FBI warns US colleges of widespread VPN credential leaks on Russian cybercrime forums

Russian cybercrime forums are teeming with the network credentials and virtual private network accesses of employees from U.S. colleges and universities, according to a new alert from the FBI. 

This week, the FBI said U.S. college and university credentials are being advertised widely across cybercrime forums. In May 2021, the FBI says it found more than 36,000 email and password combinations for email accounts ending in .edu publicly available on instant messaging platforms frequented by cybercriminals. 

According to the FBI, most of the credentials stem from spear-phishing, ransomware or other cyberattacks on U.S. colleges and universities that have become more prevalent over the years. 

When contacted about cyberattacks and ransomware incidents, U.S. colleges and universities often claim that there is no evidence of data theft or sale. But Emsisoft threat analyst Brett Callow, a ransomware expert tracking attacks on universities and K-12 schools, said 10 of the 13 attacks on colleges this year involved data exfiltration.

Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, National University College, North Carolina A&T University, Florida International University, Stratford University are just a few of the schools attacked with ransomware this year.

The FBI noted that the exposure of sensitive credential and network access information, especially privileged user accounts, “could lead to subsequent cyber attacks against individual users or affiliated organizations.”

“For example, in 2017, cyber criminals targeted universities to hack .edu accounts by cloning university login pages and embedding a credential harvester link in phishing emails. Successfully harvested credentials were then sent to the cyber criminals in an automated email from their servers,” the FBI notice explained. 

“Such tactics have continued to prevail and ramped up with COVID-themed phishing attacks to steal university login credentials, according to security researchers from a US-based company in December 2021.”

The law enforcement agency listed several instances where U.S. territory-based university account usernames and passwords with the domain .edu were found for sale on Russian cybercrime forums or on the dark web. 

Sometimes the credentials are sold and other times, the hackers simply ask for “donations” in exchange for full access to the stolen data. 

The widely available credentials can help threat actors conduct brute force credential stuffing attacks, allowing them to “drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.”

“As of January 2022, Russian cyber criminal forums offered for sale or posted for public access the network credentials and virtual private network accesses to a multitude of identified US-based universities and colleges across the country, some of which included screenshots as proof of access,” the FBI said. 

“Sites posting credentials for sale typically listed prices varying from a few to multiple thousands of US dollars.”