Cyberattack strikes a school system told for years it was vulnerable
Multiple red flags preceded last week’s “catastrophic” cyber attack on Baltimore County Schools
A tech expert warned school officials in 2019 their networks were vulnerable to attack. A trove of personal data was exposed later that year. And the state auditor warned of vulnerabilities months ago – and previously in 2015.
Above: A ransomware attack has brought virtual learning for Baltimore County Public Schools students to a halt. (BCPS Facebook)
In May 2019, shortly after a malware attack had crippled Baltimore City government, the public school system in neighboring Baltimore County got a specific warning about its own vulnerability.
The technology journal Ars Technica not only revealed that Baltimore County Public Schools had alarming weaknesses, but it used BCPS as a prime example of how school systems across the country were at risk for similar attacks.
“Major parts of BCPS’ network are not properly configured or protected,” author Sean Gallagher said, speaking with The Brew at the time. “It means that if something like the ransomware that hit Baltimore City got into their network, it would have an easier time spreading.”
Gallagher had discovered eight publicly accessible servers were running in configurations that indicated they were vulnerable to a commonly known weakness or “exploit” – the Microsoft Windows’ Server Message Block version 1 (SMB v. 1) file sharing protocol exploit, to be precise.
It’s the exploit exposed by a hacker group in 2017 and used as part of the worldwide cyber-attack, WannaCry.
In response, the school system applied a (publicly viewable) system patch that Gallagher judged “the bare minimum required to prevent an attack” by a malware clone.
Now BCPS has been hit by what school officials called “a catastrophic attack” that prompted them to cancel classes on Wednesday, shutter offices and warn against logging into devices.
The attack has crippled a school system whose 115,000 students have been online-only due to the coronavirus pandemic.
Gallagher said he was not surprised.
Warned by State
It’s not clear when classes, which are canceled today and Tuesday, will resume. (Board Chair Kathleen Causey said during an interview on WBAL radio today that instruction could be back up sometime this week, but facilitated through alternate means.) Also unclear are the hackers’ ransom demands – school officials are not discussing their interactions with the attackers.
But as they turn to experts, including the FBI, to sort out precisely what happened, it is clear that BCPS administration was given multiple red flags and official warnings about the system’s vulnerabilities.
Last Tuesday – the very day the cyber attack struck the system – the Maryland Office of Legislative Audits released a devastating report on Baltimore County’s networking exposures.
The report notes that auditors had finished their study last February, giving the school system time to respond or fix the inadequacies before the public release of the document.
That means that Baltimore County may have been officially informed of serious network security vulnerability as early as last spring.
The attackers struck the BCPS network just hours after the state released devastating findings about its vulnerabilities.
Among the findings in the Financial Management Practices Audit Report:
• “Twenty-six publicly accessible servers were located within the BCPS internal network rather than being isolated in a separate protected network zone to minimize security risks. . . If compromised [these] could expose the internal network to attack from external sources.”
• Intrusion detection prevention system coverage “did not exist for untrusted encrypted traffic entering the BCPS network.” An appliance used as a safeguard “was configured to only analyze unencrypted traffic.”
• Network firewall protection protocols allowed “encrypted traffic from any source to unique network destinations within BCPS’ internal network.” This lack of coverage created network security risks which could allow traffic containing malicious data “to go undetected.”
It wasn’t the first legislative audit to call out BCPS’ security deficiencies. In a 2015 report, auditors noted – verbatim, in many cases – the same vulnerabilities with the same upshot: That BCPS’ network was not adequately secured.
“14 publicly accessible servers were located in the BCPS internal network rather than isolating these servers in a separate protected network zone.” – 2015 report
“26 publicly accessible servers were located within the BCPS internal network rather than being isolated in a separate protected network zone” – 2020 report
They also found that the system’s firewall rules allowed numerous insecure and unnecessary connections to critical network devices.
Gallagher, now a senior threat researcher at the cybersecurity firm Sophos, reviewed this year’s audit for The Brew.
He said it showed BCPS was highly vulnerable to RDP (remote desktop protocol) attacks, “a very common way” for hackers to enter a remote network.
