has provided unique descriptions for each victim, along with links to sample data obtained from the attacks. 

Bitfinex was reportedly targeted with the theft of 2.5 TB of information and personal details of 400K users. Rutgers University faced an alleged theft of 1 TB of data, with the specific type of information not disclosed. Coinmoma was claimed to have sensitive data, including user information and transaction histories, compromised, with a file size of 2TB and 210k user records. 

Similarly, SBC Global Net was stated to have unauthorized access, leading to the theft of personal user details, with a file size of 1 TB. Despite these claims, no ransom amount has been publicly mentioned, and the victims are given seven days to comply with the demands, failing which the obtained data will be leaked. 

As of now, there have been no official responses from the victims, and the claims remain unverified. While the authenticity of F Society's claims is uncertain, Bitfinex had previously experienced a significant hacking incident in 2016. During this incident, approximately 119,754 bitcoins were stolen from the platform due to a breach, leading to unauthorized transactions. The stolen bitcoins were later recovered by law enforcement after a thorough investigation, marking one of the largest recoveries in the history of the US Department of Justice. 

However, the perpetrator behind the hack remains unidentified, although it is known that they attempted to cover their tracks using a data destruction tool. The previous security lapse experienced by Bitfinex highlights the importance of robust cybersecurity measures, especially in the realm of cryptocurrency exchanges. As cyber threats continue to evolve, organizations must prioritize the implementation of stringent security protocols to safeguard sensitive data and mitigate the risk of ransomware attacks.
 
Additionally, prompt response and collaboration with law enforcement agencies are essential in investigating such incidents and holding perpetrators accountable for their actions. The recent targeting of prominent entities by the F Society ransomware group underscores the persistent threat posed by cybercriminals. As organizations strive to fortify their defenses against such attacks, proactive measures and swift action are imperative to protect valuable assets and maintain trust among stakeholders in an increasingly digital landscape.

Southeastern Louisiana University & Tennessee State Hit by Breaches

After a possible incident last week forced the Southeastern Louisiana University to shut down its network and call in Louisiana State Police to investigate, the University is now on its fifth day without a website, email, or mechanism for submitting assignments.

Due to hacks that have paralyzed school services and forced students to look for substitute tools, two institutions in Tennessee and Louisiana are currently experiencing difficulties.

Another cyberattack on Tennessee State with more than 8,000 students at Tennessee State University, a historically black public land-grant university in Nashville, was informed on Wednesday that a ransomware attack had taken down the school's IT infrastructure.

Internet problems have also emerged due to the event. Still, Louisiana State said that they were not brought on by a ransomware attack and that there has been no indication of any breach of personal data.

According to a university spokesperson, Southeastern's outages started on Thursday night, making it difficult for students and teachers to finish assignments and hold online classes. Facebook was used by some teachers in an effort to connect with their pupils.

According to Forbes, ransomware attacks are the most prevalent sort of recent cyberattacks that have hurt higher education. Universities paid a ransom in the amount of $112,000 on average during these attacks, despite the fact that experts claim that ransom demands can reach millions.

The Louisiana State Police is looking into the event after Louisiana University reported it to them. The University is diligently restoring services for the University community, therefore we ask that everyone continue to be patient at this time.

The federal cybersecurity & infrastructure security service advises everyone to exercise caution when clicking on URLs or opening attachments in emails, check website security before providing passwords, authenticate email senders, and use antivirus software to protect against ransomware attacks.



Northeastern University Students Hack Under-Desk Spying Tools Installed to Track Their Activities

 

The COVID-19 pandemic has made surveillance more pervasive than ever in schools, universities, and much of daily life over the past few years. However, graduate students at Northeastern University successfully organized and thwarted an attempt to implement intrusive monitoring devices that were covertly hidden under desks at their institution back in October. 

At the school's Interdisciplinary Science & Engineering Complex (ISEC), a building utilized by graduate students and the location of the "Cybersecurity and Privacy Institute" that researches surveillance, Senior Vice Provost David Luzzi put motion sensors beneath every desk at the beginning of October. 

According to a blog post by Max von Hippel, a Privacy Institute PhD candidate who wrote about the situation for the Tech Workers Coalition's newsletter, these sensors were installed at night—without student knowledge or consent—and when students were asked for an explanation, they were told this was part of a study on "desk usage." 

