TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Threats Plague Educational Organizations

2025-11-13

ATT&CK techniques detected (16 predictions)

T1110 · Brute Force · 92%
"…sector was slightly higher than in other sectors, likely due to educational systems relying heavily on remote administration. Deep-dive: what do cyberattacks on schools look like? We've seen endless media coverage about cyberattacks on the education sector, but what does an …"

T1567.002 · Exfiltration to Cloud Storage · 82%
"…malicious AnyDesk instance was removed. Rclone data exfiltration: in May, the SOC encountered a threat actor downloading Rclone and attempting to use it to exfiltrate data from a high school. Rclone was used to attempt to obtain the contents from several directories (including on…"

T1657 · Financial Theft · 81%
"Threats plague educational organizations. As a managed endpoint detection and response (EDR) company, we see attacks hitting all kinds of sectors. But cyberattacks hitting the education sector can be particularly sinister. The education space encompasses both K-12 school distr…"

T1486 · Data Encrypted for Impact · 80%
"Threats plague educational organizations. As a managed endpoint detection and response (EDR) company, we see attacks hitting all kinds of sectors. But cyberattacks hitting the education sector can be particularly sinister. The education space encompasses both K-12 school distr…"

T1219 · Remote Access Tools · 65%
"…of incidents seen in 2024. Threats facing schools: threat actors target higher education and K-12 school districts through various means. This includes phishing attacks against faculty and students, which often include lures that pretend to come from the university or school dist…"

T1133 · External Remote Services · 62%
"…sector was slightly higher than in other sectors, likely due to educational systems relying heavily on remote administration. Deep-dive: what do cyberattacks on schools look like? We've seen endless media coverage about cyberattacks on the education sector, but what does an …"

T1048 · Exfiltration Over Alternative Protocol · 59%
"…malicious AnyDesk instance was removed. Rclone data exfiltration: in May, the SOC encountered a threat actor downloading Rclone and attempting to use it to exfiltrate data from a high school. Rclone was used to attempt to obtain the contents from several directories (including on…"

T1078.003 · Local Accounts · 58%
"…instance to cast a wide net across their downstream customer base, effectively hitting multiple organizations through one attack. In this incident, a user operating as SYSTEM used the Atera instance to execute C:\ProgramData\AnyDesk.exe and then install an additional AnyDes…"

T1021.001 · Remote Desktop Protocol · 55%
"…RDP instance for this school, which used both managed SIEM and managed EDR. Further investigation into one of the school's hosts revealed it was exposing its domain controller. Exposed ports are major security risks for organizations and can open systems to various attacks, fro…"

T1219 · Remote Access Tools · 51%
"…RDP instance for this school, which used both managed SIEM and managed EDR. Further investigation into one of the school's hosts revealed it was exposing its domain controller. Exposed ports are major security risks for organizations and can open systems to various attacks, fro…"

T1078 · Valid Accounts · 49%
"…sector was slightly higher than in other sectors, likely due to educational systems relying heavily on remote administration. Deep-dive: what do cyberattacks on schools look like? We've seen endless media coverage about cyberattacks on the education sector, but what does an …"

T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol · 47%
"…malicious AnyDesk instance was removed. Rclone data exfiltration: in May, the SOC encountered a threat actor downloading Rclone and attempting to use it to exfiltrate data from a high school. Rclone was used to attempt to obtain the contents from several directories (including on…"

T1486 · Data Encrypted for Impact · 34%
"…and Social Security numbers for children. For instance, after the Minneapolis Public Schools were hit by Medusa ransomware in 2023, the threat actors behind the attack released highly sensitive details about students, including sexual assault case files. Understanding the techniq…"

T1110.004 · Credential Stuffing · 34%
"…sector was slightly higher than in other sectors, likely due to educational systems relying heavily on remote administration. Deep-dive: what do cyberattacks on schools look like? We've seen endless media coverage about cyberattacks on the education sector, but what does an …"

T1537 · Transfer Data to Cloud Account · 32%
"…malicious AnyDesk instance was removed. Rclone data exfiltration: in May, the SOC encountered a threat actor downloading Rclone and attempting to use it to exfiltrate data from a high school. Rclone was used to attempt to obtain the contents from several directories (including on…"

T1133 · External Remote Services · 31%
"…RDP instance for this school, which used both managed SIEM and managed EDR. Further investigation into one of the school's hosts revealed it was exposing its domain controller. Exposed ports are major security risks for organizations and can open systems to various attacks, fro…"

Summary

Threat actors are targeting the education sector with data breaches, phishing emails, ransomware hits, brute-force RDP attacks, and more.