Threat Groups Actively Targeting Higher Education Institutions

Jan. 2023 Threat Advisory 


Threat intelligence can provide valuable insights into the latest vulnerabilities being actively exploited by cybercriminals, as well as the potential impact these vulnerabilities could have on your organization. This information can help you prioritize vulnerabilities and determine the most effective patching or mitigation strategies. 

Threat actor group activity against Higher Education institutions increased in Q4 2022.  

This report looks at those active groups, their motivations and some of the known vulnerabilities the groups are exploiting within Higher Education networks and systems. This report examines cyber threat intelligence data available in the FortifyData platform. FortifyData incorporates threat intelligence data for threat likelihood enrichment capabilities, helping security teams at universities and colleges better prioritize risks and vulnerabilities across networks and IT assets. The FortifyData platform informs risk through incorporation of intelligence sources like AlienVault’s OTX, Cybersecurity and Infrastructure Security Agency (CISA), MITRE ATT&CK and many other threat intelligence sources.

Active Threat Groups 

This report covers ongoing activities of threat groups from starting October 2022 through Jan 2023. During this time there was activity from 18 threat groups identified with related activities specifically targeting Higher Education institutions. Motivations for these groups are classified among financial gain increasingly from malware campaigns, espionage, IP and Research data theft and compromising supply chains. We have aggregated the information to illustrate the groups, their motivations and known CVEs, noting any overlap.



The known CVEs employed by the threat groups vary with only some overlap among certain vulnerabilities, as identified through internal scanning assessments. PrintNightmare (Windows Print Spooler Remote Code Execution) is one CVE being targeted by two different groups, Vice Society and Mustang Panda as part of their efforts of espionage, financial gain and research theft.  

The CVEs targeted range from ‘Medium’ to ‘Critical’ based on CVSS 3.0 scoring. Higher Education Institutions must utilize a process to prioritize vulnerability identification and remediation of affected assets using data from this threat advisory report.  

An important question to ask your vulnerability management team is “Does your current vulnerability management system uses more than just CVSS and auto-prioritize vulnerabilities using informed industry threat intelligence data, and asset criticality?”. CVSS scores are just not sufficient, as the pace of threat activity within your industry is vital to remain proactive with effectively resolving issues that matter most to your institution. Automating these processes will help scale your vulnerability and remediation management program.

Higher Education Targeted CVEs and Threat Actors Involved
CVE Description CVSS 3.0 Actors Targeting CVEs 
CVE-2022-31199 Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems9.8 Silence Group 
CVE-2021-4044 Microsoft MSHTML Remote Code Execution 7.8 Mustang Panda / Earth Preta 
CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability8.8 Mustang Panda / Earth Preta 
CVE-2021-1675 Windows Print Spooler Elevation of Privilege8.8 Mustang Panda / Earth Preta 
CVE-2022-30190 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution7.8 Gelsemium 
CVE-2021-27065 Microsoft Exchange Server Remote Code Execution7.8 Winnti 
CVE-2021-26855 Microsoft Exchange Server Remote Code Execution9.8 Winnti 
CVE-2019-2215 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.23 and prior.4.9 SideWinder 
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. 9.8 Tilted Temple 
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. 9.8 Tilted Temple 
CVE-2021-33617 Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid. 5.3 Tilted Temple 
CVE-2021-28799 An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device.9.8 Tilted Temple 
CVE-2018-13379 An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests. 9.8 Agrius 

Auto-Prioritize Vulnerabilities with Risk-based Vulnerability Management  

The FortifyData platform uses risk informed intelligence presented above incorporated with external and internal vulnerability assessments to auto-prioritize risks and vulnerabilities within your institution. Additional context such as asset criticality is also considered during the assessments. The system does this on your behalf, so you don’t have to manually review and prioritize every vulnerability using published threat intelligence – unless you really love doing that.  

CISA Advisories and Notable Ransomware Findings 

For additional context, a few of these threat groups have specific alerts, or are referenced in notices, issued by CISA that include additional information on IOCs, and Mitre Att&ck technics.  

Most recently Vice Society received an alert from CISA due to their prevalence for deploying ransomware attacks against the education sector. Palo Alto Networks threat research group Unit 42 in their incident response reports on Vice Society note some additional findings of active ransomware campaigns- such as dwell times as high as 6 days, initial ransom requests at $1,0000,000 and accepted ransoms in the range of $400,000.  


Targeted Geographies 

Antarctica seems to be a safe spot. You can scroll through these maps that show which geographies each of the group targets, based on attribution information to date. As you may be aware these groups originate from various parts of the world, and likewise target many different parts of the globe.  

What Should You Do? 

Higher education institutions should:  

  • Conduct both external and internal risk-based vulnerability assessments on networks and internal hosts across departments, schools and devices.  
  • Leverage this report to re-prioritize vulnerabilities or implement an automated risk-based vulnerability management solution where it continuously informs and prioritizes vulnerabilities for effective remediation.   

If you want to find out if your institution is susceptible to attacks from these groups, contact us.  

FortifyData can help you gain instant and continuous visibility of vulnerabilities targeted by actors focused on the Higher Education sector. 

Watch our video below, read more about our solutions for higher education institutions or schedule a demo to learn more. 

Related Posts