Cybersecurity Snapshot: Schools Suffer Heavy Downtime Losses Due To Ransomware, as Banks Grapple with AI Challenges

The cost of ransomware downtime in schools gets pegged at $500K-plus per day. Meanwhile, check out the AI-usage risks threatening banks’ cyber resilience. Plus, Uncle Sam is warning about a dangerous Iran-backed hacking group. And get the latest on AI-system inventories, the APT29 nation-state attacker and digital identity security!

Dive into six things that are top of mind for the week ending August 30.

1 - Ransomware downtime costs to schools: About half a million dollars per day

After suffering a ransomware attack, schools and colleges lose an average of $550,000 per day of downtime, a heavy financial burden considering they remain offline for an average of about 11 days.

That’s according to an analysis by research firm Comparitech of almost 500 ransomware attacks against U.S. educational institutions between 2018 and this year.

“Most schools faced astronomical recovery costs as they tried to restore computers, recover data, and shore up their systems to prevent future attacks,” reads a Comparitech blog about the research published this week.

^{(Source: Comparitech, August 2024)}

Highlights from the research include:

• In 2023, the average downtime suffered by an educational institution due to ransomware was 12.6 days, up from almost 9 days in 2021.
• The 491 ransomware attacks analyzed between 2018 and 2024 affected about 8,000 schools and colleges
• The average ransom demanded was $1.4 million.
• Collectively, these 491 incidents cost about $2.5 billion and involved the breach of 6.7 million individual records.

For more information about cybersecurity threats to educational institutions:

• “Cybersecurity Preparedness for K-12 Schools and Institutions of Higher Education” (U.S. Department of Education)
• “$200 Million Cybersecurity Funding Available for K-12 Schools and Libraries through FCC Cybersecurity Pilot Program” (Tenable)
• “Survey Reveals Top Cybersecurity Issues in Education” (EdTech Magazine)
• “School cybersecurity threats on the rise” (K-12 Dive)
• “Yes, University Cybersecurity Is Still a Concern” (Inside Higher Ed)

2 - GenAI risks among banks’ top cloud security challenges

As financial institutions aim to boost their cloud security, they face a variety of obstacles, including data-privacy and data-integrity risks posed by their use of generative AI systems.

That’s one takeaway from the Cloud Security Alliance’s upcoming report “Cloud Resiliency in Financial Services,” based on a survey of about 860 security pros, CISOs and financial services leaders.

Other AI-related concerns cited by respondents include the danger of suffering AI-boosted cyberattacks, as well as issues with data accuracy, information bias and regulatory compliance, according to a CSA blog posted this week.

Meanwhile, respondents’ top-three challenges with cloud service providers are:

• Cloud settings misconfigurations, cited by 62%
• Integration of cloud and third-party services (52%)
• Effective identity and access management systems (35%)

Other barriers cited by respondents include a lack of qualified cloud-security staff and difficulties with serverless and containerized environments.

More key findings include:

• The NIST Cybersecurity Framework has been adopted by 67% of respondents. The ISO/IEC 27001 standard for information security management is also popular.
• Seeking simplicity and easier management, a majority of respondents (78%) prefer to use a single cloud services provider.
• Enhancing disaster-recovery preparedness (60%) and infrastructure scalability and availability (58%) are high-ranking priorities.

To get more details, read the CSA blog “The State of Cyber Resiliency in Financial Services.”

For more information about cybersecurity trends in the financial sector:

• “Is AI Making Banking Safer or Just More Complicated?” (Bank Infosecurity)
• “Seven cybersecurity threats for banks in 2024—and some smart precautions” (ABA Banking Journal)
• “Cybersecurity remains number one risk for global banks, as financial risk moves back up the agenda” (Institute of International Finance)
• “Ransomware in the financial sector: What to know and how to respond” (ABA Banking Journal)
• “Global financial stability at risk due to cyber threats” (World Economic Forum)

3 - CISA: Iranian hackers unleash ransomware, data-theft attacks

A cybercrime group is attacking U.S. organizations with ransomware for financial gain, while separately stealing data on behalf of Iran’s government from U.S., Israel, United Arab Emirates and Azerbaijan organizations.

That’s the warning the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued this week in their joint advisory “Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations.”

The advisory outlines the Iran-based group’s tactics, techniques and procedures, as well as indicators of compromise, and provides mitigation recommendations.

The group, known as Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm, has been conducting a “high volume of network breach attempts against U.S. organizations since 2017." It’s also known as Br0k3r and xplfinder, and uses the Iranian company name Danesh Novin Sahand as a cover.

