Wednesday 9th September 2020

Newcastle University ransomware infection – what happened and why?

By Katharine Palmer

Following an incident affecting Northumbria University, Newcastle University is the latest victim of a big game hunting ransomware group. In this case the group, DoppelPaymer, is also increasing its extortion leverage over victims by threatening to leak stolen data as well as encrypting it.

Figure 1: DoppelPaymer claims responsibility for the ransomware infection via Twitter

Figure 2: Leaked Newcastle University data on DoppelPaymer’s dedicated site

The education sector continues to prove a popular target for these groups, with vulnerabilities stemming from general under-investment in cyber security, especially threat intelligence. This is compounded by extensive and complex networks, system uptime requirements, and the masses of personally identifiable information (PII) on students that universities hold. These issues have been amplified by efforts to accommodate changing working practices and online learning as students return in the midst of the pandemic, an issue we have previously assessed. The timing of the incident and its disruptive impact also affirm the assessment in our latest Monthly Report that threat actors will look to target schools and universities ahead of the new academic term.

Despite these broader systemic issues, our Cyber Risk Rating tool has identified several issues with Newcastle University's public-facing infrastructure that are likely to have attracted DoppelPaymer's interest. For example, in addition to spear-phishing, the group looks for exposed and vulnerable Remote Desktop Protocol (RDP) services and for known vulnerabilities in software.[1] In this latter category, Newcastle performs worse than 85% of entities in our database, with over 100 critical-severity CVEs present on its external footprint; these are typically sought out by threat actors because of their potential utility. A large number of open ports would also have made the University look attractive to indiscriminate scanning by cybercriminals, while a high number of expired certificates points to failings in cyber hygiene.
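The three exposure indicators named above (internet-facing RDP, expired or soon-to-expire TLS certificates, and critical-severity CVEs) are things a defender can check for themselves from the output of an external scan. The following is an added example, not code from the original post or from Orpheus; it assumes a simplified JSON inventory of exposed services (host, port, service, optional certificate expiry and CVSS scores) and uses a constructed sample of five invented hosts. The 9.0 cut-off for "critical" follows the CVSS v3 severity bands.

```python
"""Flag external-exposure indicators (RDP, bad certificates, critical CVEs)
from a normalised scan inventory. Added example; not the post's own tooling."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: what an external scan of a handful of hosts might
# produce once normalised. Hosts, dates and CVSS scores are invented and
# describe no real network.
SCAN_JSON = """
[
  {"host": "203.0.113.10", "port": 3389, "service": "ms-wbt-server"},
  {"host": "203.0.113.10", "port": 443, "service": "https",
   "cert_not_after": "2020-06-01T00:00:00Z", "cvss": [9.8, 5.3]},
  {"host": "203.0.113.11", "port": 443, "service": "https",
   "cert_not_after": "2020-09-20T00:00:00Z", "cvss": [7.5]},
  {"host": "203.0.113.12", "port": 22, "service": "ssh", "cvss": [9.1, 9.0]},
  {"host": "203.0.113.13", "port": 80, "service": "http"}
]
"""

RDP_PORT = 3389
CRITICAL_CVSS = 9.0               # CVSS v3 "Critical" band starts at 9.0
EXPIRY_WARNING = timedelta(days=30)


def parse_inventory(text):
    """Load the JSON inventory and convert certificate expiry strings to datetimes."""
    records = json.loads(text)
    for rec in records:
        if "cert_not_after" in rec:
            rec["cert_not_after"] = datetime.strptime(
                rec["cert_not_after"], "%Y-%m-%dT%H:%M:%SZ"
            ).replace(tzinfo=timezone.utc)
    return records


def assess(records, now):
    """Return the indicators: exposed RDP hosts, expired/expiring certs,
    count of critical CVEs and total distinct open ports."""
    # RDP is flagged on either the well-known port or the service banner,
    # since defenders sometimes move RDP to a non-standard port.
    rdp_hosts = sorted({r["host"] for r in records
                        if r["port"] == RDP_PORT or r.get("service") == "ms-wbt-server"})
    expired, expiring = [], []
    for r in records:
        not_after = r.get("cert_not_after")
        if not_after is None:
            continue
        target = f'{r["host"]}:{r["port"]}'
        if not_after <= now:
            expired.append(target)
        elif not_after - now <= EXPIRY_WARNING:
            expiring.append(target)
    critical = sum(1 for r in records for s in r.get("cvss", []) if s >= CRITICAL_CVSS)
    open_ports = len({(r["host"], r["port"]) for r in records})
    return {
        "rdp_exposed": rdp_hosts,
        "expired_certs": sorted(expired),
        "expiring_certs": sorted(expiring),
        "critical_cves": critical,
        "open_ports": open_ports,
    }


def report(text=SCAN_JSON, now=None):
    """Assess the sample inventory as of the post's date unless told otherwise."""
    now = now or datetime(2020, 9, 9, tzinfo=timezone.utc)
    return assess(parse_inventory(text), now)


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against a real inventory (for example one converted from nmap or a TLS scanner), the same checks give a defender a first approximation of the view an attacker's scanning infrastructure has, which is the perspective the risk rating discussed here is built on.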

Conclusion:

To adopt an intelligence-led and risk-based approach to security, it is critical to understand both the specific threats and the vulnerabilities that your organisation faces. If you can use threat intelligence to assess how your organisation looks from a threat actor's perspective, and how you compare against your industry peers and competitors, you can better understand the likelihood of a cyber attack and work to reduce this overall level of cyber risk.

If you are interested in learning your cyber risk rating and how you compare to industry peers, contact us here.


[1] https://orpheus-portal.com/#/overview?tags%5B0%5D%5B0%5D=4493&type=intrep&id=3252

