How Hackers Evaded Detection at CSUSM
According to Morningstar and Hudson, the threat actors gained access to CSUSM’s network via outdated student and staff credentials, some dating back to 2015. The credentials belonged to alumni, former students and privileged domain-level service accounts.
The old passwords were weaker than the university’s current standard, which now requires a minimum of 15 characters. As Morningstar explained, these kinds of accounts are often created with a “set it and forget it” mentality: nobody reviews them after creation, and their passwords are never rotated, which makes them easy targets for attackers.
Additionally, the threat actors managed to pivot between accounts. The team would block one avenue, and the attackers would move to another, Morningstar said. The ability to jump between outdated student accounts and service accounts with weak passwords allowed the attackers to operate quickly and effectively.
Critical Steps After a Ransomware Attack
Following the breach and its detection, CSUSM deployed a series of changes to strengthen its security posture. Morningstar and Hudson explained that one of the first measures was a campuswide password reset and a rollout of multifactor authentication (MFA). In fact, “prior to this event, all the students that had financial aid had already completed MFA setup,” said Morningstar, so the transition to campuswide MFA was fairly seamless.
Beyond this measure, Hudson said, the larger CSU system partnered with Secureworks to enact a cyber hygiene plan that prioritizes endpoint detection and response (EDR) and extended detection and response (XDR). The plan also includes re-evaluating how long former student accounts should remain active and ensuring that domain users have unique credentials for each account they might access, so that a password stolen from one account does not open another.
These efforts were successful, ejecting the threat actors and improving network security.
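The two weaknesses described above, dormant accounts whose passwords were never rotated (the “set it and forget it” accounts in the first section) and the account-retention and unique-credential gaps in the hygiene plan, can both be surfaced from a directory export before an attacker finds them. The following Python triage is an added example, not CSU’s or Secureworks’ tooling: the thresholds, the account records and the `pwd_hash` identifier are constructed for illustration, and in a real audit the fields would come from `pwdLastSet`, `lastLogonTimestamp` and a credential-hash comparison run against a domain controller.

```python
"""Stale-credential triage over a constructed AD-style account export.

Added example with hypothetical thresholds and data; not CSU's tooling or policy.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical policy values (assumptions, not the university's actual settings).
PASSWORD_MAX_AGE_DAYS = {"privileged": 90, "standard": 365}
INACTIVE_DAYS = 180            # enabled account with no logon for this long is dormant
ALUMNI_RETENTION_DAYS = 365    # how long an alumni account may stay enabled after separation


@dataclass
class Account:
    sam: str                        # sAMAccountName
    affiliation: str                # "student", "staff", "alumni" or "service"
    enabled: bool
    pwd_last_set: datetime          # pwdLastSet
    last_logon: Optional[datetime]  # lastLogonTimestamp, None if never used
    pwd_hash: str                   # opaque id for the stored credential hash (constructed)
    privileged: bool = False        # member of a Tier 0 group such as Domain Admins
    separated_on: Optional[datetime] = None  # leave date for alumni / former staff


@dataclass
class Finding:
    sam: str
    severity: str                   # "high" for privileged accounts, else "medium"
    reasons: List[str] = field(default_factory=list)


def triage(accounts: List[Account], now: datetime) -> List[Finding]:
    """Return one Finding per enabled account that violates a hygiene rule."""
    enabled = [a for a in accounts if a.enabled]

    # Password reuse: two enabled accounts storing the same credential hash means
    # one stolen password opens both (e.g. a user's normal and admin account).
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for a in enabled:
        by_hash[a.pwd_hash].append(a.sam)

    findings: List[Finding] = []
    for a in enabled:
        reasons: List[str] = []

        # Privileged (Tier 0) accounts get a tighter rotation window.
        limit = PASSWORD_MAX_AGE_DAYS["privileged" if a.privileged else "standard"]
        pwd_age = (now - a.pwd_last_set).days
        if pwd_age > limit:
            reasons.append(f"password last set {pwd_age} days ago (limit {limit})")

        if a.last_logon is None:
            reasons.append("never logged on")
        elif (now - a.last_logon).days > INACTIVE_DAYS:
            reasons.append(f"no logon for {(now - a.last_logon).days} days")

        if a.affiliation == "alumni" and a.separated_on is not None:
            since = (now - a.separated_on).days
            if since > ALUMNI_RETENTION_DAYS:
                reasons.append(f"alumni account still enabled {since} days after separation")

        peers = [s for s in by_hash[a.pwd_hash] if s != a.sam]
        if peers:
            reasons.append("same password as " + ", ".join(peers))

        if reasons:
            findings.append(Finding(a.sam, "high" if a.privileged else "medium", reasons))
    return findings


# Constructed sample export; dates are chosen to exercise each rule.
UTC = timezone.utc
NOW = datetime(2024, 1, 1, tzinfo=UTC)
SAMPLE_ACCOUNTS = [
    # Alumni account from 2015, never touched since, still enabled.
    Account("jdoe2015", "alumni", True, datetime(2015, 9, 1, tzinfo=UTC),
            datetime(2016, 5, 20, tzinfo=UTC), "h-jd",
            separated_on=datetime(2016, 5, 15, tzinfo=UTC)),
    # Privileged service account in daily use but with a years-old password.
    Account("svc_backup", "service", True, datetime(2017, 3, 10, tzinfo=UTC),
            datetime(2023, 12, 30, tzinfo=UTC), "h-bk", privileged=True),
    # Staff member whose normal and admin accounts share one password.
    Account("asmith", "staff", True, datetime(2023, 11, 1, tzinfo=UTC),
            datetime(2023, 12, 28, tzinfo=UTC), "h-as"),
    Account("asmith-adm", "staff", True, datetime(2023, 11, 1, tzinfo=UTC),
            datetime(2023, 12, 28, tzinfo=UTC), "h-as", privileged=True),
    # Already disabled: ignored by the triage.
    Account("bgone", "student", False, datetime(2014, 1, 1, tzinfo=UTC), None, "h-bg"),
]


def sample_report() -> Dict[str, Finding]:
    """Run the triage over the constructed sample and key the findings by account."""
    return {f.sam: f for f in triage(SAMPLE_ACCOUNTS, NOW)}


if __name__ == "__main__":
    for f in sample_report().values():
        print(f"[{f.severity}] {f.sam}: " + "; ".join(f.reasons))
```

Run against the sample, the alumni account trips all three age rules, the backup service account is flagged high on password age alone even though it logs on daily, and the staff member’s two accounts are flagged for sharing a credential, which is exactly the pivot path between ordinary and privileged accounts that the article describes. Accounts that are already disabled are left out so the report shows only live exposure.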
Cybersecurity Strategies to Consider Moving Forward
The university system learned several lessons from this event. A crucial first step for campuses everywhere is to increase their network visibility. CSU worked closely with Microsoft and Secureworks to implement an incident response plan that broadened visibility and created a tiered security model.
As CSU’s leaders explained, separating a Tier 0 network (the identity infrastructure, such as domain controllers and the accounts that administer them) from a Tier 1 network (servers and applications) offers better protection for students and system admins. Even if a threat actor obtained credentials in one tier, the siloed environment would keep them from moving laterally into the other.
Finally, CSU leaders encouraged other campuses to reconsider the level of access alumni accounts should have. They also emphasized incorporating EDR and XDR into a campus’s incident response plan to enable earlier detection and quicker action. Together, these measures can greatly improve a campus’s security posture and protect future users.