Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

DHS Shares Data on Top Cyber Threats to Federal Agencies

Backdoors, cryptominers, and ransomware were the most widely detected threats by the DHS Cybersecurity and Infrastructure Security Agency (CISA)'s intrusion prevention system EINSTEIN.

The US federal government's civilian agencies see many of the same attacks as the private sector, fending off ransomware, cryptominers, and backdoors, according to the an alert published this week by the US Department of Homeland Security's main cybersecurity agency.

In the June 30 alert, the Cybersecurity and Infrastructure Agency (CISA) warned that three threats constituted more than 90% of the active signatures detected by the government's intrusion prevention system known as EINSTEIN. The three threats are the NetSupport Manager RAT, the Kovter Trojan, and the XMRig cryptominer. While DHS CISA did not discuss the impact that the threats have had on government agencies, the agency did provide Snort signatures for other security analysts to use.  

The release shows the US government may start sharing more information with the private sector on cyberattacks, says Johannes Ullrich, dean of research for the SANS Technology Institute, a professional cybersecurity education organization.

"It is nice that they share, and it's interesting, but not surprising that they are seeing what everyone else is seeing: A backdoor, a cryptominer, and ransomware," he says. "For me as a researcher, it's good to know that they are seeing the same things we are."

The usefulness of the data, however, is somewhat dampened by the fact that the information is from the month of May and at least 30 days old. In addition, defenders increasingly rely on behavior-recognition technologies and not pattern-matching to detect threats, Ullrich says.

"This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats," the CISA stated in its advisory

The EINSTEIN Program is the DHS's baseline cybersecurity capability that detects and blocks attacks on civilian federal agencies. First deployed in 2003, the system is in its third iteration, which was originally envisioned to incorporate classified cyberattack signatures into its defenses but has transitioned to using commercial cybersecurity services. In addition, the DHS continues to reduce the number of access points used by government agencies to increase the visibility of its centralized cybersecurity force. 

"The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian departments and agencies," CISA stated. "By collecting information from participating federal departments and agencies, CISA builds and enhances our Nation’s cyber-related situational awareness."

One of the three threats - the NetSupport Manager Remote Access Tool - uses legitimate administration software to infect systems and allow them to be remotely controlled by the attacks. 

"In a malicious context, it can — among many other functions — be used to steal information," CISA stated. "Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications."

A second threat, Kovter, is a fileless attack tool that is often used for click fraud, but also as a downloader for ransomware, according to recent analyses of the malware. In 2013, the malware started as scareware, waiting for the user to do something embarrassing, and then inserting a popup of a fake police notice. The program ranked No. 5 on the Center for Internet Security's Top-10 list of malware in April.

XMRig, a program for mining Monero cryptocurrency, is the third program. While the program focuses on consuming processing power for its computations, XMRig can also lead to overheating hardware and poor performance for business-critical applications. 

Any company that finds XMRig should worry about other malware on their network as well, Ullrich says. The recently discovered Lucifer malware, for example, installs XMRig as part of compromising a system.

"If you are seeing a cryptominer, then it is indicative that you have at least one system with a wide-open vulnerability," he says.

Related Content

 

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
9/14/2020 | 5:03:36 PM
Re: hmmm
A backdoor, a cryptominer, and ransomware," he says.

Hmm, interesting, we were the ones who created ransomware and deployed it to other countries but it was not designed to be used for monetary purposes, it was called cryptoviral extortion. So let's be clear, we invented it - the question you have to ask yourself -  if it was created at Columbia University, how did it happen to appear from other nation-states radar and how is it that other countries are attacking us using our own software program. They reversed engineered it and sent it back to us. This also happened with Stuxnet and NitroZeus. 

But the conversation was not only just based on that, it also covered numerous programs that were getting out of hand, managed by people who got sloppy drunk over their power broker decisions. It never fails, General Alexander, Clapper, and now DHS's power-hungry leader. The funny thing is that they (Congress) tried to denounce Clapper and Alexander's decision but they were the one's who authorized it, basically to deploy and initiate cyber-warfare on nation-states (some of which were even our allies - France and England - they found us spying on prime-minister's cell phone and Video conferencing sessions, we found a way to hack their session, those video conferencing sessions were held on US soil - NY/US).
  • The concept of file-encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. It is called cryptoviral extortion and it was inspired by the fictional face-hugger in the movie Alien.

It is funny how we act like the victim when we are the one's causing the problems, another instance of "chickens coming home to roost", for some reason, this sounds familiar.

T
susanarose
50%
50%
susanarose,
User Rank: Apprentice
8/17/2020 | 12:14:36 PM
Re: hmmm
Apparently, no. 
mitchellwekey
100%
0%
mitchellwekey,
User Rank: Apprentice
7/21/2020 | 7:45:11 PM
hmmm
So no mentions on cryptocurrencies?
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/16/2020 | 6:46:17 PM
Interested info about Einstein
Sounds good, but what they did not tell you is that there are different versions of Einstein I and II, I think there are more. This SIEM project was really part of the Prism program because of the egregious violations against US citizens. It was also part of the two other programs Trailblazer (failure after spending billions of dollars and Thin Thread created by William "Bill" Binney" who was the architect who would have caught the 911 bombing if they would have allowed him - 28 years at NSA as the leading technical director, actually they arrested him at gunpoint in his own house when he identified and brought the information to their attention).

It is interesting to see that they are sharing after years of asking for this (its about damn time - Labraun James). I am glad the regime has retired/gone and a new group of leaders is taking up the mantle with new ideas (i.e. Clapper and General Alexander https://www.cnet.com/news/nsa-surveillance-programs-prism-upstream-live-on-snowden/)

Anyway, thank you for sharing.

Todd
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27660
PUBLISHED: 2020-11-30
SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter.
CVE-2020-27659
PUBLISHED: 2020-11-30
Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter.
CVE-2020-29127
PUBLISHED: 2020-11-30
An issue was discovered on Fujitsu Eternus Storage DX200 S4 devices through 2020-11-25. After logging into the portal as a root user (using any web browser), the portal can be accessed with root privileges when the URI cgi-bin/csp?cspid=&csppage=cgi_PgOverview&csplang=en is visit...
CVE-2020-25624
PUBLISHED: 2020-11-30
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
CVE-2020-29378
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...