When academic institutions compete for access to facilities, those with the best funding or who receive the most grant money tend to prevail. It may make sense for the university to attempt and investigate how desks are used in order to increase or optimize access to the ISEC because it is a wonderful building, the computer science department brings in a lot of money, and they get to use it a lot. 

But according to Von Hippel, since workstations are assigned and badges are needed to enter the rooms, desk utilization can already be monitored. Instead, he thinks the sensors were used as an excuse by the building's owner, the administration, to eject computer science students who don't make as much use of it as other students might. 

Students started to voice concerns about the sensors as a result, and Luzzi responded by sending an email that attempted to answer the concerns made by students. 

“In order to develop best practices for assigning desks and seating within ISEC, the Office of the Provost will be conducting a study aimed at quantifying the usage of currently assigned seating in the write-up areas outside of the labs and the computational research desks,” the email reads. “The results will be used to develop best practices for assigning desks and seating within ISEC (and EXP in due course).” 

An unplanned listening session was held in the ISEC after that email. Luzzi urged graduate students present at this initial listening session to "trust the university since you trust them to grant you a degree." Luzzi said that "we are not performing any scientific here" as a further justification for the choice to forego requesting IRB permission. 

After that, the Privacy Institute students—who focus on researching surveillance and undoing its negative effects—started removing the sensors, hacking into them, and creating an open-source manual to help other students do the same. Students at the Privacy Institute discovered that contrary to Luzzi's claims, the gadgets were only moderately secure and the data was not encrypted. 

"The way that this facility's students, including myself, obtain publications is by examining the shortcomings of systems like these. They could not have chosen a better group of students to figure out why their study was flawed, so we explain what's awful about them and why they don't work," von Hippel added. 

Students hacked the devices and then sent an open letter to Joseph E. Aoun, the president of the university, and Luzzi requesting that the sensors be taken down because they were intimidating, a part of a poorly designed study, and were used without IRB approval despite the fact that human subjects were the focus of the purported study. 

“Resident in ISEC is the Cybersecurity and Privacy Institute, one of the world’s leading groups studying privacy and tracking, with a particular focus on IoT devices. To deploy an under-desk tracking system to the very researchers who regularly expose the perils of these technologies is, at best, an extremely poor look for a university that routinely touts these researchers’ accomplishments. At worst, it raises retention concerns and is a serious reputational issue for Northeastern,” the letter reads. 

Then there was another listening session, this time just for professors, and Luzzi argued that since the devices "don't perceive humans in particular, they sense any heat source," they are not subject to IRB approval. Later, more sensors were taken out and placed in a "public art piece" that read "NO" in the foyer of the building. 

In response to the open letter, which has gained widespread distribution and hundreds of signatures, as well as ongoing complaints and sensor removals, Luzzi then issued an email arranging for another listening session to address students and faculty. By all accounts, that listening session was a complete failure. 

In a transcript of the event that Motherboard reviewed, Luzzi tries to allay worries that the study is intrusive, carelessly executed, expensive, and probably unethical. When a faculty member reveals that the Institutional Review Board (IRB), which ensures that the rights and welfare of human research subjects are protected, never received any submissions, he claims that they submitted a proposal to the IRB, only to concede that this never happened. 

Luzzi also made an effort to brush off the issues as being unique to the Privacy Institute because "your lived experience is more desk-centric" as opposed to other graduate students. 

Von Hippel then posted on Twitter what quickly gained popularity, detailing the complete sequence of events from the covert installation of the sensors to the listening session that day. After removing the sensors, Luzzi sends one final email reading: 

"Given the concerns voiced by a population of our graduate students around the project to gather data on desk usage in a model research building (ISEC), we are pulling all of the desk occupancy sensors from the building. For those of you who have engaged in discussion, please accept my gratitude for that engagement."

This was a particularly enlightening experience because it demonstrates that monitoring need not be ongoing and that those who are impacted by it can work together to eliminate it. Von Hippel claims that the department of computer science is overrun with union members, which contributes in part to their success. The majority of the engaged students were not members of an established NLRB union, as were the graduate students at the university in general. However, graduate students are in a good position to put pressure on colleges when they make unreasonable or immoral demands.