Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

DHS Shares Data on Top Cyber Threats to Federal Agencies

Backdoors, cryptominers, and ransomware were the most widely detected threats by the DHS Cybersecurity and Infrastructure Security Agency (CISA)'s intrusion prevention system EINSTEIN.

The US federal government's civilian agencies see many of the same attacks as the private sector, fending off ransomware, cryptominers, and backdoors, according to the an alert published this week by the US Department of Homeland Security's main cybersecurity agency.

In the June 30 alert, the Cybersecurity and Infrastructure Agency (CISA) warned that three threats constituted more than 90% of the active signatures detected by the government's intrusion prevention system known as EINSTEIN. The three threats are the NetSupport Manager RAT, the Kovter Trojan, and the XMRig cryptominer. While DHS CISA did not discuss the impact that the threats have had on government agencies, the agency did provide Snort signatures for other security analysts to use.  

The release shows the US government may start sharing more information with the private sector on cyberattacks, says Johannes Ullrich, dean of research for the SANS Technology Institute, a professional cybersecurity education organization.

"It is nice that they share, and it's interesting, but not surprising that they are seeing what everyone else is seeing: A backdoor, a cryptominer, and ransomware," he says. "For me as a researcher, it's good to know that they are seeing the same things we are."

The usefulness of the data, however, is somewhat dampened by the fact that the information is from the month of May and at least 30 days old. In addition, defenders increasingly rely on behavior-recognition technologies and not pattern-matching to detect threats, Ullrich says.

"This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats," the CISA stated in its advisory

The EINSTEIN Program is the DHS's baseline cybersecurity capability that detects and blocks attacks on civilian federal agencies. First deployed in 2003, the system is in its third iteration, which was originally envisioned to incorporate classified cyberattack signatures into its defenses but has transitioned to using commercial cybersecurity services. In addition, the DHS continues to reduce the number of access points used by government agencies to increase the visibility of its centralized cybersecurity force. 

"The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian departments and agencies," CISA stated. "By collecting information from participating federal departments and agencies, CISA builds and enhances our Nation’s cyber-related situational awareness."

One of the three threats - the NetSupport Manager Remote Access Tool - uses legitimate administration software to infect systems and allow them to be remotely controlled by the attacks. 

"In a malicious context, it can — among many other functions — be used to steal information," CISA stated. "Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications."

A second threat, Kovter, is a fileless attack tool that is often used for click fraud, but also as a downloader for ransomware, according to recent analyses of the malware. In 2013, the malware started as scareware, waiting for the user to do something embarrassing, and then inserting a popup of a fake police notice. The program ranked No. 5 on the Center for Internet Security's Top-10 list of malware in April.

XMRig, a program for mining Monero cryptocurrency, is the third program. While the program focuses on consuming processing power for its computations, XMRig can also lead to overheating hardware and poor performance for business-critical applications. 

Any company that finds XMRig should worry about other malware on their network as well, Ullrich says. The recently discovered Lucifer malware, for example, installs XMRig as part of compromising a system.

"If you are seeing a cryptominer, then it is indicative that you have at least one system with a wide-open vulnerability," he says.

Related Content



Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/14/2020 | 5:03:36 PM
Re: hmmm
A backdoor, a cryptominer, and ransomware," he says.

Hmm, interesting, we were the ones who created ransomware and deployed it to other countries but it was not designed to be used for monetary purposes, it was called cryptoviral extortion. So let's be clear, we invented it - the question you have to ask yourself -  if it was created at Columbia University, how did it happen to appear from other nation-states radar and how is it that other countries are attacking us using our own software program. They reversed engineered it and sent it back to us. This also happened with Stuxnet and NitroZeus. 

But the conversation was not only just based on that, it also covered numerous programs that were getting out of hand, managed by people who got sloppy drunk over their power broker decisions. It never fails, General Alexander, Clapper, and now DHS's power-hungry leader. The funny thing is that they (Congress) tried to denounce Clapper and Alexander's decision but they were the one's who authorized it, basically to deploy and initiate cyber-warfare on nation-states (some of which were even our allies - France and England - they found us spying on prime-minister's cell phone and Video conferencing sessions, we found a way to hack their session, those video conferencing sessions were held on US soil - NY/US).
  • The concept of file-encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. It is called cryptoviral extortion and it was inspired by the fictional face-hugger in the movie Alien.

It is funny how we act like the victim when we are the one's causing the problems, another instance of "chickens coming home to roost", for some reason, this sounds familiar.

User Rank: Apprentice
7/21/2020 | 7:45:11 PM
So no mentions on cryptocurrencies?
User Rank: Ninja
7/16/2020 | 6:46:17 PM
Interested info about Einstein
Sounds good, but what they did not tell you is that there are different versions of Einstein I and II, I think there are more. This SIEM project was really part of the Prism program because of the egregious violations against US citizens. It was also part of the two other programs Trailblazer (failure after spending billions of dollars and Thin Thread created by William "Bill" Binney" who was the architect who would have caught the 911 bombing if they would have allowed him - 28 years at NSA as the leading technical director, actually they arrested him at gunpoint in his own house when he identified and brought the information to their attention).

It is interesting to see that they are sharing after years of asking for this (its about damn time - Labraun James). I am glad the regime has retired/gone and a new group of leaders is taking up the mantle with new ideas (i.e. Clapper and General Alexander https://www.cnet.com/news/nsa-surveillance-programs-prism-upstream-live-on-snowden/)

Anyway, thank you for sharing.

FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-06
Primary Source Verification in VerityStream MSOW Solutions before 3.1.1 allows an anonymous internet user to discover Social Security Number (SSN) values via a brute-force attack on a (sometimes hidden) search field, because the last four SSN digits are part of the supported combination of search se...
PUBLISHED: 2021-05-06
Persistent Cross-site scripting vulnerability on Fork CMS version 5.8.2 allows remote attackers to inject arbitrary Javascript code via the "navigation_title" parameter and the "title" parameter in /private/en/pages/add.
PUBLISHED: 2021-05-06
Cross-site request forgery (CSRF) in Fork-CMS before 5.8.2 allow remote attackers to hijack the authentication of logged administrators.
PUBLISHED: 2021-05-06
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the...
PUBLISHED: 2021-05-06
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gai...