Education institutions are key targets for cyber criminals so here’s a summary of what has been happening in the East of England recently and further afield.

Mass phishing campaign seen

Schools are reporting an increase in phishing emails, with one campaign targeting all staff within the school. The email looks to be an invoice from a company however it redirects to a fake Microsoft login page in the hopes that staff will input their password.

Actions taken by the schools

• The sender domain and email were blocked
• Updated their ISP about what they were seeing so that proxy settings could be set to block any attempt to reach websites which are identified as hosting malware or phishing campaigns
• All staff warned about the campaign and to maintain their vigilance with regards to phishing emails
• Reported to the NCSC phishing mailbox - report@phishing.gov.uk
• Signed up to Mail Check - NCSC.GOV.UK. This is a free service which checks email configuration and encryption settings.
• Considered geofencing logins - https://docs.microsoft.com/en-us/sharepoint/control-access-based-on-network-location

New malware tactic using Microsoft Teams

Email security company Avanan advised that they are seeing an increasing number of attempts by threat actors to spread malware files via Microsoft Teams chats. Threat actors are using traditional phishing techniques to compromise user O365 accounts, before spreading malware across organisations via Teams chats by replying to existing chats and sharing trojanised executable files designed to take over computers. The executable file was named UserCentric.exe.

Potential mitigation

• Staff need to be made aware of this as a new and emerging threat, and that they should exercise caution when receiving any shared files in Teams from external organisations, especially from historical chat threads.
• Organisations could also consider using AppLocker to block executable files from running from folders that Teams downloads files to. For example, if the default download location is the Documents folder, then consider blocking executable files from running in this folder.

Police CyberAlarm

Police CyberAlarm is showing that schools are consistently being targeted. With one school having over 20 million suspicious incoming connections. But being aware means that you can put mitigation into place.

What is Police Cyber Alarm?

Police CyberAlarm is a free tool to help your business understand and monitor malicious cyber activity. Police CyberAlarm acts like a "CCTV camera" monitoring the traffic seen by a member's connection to the internet. It will detect and provide regular reports of suspected malicious activity, enabling organisations to minimise their vulnerabilities. Find out more here: Police CyberAlarm | The Eastern Cyber Resilience Centre (ecrcentre.co.uk)

War in Ukraine

All organisations need to be aware of the heightened risk to UK institutions due to the conflict in Ukraine.

It is well known that Ukraine is being attacked, both physically but also in the cyber space, with DDoS and malware attacks. The malware is of particular concern, as it is a wiper variant. This means that if your systems get infected the data on them is deleted. In the case of a ransomware attack, there might have been a potential to pay for the data to be recovered, with a wiper, there is no second chance.

Actions

• Register for the Early Warning service so that the NCSC can quickly inform you of any malicious activity reported regarding your systems.
• The NCSC has published specific guidance for this time of heightened threat. Make sure you read it Actions to take when the cyber threat is heightened - NCSC.GOV.UK
• Sign up for free membership with the Eastern Cyber Resilience Centre and keep updated about what is going on

Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.

You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.

We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.