Categories
Newscasts

US commemorates 9/11 attacks with victims in focus, but politics in view

AP correspondent Julie Walker reports on the family members who come every year to the 9/11 memorial to remember their loved ones.
Categories
Newscasts

AP Headline News – Sep 11 2024 10:00 (EDT)

Categories
Newscasts

VOA Newscasts

Categories
Full Text Articles - Audio Posts

Highline Public Schools school district suspended its activities following a cyberattack

Highline Public Schools, a school district in Washington state, remains closed following a cyberattack that occurred two days ago.

Two days ago Highline Public Schools (HPS), a school district in Washington state, suffered a cyberattack that significantly disrupted its activities.

Highline Public Schools (HPS) is a public school district in King County, headquartered in Burien, Washington; it serves more than 18,000 students.

HPS took critical systems offline in response to the security incident.

“We have detected unauthorized activity on our technology systems and have taken immediate action to isolate critical systems. We are working closely with third-party, state and federal partners to safely restore and test our systems,” reads the first statement published by the school district on Monday.

“We understand this comes as an unexpected disruption, particularly on the eve of the first day of kindergarten for many of our families. We recognize the burden this decision places on both families and staff, but student safety is our top priority, and we cannot have school without these critical systems in place.”

Two days later, the Washington state school district is still closed due to the unavailability of its IT systems.

Following the cyberattack, the school district announced the closure of its facilities and the temporary suspension of all activities, including athletics and meetings.

“All schools will remain closed on Tuesday, September 10. All school activities, athletics and meetings are canceled. Central office will be open,” reads the statement published by HPS on its website. “Our investigation into unauthorized activity on our technology systems is ongoing, and critical systems are still offline. We understand canceling school is a significant disruption for our families and staff, but student safety remains our top priority.”

HPS did not provide details about the attack; however, the measures adopted in response to the incident suggest it was the victim of a ransomware attack. At this time, no cybercrime group has claimed responsibility for the attack.

Unfortunately, school districts are prime targets for cybercrime groups because of the huge amount of data they manage.

In March 2024, schools in Scranton, Pennsylvania, experienced a ransomware attack that resulted in IT outages. In September 2022, one of the largest US school districts, the Los Angeles Unified School District, suffered a ransomware attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Education) 

Categories
Newscasts

US presidential candidates held a televised debate | News digest “Время Свободы”

Categories
Newscasts

US commemorates 9/11 attacks with victims in focus, but politics in view

AP correspondent Julie Walker reports on the politics of September 11th.

Categories
Full Text Articles - Audio Posts

RansomHub ransomware gang relies on Kaspersky TDSSKiller tool to disable EDR

Researchers observed the RansomHub ransomware group using the TDSSKiller tool to disable endpoint detection and response (EDR) systems.

The RansomHub ransomware gang is using the TDSSKiller tool to disable endpoint detection and response (EDR) systems, the Malwarebytes ThreatDown Managed Detection and Response (MDR) team observed.

TDSSKiller is a legitimate tool developed by the cybersecurity firm Kaspersky to remove rootkits; the same software can also disable EDR solutions when driven through a command-line script or batch file.

The experts noticed that the ransomware group also used the LaZagne tool to harvest credentials. During the case investigated by MDR, experts observed that LaZagne generated 60 file writes, likely logging extracted credentials, and performed one file deletion, likely to hide traces of the credential-harvesting activity.

“Although both TDSSKiller and LaZagne have been used by attackers for years, this is the first record of RansomHub using them in its operations, with the TTPs not listed in CISA’s recently published advisory on RansomHub,” reads the Malwarebytes MDR report. “The tools were deployed following initial reconnaissance and network probing through admin group enumeration, such as net1 group "Enterprise Admins" /do.”

RansomHub used TDSSKiller with the -dcsvc flag to try disabling critical security services, specifically targeting Malwarebytes Anti-Malware Service (MBAMService). The command aimed to disrupt security defenses by disabling this service.

Command line: tdsskiller.exe -dcsvc MBAMService, where the -dcsvc flag was used to target specific services. In this instance, attackers attempted to disable MBAMService.

RansomHub is a ransomware as a service (RaaS) that was employed in the operations of multiple threat actors. Microsoft reported that RansomHub was observed being deployed in post-compromise activity by the threat actor tracked as Manatee Tempest following initial access by Mustard Tempest via FakeUpdates/Socgholish infections.

Experts believe RansomHub is a rebrand of the Knight ransomware. Knight, also known as Cyclops 2.0, appeared in the threat landscape in May 2023. The malware targets multiple platforms, including Windows, Linux, macOS, ESXi, and Android. The operators used a double extortion model for their RaaS operation.

This isn’t the first time that security experts have documented the abuse of the tool developed by Kaspersky.

The Sangfor Cyber Guardian Incident Response team reported that the LockBit ransomware gang used the -dcsvc parameter of TDSSKiller as part of their attack chain.

Attackers use legitimate tools because they are not blocked by security solutions.

Malwarebytes shared indicators of compromise (IoCs) for these attacks and recommends:

  • Isolate critical systems through network segmentation to limit lateral movement.
  • Restrict Bring Your Own Vulnerable Driver (BYOVD) exploits by implementing controls to monitor and restrict vulnerable drivers like TDSSKiller, especially when executed with suspicious command-line flags such as -dcsvc. Quarantining or blocking known misuse patterns while allowing legitimate uses can prevent BYOVD attacks.
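The second recommendation is easy to turn into a concrete detection. The script below is an added example, not code from Malwarebytes or the article: it runs two rules over constructed, Sysmon-style process-creation records (the Image/CommandLine/RecordId field names are this example's assumption) and flags only TDSSKiller invocations carrying -dcsvc, so ordinary rootkit scans pass, plus the net1 group "Enterprise Admins" /do style of privileged-group enumeration the report quotes.

```python
"""Flag the two RansomHub TTPs described in the article in process-creation
telemetry. Events are constructed samples modelled on the quoted commands."""
import re

# Privileged AD groups whose enumeration against the domain (/do) merits an alert.
SENSITIVE_GROUPS = {"enterprise admins", "domain admins", "schema admins"}
# TDSSKiller's -dcsvc <service> switch: the only use the report treats as suspicious.
DCSVC_RE = re.compile(r'(?i)(?:^|\s)-dcsvc\s+"?([^\s"]+)')
# net / net1 group <name> /do or /domain: domain group enumeration.
GROUP_ENUM_RE = re.compile(r'(?i)\bgroup\s+"?([^"]+?)"?\s+/do(?:main)?\b')


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def detect(event):
    """Return a list of (rule, detail) findings for one process-creation event."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    findings = []
    if image == "tdsskiller.exe":
        # Plain scans are legitimate use; only service disabling is flagged.
        m = DCSVC_RE.search(cmd)
        if m:
            findings.append(("tdsskiller_dcsvc", f"service={m.group(1)}"))
    if image in ("net.exe", "net1.exe"):
        m = GROUP_ENUM_RE.search(cmd)
        if m and m.group(1).strip().lower() in SENSITIVE_GROUPS:
            findings.append(("privileged_group_enum", f"group={m.group(1)}"))
    return findings


def scan(events):
    """Run detect() over a batch; returns [(record_id, rule, detail), ...]."""
    return [(e["RecordId"], rule, detail) for e in events for rule, detail in detect(e)]


# Constructed sample telemetry (not from the incident): a benign TDSSKiller log-only
# scan, the -dcsvc attempt quoted in the article, the quoted group enumeration,
# and an unrelated net command that must not fire.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Tools\tdsskiller.exe", "CommandLine": "tdsskiller.exe -l scan.log"},
    {"RecordId": 2, "Image": r"C:\Users\Public\tdsskiller.exe", "CommandLine": "tdsskiller.exe -dcsvc MBAMService"},
    {"RecordId": 3, "Image": r"C:\Windows\System32\net1.exe", "CommandLine": 'net1 group "Enterprise Admins" /do'},
    {"RecordId": 4, "Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use Z: \\fileserver\share"},
]

if __name__ == "__main__":
    for rec, rule, detail in scan(SAMPLE_EVENTS):
        print(f"record {rec}: {rule} ({detail})")
```

Records 2 and 3 are reported; records 1 and 4 are not, which is the "allow legitimate uses" half of the recommendation.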

Pierluigi Paganini

(SecurityAffairs – hacking, RansomHub ransomware) 

Categories
Newscasts

9AM ET 09/11/2024 Newscast

Categories
Newscasts

AP Headline News – Sep 11 2024 09:00 (EDT)
