The security operations team monitors threats 24 hours a day.

There are many ways an unauthorized person might be able to enter your access-controlled facility. One way is to check for a door that is propped open or a window that is not latched properly, especially when you are not watching. Another technique is for the stranger to lie in wait until you open the door, then try to quickly tailgate as you enter.

A bolder move would be to engage you, as they see you approach the door, by saying they lost or forgot their key or ID and asking you to let them in. It is a form of social engineering that can especially manipulate Aggies who hold a core value of selfless service to others. While supporting this behavior may seem like a nice thing to do, you may unwittingly harm those the security controls are intended to protect.

A recent security incident highlights how similar social engineering can occur in our virtual world. A person trying to illegally gain access to a student affairs server actually submitted a help request to Technology Services – Student Affairs asking for access.

In the cybersecurity sphere, a person who is responsible for an incident that impacts or has the potential to impact an organization’s security is called a “threat actor.”

A few days before asking for access, the threat actor began trying to find an unlocked door or window on the server. A common tactic is to target the server with a set of attack scripts written by others, which has earned such actors the moniker “script kiddies.” Although they require little technical skill, these actors can be just as dangerous as their technically savvy counterparts. The scripts quickly attempt to exploit the gamut of potential vulnerabilities on the server.

In the recent case, a module was discovered in a custom application that allowed file uploads without requiring the user to have a password-protected computer account. The module had been necessary in the past for non-university affiliates to provide documentation for the associated business process. Although there were other controls in place to mitigate the security risk, they were less effective against the latest attack.

Due to business process changes, the targeted module had not been needed for about a year. A review of the application had already begun as part of DoIT’s routine process to update the language version and security controls.

Fortunately, the security model includes several layers of mitigating controls. If one layer fails, other layers can remain effective. Although the actor was able to upload a file containing a malicious script, the script was unable to achieve its goal.
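The unlocked window in this incident was an upload module that asked for no login, and the layers that held were the ones behind it. The following is an added example, not code from the Student Affairs application, showing the difference in miniature: an open handler that accepts any file under any name, beside a hardened handler that requires a valid session, allowlists document types, checks that the bytes match the declared type, and lets the server choose the stored name. The session tokens, allowed types, and sample files are constructed for the example.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample session store (token -> account name). In the real
# application this is whatever the password-protected login produces.
VALID_SESSIONS: Dict[str, str] = {"tok-alice-0001": "alice"}

# Assumption: the business process only ever needed documents and images.
# Each allowed extension is paired with the leading bytes a genuine file has.
ALLOWED_TYPES: Dict[str, bytes] = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MAX_BYTES = 5 * 1024 * 1024

# Constructed sample inputs: a harmless shell script standing in for the
# uploaded attack script, and a minimal PDF header.
SAMPLE_SCRIPT = b"#!/bin/sh\necho constructed-sample\n"
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample document\n"


@dataclass
class UploadResult:
    accepted: bool
    reason: str
    stored_as: Optional[str] = None


def upload_unauthenticated(filename: str, content: bytes,
                           store: Dict[str, bytes]) -> UploadResult:
    """The 'unlocked window': no login, no type check, caller picks the name."""
    store[filename] = content
    return UploadResult(True, "stored without checks", filename)


def upload_hardened(session_token: Optional[str], filename: str, content: bytes,
                    store: Dict[str, bytes]) -> UploadResult:
    """Layered checks: each one is a door the uploader must get past."""
    # Layer 1: the module is only reachable by a logged-in account.
    user = VALID_SESSIONS.get(session_token or "")
    if user is None:
        return UploadResult(False, "authentication required")
    # Layer 2: size limit.
    if len(content) > MAX_BYTES:
        return UploadResult(False, "file too large")
    # Layer 3: drop any path components, then allowlist the extension.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return UploadResult(False, f"type {ext or '(none)'} not allowed")
    # Layer 4: the bytes must look like the declared type, so a script
    # renamed to .pdf is still refused.
    if not content.startswith(magic):
        return UploadResult(False, "content does not match declared type")
    # Layer 5: the server chooses the name, so the uploader cannot control
    # where the file lands; the store holds data and is never executed.
    stored_as = f"{user}-{secrets.token_hex(8)}{ext}"
    store[stored_as] = content
    return UploadResult(True, "stored", stored_as)


def demo() -> Dict[str, UploadResult]:
    """Run the constructed uploads through both handlers."""
    open_store: Dict[str, bytes] = {}
    hardened_store: Dict[str, bytes] = {}
    return {
        "open_no_login": upload_unauthenticated("run.sh", SAMPLE_SCRIPT, open_store),
        "hardened_no_login": upload_hardened(None, "run.sh", SAMPLE_SCRIPT, hardened_store),
        "hardened_script": upload_hardened("tok-alice-0001", "run.sh", SAMPLE_SCRIPT, hardened_store),
        "hardened_renamed": upload_hardened("tok-alice-0001", "run.pdf", SAMPLE_SCRIPT, hardened_store),
        "hardened_pdf": upload_hardened("tok-alice-0001", "../doc.pdf", SAMPLE_PDF, hardened_store),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} accepted={result.accepted!s:5} {result.reason}")
```

The point of the layering is the same one the article makes: the antivirus that caught the script was a layer behind the application, and an application that never stores a script under an attacker-chosen name, never executes what it stores, and never accepts uploads from anonymous callers gives that last layer far less to do.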

The server has antivirus software that is always watching for threats. You may use antivirus software on your home computer that requires regular updates to recognize the distinctive “signatures” of the latest malware. This approach leaves your computer vulnerable to “zero-day” and other types of attacks for which signatures have not yet been identified. The software used by Texas A&M recognizes anomalous behavior, letting it defend against unknown threats. It is constantly learning, so the moment a new threat is identified, other campus computers can be better protected.

When execution of the uploaded file was attempted, the antivirus software automatically recognized the threat and blocked its attempt to compromise the server. The software also instantly alerted Texas A&M’s top-notch security operations team.

With Texas A&M’s presence in several countries, the distributed security operations team is able to follow the sun to monitor and respond to alerts 24 hours a day. The international experience of the team also equips them with great cultural knowledge to better understand threats that originate from around the world.

The security operations team notified Technology Services – Student Affairs of the attempt to compromise its server and worked with its staff to investigate the situation. In addition to verifying that no information was compromised, the method of attack was identified, and a plan was developed to remove the unnecessary module.

Although the threat actor had been unsuccessful with their earlier attempt, they did not give up. When they tried to upload another malicious file, they discovered the door had been closed. The application offered a way for users to submit help requests. The actor submitted a request that basically said the service was not working as expected; could we please fix it?

This is an example of attempted social engineering. Like all users and our antivirus software, IT staff also have to remain watchful for anomalous behavior. Despite use of the magic word “Please,” one security analyst remarked, “Wow, the nerve!” Needless to say, that request was closed without being satisfied.

One of our customers, aware of the attack, remarked, “Why would someone want to upload anything malicious? People are weird. So strange to me.” The motivation for such an attack may not be understood, but the old expression is still relevant: “One man’s trash is another man’s treasure.” We typically only see the usefulness of a service as it relates to our needs but have difficulty seeing the alternate potentials through the lens of other people’s perspectives.

The blocked script referenced a chat service used by threat actors. The channel included messages from people offering thousands of dollars for compromised education and government servers. Clearly some malicious actors see great value.

The average income in the country from which the attack was launched is much lower than in the United States. “Thousands of dollars” for a compromised server is equivalent to nearly the average annual income in their country. The risk versus reward equation offers incentive for someone to take the time to search out potential targets for their scripts.

That motivation leads to an ever-increasing number of attacks attempted against Texas A&M systems. In the latest month reported, 33.8 billion cyberattacks and malware were blocked.

Chris Wiley, associate director of security operations, has seen the threats grow and the actors change since long before he started working at Texas A&M. “Back in the day when tracking down these actors was so much simpler, I could send an email to the IT director of a company when we discovered one of their employees was attempting to compromise our company’s systems. I can’t tell you how many IT directors responded with thanks, informing me the offending individual was terminated.”

In our modern world, we may never see the actors stopped, so multiple layers of effective security controls are crucial for preventing successful attacks. Antivirus software alone cannot fully protect our information services. Just like each person going through an access-controlled door is responsible for not letting others tailgate through the entry, each computer user shares responsibility for being alert.

If you see someone wanting to tailgate into your facility, tell them to use the public spaces on game day!

If you see or suspect anomalous behavior or a phishing message, immediately email [email protected] or call Help Desk Central at 979.845.8300. If someone is trying to manipulate you with social engineering, you can be certain that, given Texas A&M’s size, you are not the only one being targeted. Your report is a selfless service that can result in defenses being enacted quickly for the well-being of the rest of our campus community.

Protecting value for our customers. That’s what we’re about. Ask how we can help you!


For practical guides to protecting your device, your identity and university data, visit the safe computing site.

By David Swanson, Department of Information Technology, Texas A&M University Division of Student Affairs
Photo credit: TAMU Security Operations