CISA names top 3 threats to government systems
- By Derek B. Johnson
- Jul 06, 2020
Analysis of the Cybersecurity and Infrastructure Security Agency’s EINSTEIN intrusion detection system has determined that remote-access tool exploitation, fileless Trojan malware and cryptocurrency mining software accounted for 90% of the observed threat activity against civilian federal systems and networks in May.
According to a June 30 CISA post looking at trend data for the month of May, nearly all the network intrusion signatures picked up by the system fall into one of three groups.
The first is actually a legitimate software program – NetSupport Manager. The remote access tool gives system administrators remote access to employee devices, but when phishing schemes trick users into downloading the tool, malicious actors can gain unauthorized access to users’ machines. In May, Microsoft's Security Intelligence wing warned about a massive COVID-19 themed phishing campaign to entice users to click on links that would install the NetSupport RAT on their computers.
The second most popular attacks use a fileless Trojan named Kovter that initially started out as ransomware but has since also evolved to carry out a number of different attacks, including click-fraud schemes that steal information and beam them back to command and control servers. According to 2017 research from TrendMicro, clicking on attachments from macro-based malicious spam -- usually in the form of Microsoft Office files -- is among the most common ways users are infected by this malware.
Finally, malware called XMRig that uses an infected device's computing power to mine Monero cryptocurrency was also highlighted as a common attack.
According to a CISA official, the data pulled from EINSTEIN does include instances where federal devices or systems were infected.
"Malware detection signatures vary in what they are looking for and range from detecting outbound activity, meaning malware contained on an agency device is being detected beaconing back to the threat actor, to other signatures that detect traffic before it makes its way to the targeted device," a spokesperson for the agency said via email. "When we become aware of an agency affected by malware, regardless of the type, we notify that agency and provide mitigation support."
Cryptocurrency malware "is prevalent in all networks, whether public or private" the spokesperson said, and CISA works with network defenders on a regular basis to better understand and manage the risk.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.