BCPS’ system was prey to everything from simple password guessing or phishing to the purchasing of employees’ unsecured passwords on the Dark Web, he said, noting that his conclusions were based on the audit since he has not scrutinized BCPS data systems since leaving tech journalism.
“A student, teacher or administrator with the password [could have] given it up. Or someone shared a password with someone else in a public forum,” Gallagher said.
“There are known flaws in these protocols.”
Personal Data Exposed
The state audit and subsequent attack are not the only red flags indicating Baltimore County schools’ inadequate safeguards.
Just two weeks after Gallagher’s report about BCPS’ firewall gaps in May 2019, the district had another data security embarrassment.
This time 36,000 folders, spanning 10 years, had been exposed after a routine Microsoft 365 software update, a tool within the district’s “BCPS One” public-facing platform.
• Baltimore’s out-of-date and underfunded IT system was ripe for ransomware attack (5/21/19)
• Major Security Flaw Detected on Baltimore County Schools’ Digital Platform, Exposing Highly Sensitive Information on Students and Staff Members (Baltimore Post, 6/5/19)
The error allowed sensitive records – including special education reports, suspension and expulsion data, medical information and state assessment scores – to be seen by anyone holding a password to the portal.
Credential holders included students, their parents or guardians and thousands of teachers and staff members.
As reported by the Baltimore Post, concerned parents who came across the sensitive documents notified school administrators who apparently did nothing to secure the data.
The material remained unsecured for days until a Post reporter queried a member of the system’s IT department after-hours. In response, the district immediately shut down access to the application within its portal, throwing some students preparing for final exams at the time into a panic.
Then-Interim Superintendent Verletta White pointed to Microsoft’s software update – and eight employees who allowed the files to be viewed publicly, prior to the update – as the cause for the data lapse, while Microsoft pointed squarely at the district.
“We’re working with Baltimore County Public Schools to help resolve their issue,” a spokesperson for Microsoft told the Baltimore Post at the time. “We encourage customers to use best practices when configuring sharing settings unique to their needs.”
Moaning at a Meeting
A more recent incident that shocked those attending the school board’s October 13 virtual meeting – the sound of a moaning woman coming from an unmuted mic – raised concern it could be the result of a network system breach.
A state investigation into the source of what was described as a pornographic sound – heard after 1 a.m. toward the end of the meeting – concluded that it “did not appear to be intentionally transmitted” and so was not the result of a hack by an outsider.
The sound, which drew multiple complaints, occurred during a time when only employees and school board members were participating in the meeting, sources tell The Brew.
School employees may have used a system-issued device to access pornographic sites, thereby opening up the system to a cyber threat.
But to tech security expert Gallagher, the fact that the interruption was not the result of a hack doesn’t let BCPS off the hook.
Employees who may have used a system-issued device to access pornographic sites could have opened up the system to a cyber threat.
“Adult sites are a major factor in cyber security” underscoring the need to establish better security measures, Gallagher said.
He warned that employees working from home – and the blurring of boundaries between personal and professional devices – have created dangerous security vulnerabilities for school systems, governments and private entities, especially with so many people now teleworking due to Covid.
Data Backed up?
Gallagher said he was not surprised by the weaknesses revealed by the state audit because school IT departments are typically underfunded.
“It was not a discipline that school districts invest a lot of money in,” he said.
For the last two years, public school networks have been a major target of hackers, underscoring the need for more support and for state governments to possibly take over information security rather than leaving it to local jurisdictions.
“If they don’t have backups on the grading systems, etc., they are going to have to pay the ransom” – Sean Gallagher
As for how the system will respond to the hackers, Gallagher told The Brew that comes down to how well the district backed up its data offsite.
“If they don’t have backups on the grading systems, etc., they are going to have to pay the ransom because it is the quickest way for us to get the data back,” he said, pointing out that high-level cyber-criminals are coldly calculating and sophisticated.
“This is purely a business operation for them,” he said, noting that hackers often refer to their victims as “clients.”
• To reach a reporter: email@example.com or firstname.lastname@example.org Use 410-410-419-9620 to call Costantino, or reach her through the Signal App.