Threat Actor Allegedly Leaked US Department of Education Database, Exposing Student and Teacher Phone Numbers
Threat Actor: IntelBroker (forum member)
Victim: US Department of Education
🌟 The threat actor allegedly breached the database of the US Department of Education.
🌟 The compromised data includes UserIDs and Phone Numbers.
🌟 The leaked data is reported to be 288 megabytes in size.
🌟 Approximately 8.9 million entries were exposed.
The following MITRE ATT&CK techniques and procedures might be relevant:
T1595 - Active Scanning
The threat actor likely started by actively scanning the Department’s external-facing infrastructure to identify vulnerabilities or misconfigurations that could be exploited. This could involve port scanning, vulnerability scanning, or searching for exposed databases.
Possibility - HIGH: The actor could have used automated scanning tools to enumerate services running on the Department’s systems and then targeted those with known vulnerabilities, leading to unauthorized access.
T1190 - Exploit Public-Facing Application
Given that user IDs and phone numbers were exposed, the attacker might have exploited vulnerabilities in a public-facing application, such as a web portal used by the Department of Education.
Possibility - HIGH: Utilizing a flaw in the web application’s code, the attacker could inject malicious payloads to gain unauthorized access or exploit a known vulnerability in the application software, leading to data exfiltration.
T1580 - Cloud Infrastructure Discovery
This technique involves discovering details about cloud infrastructure, including databases hosted in the cloud.
Possibility - LOW: The attacker might enumerate cloud assets using cloud service provider APIs or compromised cloud management credentials to identify and access cloud-hosted databases.
T1530 - Data from Cloud Storage Object
If the Department of Education’s data was stored in a cloud environment, attackers might have accessed and exfiltrated it directly from cloud storage services.
Possibility - LOW: Exploiting improperly secured cloud storage buckets (such as an Amazon S3 bucket with public access or misconfigured permissions), the threat actor could have downloaded sensitive data directly.
T1005 - Data from Local System
To gather valuable data, the threat actor might have extracted files and information directly from systems they gained access to.
Possibility - HIGH: Using custom scripts or malware, the actor could have searched for and exfiltrated files containing sensitive data, such as databases or documents, to a controlled external server.
T1213 - Data from Information Repositories
Attackers target specific information management systems, like databases or document management systems, to access sensitive data.
Possibility - LOW: The attacker might use SQL injection vulnerabilities or exploit default credentials to gain access to the database and execute unauthorized queries to extract data.
T1078 - Valid Accounts
Attackers use valid accounts to interact with and access databases, leveraging stolen credentials.
Possibility - HIGH: By obtaining credentials through phishing or other means, the attacker logs into the database with a legitimate user account, sidestepping the need to defeat authentication controls, and performs unauthorized data extraction.
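As an added defensive example that is not part of the original report: the valid-account and information-repository scenarios above (T1078, T1213) would surface in a database audit log as one account returning far more rows from the user/phone table than its normal baseline, often outside business hours. The log line format, table and column names, row threshold and off-hours window below are assumptions constructed for this example.

```python
# Added example (not from the original report): flag bulk reads of a users/phone table
# by an otherwise-valid account, the trace that T1078 + T1213 would leave in a DB audit log.
# Log format, table/column names, threshold and hours are assumptions constructed here.
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines: "<ts> user=<account> rows=<n> stmt=<sql>"
SAMPLE_AUDIT_LOG = """\
2024-01-10T02:14:03Z user=svc_portal rows=25 stmt=SELECT user_id, phone FROM users WHERE user_id = ?
2024-01-10T02:14:05Z user=svc_portal rows=1 stmt=SELECT user_id, phone FROM users WHERE user_id = ?
2024-01-10T03:41:17Z user=jdoe rows=500000 stmt=SELECT user_id, phone FROM users LIMIT 500000 OFFSET 0
2024-01-10T03:41:52Z user=jdoe rows=500000 stmt=SELECT user_id, phone FROM users LIMIT 500000 OFFSET 500000
2024-01-10T03:42:30Z user=jdoe rows=500000 stmt=SELECT user_id, phone FROM users LIMIT 500000 OFFSET 1000000
2024-01-10T09:02:11Z user=reporting rows=1200 stmt=SELECT count(*) FROM users GROUP BY district
"""

ROW_THRESHOLD = 100_000          # rows per account per hour; tune to the observed baseline
OFF_HOURS = range(0, 6)          # 00:00-05:59 UTC, assumed outside normal business use
SENSITIVE_COLUMNS = ("phone",)   # columns whose bulk export matters most in this incident

def parse_line(line):
    """Split one constructed audit line into its timestamp, account, row count and SQL."""
    ts, user, rows, stmt = line.split(" ", 3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user.split("=", 1)[1],
        "rows": int(rows.split("=", 1)[1]),
        "stmt": stmt.split("=", 1)[1],
    }

def find_bulk_exports(log_text, threshold=ROW_THRESHOLD):
    """Return {account: details} for accounts whose hourly total of rows returned
    by statements touching a sensitive column exceeds the threshold."""
    per_hour = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not any(col in ev["stmt"].lower() for col in SENSITIVE_COLUMNS):
            continue  # aggregate queries without the sensitive column are ignored
        key = (ev["user"], ev["ts"].replace(minute=0, second=0))
        per_hour[key] += ev["rows"]
    alerts = {}
    for (user, hour), rows in per_hour.items():
        if rows > threshold:
            alerts[user] = {"rows": rows, "hour": hour.isoformat(),
                            "off_hours": hour.hour in OFF_HOURS}
    return alerts

if __name__ == "__main__":
    for user, detail in find_bulk_exports(SAMPLE_AUDIT_LOG).items():
        print(f"ALERT account={user} rows={detail['rows']} off_hours={detail['off_hours']}")
```

Paged reads of 500,000 rows by a single account add up across the hour, so the detection keys on the cumulative count rather than any one statement.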