Hackers Selling US College VPN Credentials on Underground Markets, FBI Warns

Hackers are advertising Network and Virtual Private Network (VPN) credentials and access codes for US colleges and universities on underground and public cybercrime marketplaces. The credentials could let attackers infiltrate vulnerable networks and conduct subsequent attacks against their users.

“This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations,” according to an FBI advisory.

The report shows that threat actors leverage various tools and tactics, such as ransomware and spear-phishing, to execute credential harvesting attacks. Attackers exfiltrate the stolen data and market it to Russian cybercrime forums; some credentials are reportedly sold for thousands of US dollars.

Threat actors who buy stolen credentials often use them in brute-force credential stuffing attacks can provide attackers with accounts of the same victim on various platforms, websites and password-protected services.

“If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations,” the FBI warns.

Credential stuffing is a type of cyberattack where the perpetrator uses lists of stolen credentials (usernames, email addresses, passwords) to gain unauthorized access to user accounts, mainly through brute force.

Unfortunately, a single set of credentials often unlocks multiple accounts since many people repeat username and password combinations on multiple services or websites. Fortunately, mitigation against credential stuffing is easy -- avoid using the same email address, username and password for several accounts.

Furthermore, a strong password (minimum character limit, combinations of uppercase, lowercase, numbers and symbols)or a password manager can further decrease the odds of being hit by credential stuffing attacks.

The FBI released a list of mitigation strategies to “reduce the risk of compromise,” namely:

• Keeping operating systems and software up to date
• Implementing strong password policies
• Enabling lock-out rules for failed authentication attempts
• Enabling mandatory multi-factor authentication (MFA)
• Implementing user training programs and phishing exercises
• Segmenting networks to reduce the odds of malware spreading
• Using network monitoring tools to detect, log and report abnormal activity
• Monitoring remote desktop protocol (RDP) usage
• Documenting and limiting external connections to the network