For a deep dive and analysis of the advisory, check out the Tenable blog “AA24-241A: Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations.”

To get more details, read:

• CISA’s announcement
• The full advisory “Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations”

4 - White House requires AI inventories from federal agencies

Has your organization considered the importance of inventorying AI assets? Need guidance on how to best document your organization’s usage of AI tools? Check out how the White House is approaching this issue.

In its recently finalized “Guidance for 2024 Agency Artificial Intelligence Reporting Per EO 14110,” the White House outlines guidelines for federal agencies to compile and submit inventories of their AI use cases.

The document states that agencies must conduct an annual inventory and metrics of their AI use cases. It also details the “criteria, format, and mechanisms” agencies should use to create their reports.

For all AI use cases, agencies will have to state their purpose, expected benefits, outputs, stage of development, and whether they impact rights or safety, among other information.

For some AI use cases, the White House wants to know more details, including:

• Does it disseminate information to the public?
• Does it involve personally identifiable information?
• Has the agency’s privacy chief assessed the use case’s privacy risks?
• What agency-owned data was used to train or fine-tune the AI model in question?
• Does it include custom-developed code, and does the agency have access to the code?
• Can it make a decision or trigger an action without direct human involvement that could impact on rights or safety?

To get more details, check out the document “Guidance for 2024 Agency Artificial Intelligence Reporting Per EO 14110.”

For more information about the importance of inventorying AI assets to prevent “shadow AI” problems:

• “Do You Think You Have No AI Exposures? Think Again” (Tenable)
• “10 ways to prevent shadow AI disaster” (CIO)
• “First Step in Securing AI/ML Tools Is Locating Them” (Dark Reading)
• “Shadow AI poses new generation of threats to enterprise IT” (TechTarget)
• “The risks of shadow AI and what leaders can do to prevent it” (IT Pro)

5 - Google: APT29 exploiting known bugs in iOS and Chrome

APT29, a nation-state attacker backed by the Russian government, is actively trying to exploit known vulnerabilities in iOS WebKit and ChromeOS using techniques employed by spyware actors.

That’s according to the Google Threat Analysis Group (TAG), which this week said that over the past nine months, multiple exploit campaigns were delivered via a watering hole attack on Mongolian government websites. 

Google TAG believes “with moderate confidence” that the attacks were carried out by APT29, also known as Cozy Bear, Nobelium and Midnight Blizzard. The group is known for high-profile hacks, including breaches of Microsoft and SolarWinds.

In the campaigns observed by Google TAG, APT29 first deployed an iOS WebKit exploit of CVE-2023-41993 that affects iOS versions older than 16.6.1. Later, it launched a ChromeOS exploit chain of CVE-2024-5274 and CVE-2024-4671 targeting Android users running versions M121 to M123. Patches are available for all three vulnerabilities.

“These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices,” reads the Google TAG blog titled “State-backed attackers and commercial surveillance vendors repeatedly use the same exploits.”

For more information about APT29, check out these Tenable blogs:

• “CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack”
• “Poor Identity Hygiene at Root of Nation-State Attack Against Microsoft”
• “French cyber agency: Nobelium / Midnight Blizzard is spying on European governments on Russia's behalf”
• “Midnight Blizzard swiped Microsoft’s source code, broke into its internal systems”
• “CISA, NCSC issue cloud security advisory on Russia-backed APT29”

6 - NIST updates draft of its digital-identity recommendations

The U.S. National Institute of Standards and Technology (NIST) has released a new draft of its “Digital Identity Guidelines,” which, when finalized, U.S. federal agencies will be required to adopt and follow.

The latest draft details NIST’s identity management requirements, including identity proofing and authentication. It also offers best practices for improving the privacy protection and usability of digital identity tools.

NIST’s current guidelines date from 2017. The process to update them began in 2022. 

These are some of the changes and additions in the latest draft, which is open for comment through October 7, 2024:

• A set of recommended metrics for evaluating the performance of identity management tools
• Broader requirements and recommendations for fraud management
• The addition of user-controlled digital wallets to the federation model
• A new taxonomy and structure for identity-proofing controls

The 2022 version of the draft received almost 4,000 comments from 140 organizations and individuals, many focused on digital wallets and on passkeys digital credentials.

The digital identity guidelines aim to “ensure security, privacy and accessibility during the identity-proofing process for people accessing government services,” reads a NIST statement.

To get more details, check out:

• The NIST announcement “NIST Releases Second Public Draft of Digital Identity Guidelines for Final Review”
• The latest draft of the NIST “Digital Identity Guidelines”