Cyber Threat Actor Group “Vice Society” Targeting UCLA and Education Sector

We are writing to raise awareness and urge vigilance around a cyber threat actor group named Vice Society. This group has been observed by the FBI, CISA, and other agencies to disproportionately target the education sector with ransomware attacks, and the Information Security Office has recently tracked active attempts by their infrastructure to exploit campus platforms. This group recently claimed responsibility for the ransomware on LAUSD which resulted in the theft of 500GBs worth of data.

Vice Society has been observed leveraging compromised credentials to gain an initial foothold into environments, and then pivoting to the usage of legitimate system administration tools such as psexec and WMI to evade detection by traditional endpoint protection products. This can present unique challenges to detect and prevent attacks within the organization. We strongly urge all campus operators to review the information below and maintain vigilance against this persistent threat.

What the Information Security Office is doing:

• We have blocked the threat actor IPs at the campus border indicated in the CISA advisory and other closed-source intelligence feeds.
• Indicator file hashes and other signatures have been uploaded to our campus network monitoring systems.
• We are working with our partners at Mandiant to continue tracking this group behavior and updating our countermeasures as new information becomes available.

What you can do:

• Ensure the FireEye Endpoint Security (FES) agent is running on all university-owned systems.
  • This will also ensure protection on remote systems used by hybrid or fully-remote workforce members
• Encourage the use of Campus VPN whenever working offsite. 
  • This will network traffic is encrypted, including the transfer of credentials and keys
• Review the CISA Advisory below and take steps to implement any local security controls (e.g., firewalls, ACLs, other endpoint protection products) against the indicators provided. 
• Ensure strong, complex passwords are in place and rotated regularly for privileged accounts; enable MFA wherever possible.
• The ISO provides local Duo tenant accounts free of charge (https://ociso.ucla.edu/services/multi-factor-authentication-mfa). Email security@ucla.edu to get started.
• Stay current on patching and vulnerability management
  • Particularly with regard to Windows systems

Additional Information:

• CISA Advisory - https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
• Attacks on Education - https://www.bleepingcomputer.com/news/security/fbi-warns-of-vice-society-ransomware-attacks-on-school-districts/
• LAUSD Ransomware - https://www.bleepingcomputer.com/news/security/vice-society-claims-lausd-ransomware-attack-theft-of-500gb-of-data/
   

If you have any questions, please do not hesitate to reach out to security@ucla.edu. Thank you for your vigilance!