
DHS Shares Data on Top Cyber Threats to Federal Agencies

Backdoors, cryptominers, and ransomware were the most widely detected threats by the DHS Cybersecurity and Infrastructure Security Agency (CISA)'s intrusion prevention system EINSTEIN.

The US federal government's civilian agencies see many of the same attacks as the private sector, fending off ransomware, cryptominers, and backdoors, according to an alert published this week by the US Department of Homeland Security's main cybersecurity agency.

In the June 30 alert, the Cybersecurity and Infrastructure Agency (CISA) warned that three threats constituted more than 90% of the active signatures detected by the government's intrusion prevention system known as EINSTEIN. The three threats are the NetSupport Manager RAT, the Kovter Trojan, and the XMRig cryptominer. While DHS CISA did not discuss the impact that the threats have had on government agencies, the agency did provide Snort signatures for other security analysts to use.  

The release shows the US government may start sharing more information with the private sector on cyberattacks, says Johannes Ullrich, dean of research for the SANS Technology Institute, a professional cybersecurity education organization.

"It is nice that they share, and it's interesting, but not surprising that they are seeing what everyone else is seeing: A backdoor, a cryptominer, and ransomware," he says. "For me as a researcher, it's good to know that they are seeing the same things we are."

The usefulness of the data, however, is somewhat dampened by the fact that the information is from the month of May and at least 30 days old. In addition, defenders increasingly rely on behavior-recognition technologies and not pattern-matching to detect threats, Ullrich says.

"This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats," the CISA stated in its advisory.

The EINSTEIN Program is the DHS's baseline cybersecurity capability that detects and blocks attacks on civilian federal agencies. First deployed in 2003, the system is in its third iteration, which was originally envisioned to incorporate classified cyberattack signatures into its defenses but has transitioned to using commercial cybersecurity services. In addition, the DHS continues to reduce the number of access points used by government agencies to increase the visibility of its centralized cybersecurity force. 

"The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian departments and agencies," CISA stated. "By collecting information from participating federal departments and agencies, CISA builds and enhances our Nation’s cyber-related situational awareness."

One of the three threats, the NetSupport Manager Remote Access Tool, uses legitimate administration software to infect systems and allow them to be remotely controlled by the attackers.

"In a malicious context, it can — among many other functions — be used to steal information," CISA stated. "Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications."

A second threat, Kovter, is a fileless attack tool that is often used for click fraud, but also as a downloader for ransomware, according to recent analyses of the malware. In 2013, the malware started as scareware, waiting for the user to do something embarrassing, and then inserting a popup of a fake police notice. The program ranked No. 5 on the Center for Internet Security's Top-10 list of malware in April.

XMRig, a program for mining Monero cryptocurrency, is the third program. While the program focuses on consuming processing power for its computations, XMRig can also lead to overheating hardware and poor performance for business-critical applications. 

Any company that finds XMRig should worry about other malware on their network as well, Ullrich says. The recently discovered Lucifer malware, for example, installs XMRig as part of compromising a system.

"If you are seeing a cryptominer, then it is indicative that you have at least one system with a wide-open vulnerability," he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 

Comments
tdsan
User Rank: Ninja
9/14/2020 | 5:03:36 PM
Re: hmmm
"A backdoor, a cryptominer, and ransomware," he says.

Hmm, interesting, we were the ones who created ransomware and deployed it to other countries but it was not designed to be used for monetary purposes, it was called cryptoviral extortion. So let's be clear, we invented it - the question you have to ask yourself - if it was created at Columbia University, how did it happen to appear from other nation-states' radar and how is it that other countries are attacking us using our own software program. They reverse engineered it and sent it back to us. This also happened with Stuxnet and NitroZeus.

But the conversation was not only just based on that, it also covered numerous programs that were getting out of hand, managed by people who got sloppy drunk over their power broker decisions. It never fails, General Alexander, Clapper, and now DHS's power-hungry leader. The funny thing is that they (Congress) tried to denounce Clapper and Alexander's decision but they were the ones who authorized it, basically to deploy and initiate cyber-warfare on nation-states (some of which were even our allies - France and England - they found us spying on prime-minister's cell phone and video conferencing sessions, we found a way to hack their session, those video conferencing sessions were held on US soil - NY/US).
  • The concept of file-encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. It is called cryptoviral extortion and it was inspired by the fictional face-hugger in the movie Alien.

It is funny how we act like the victim when we are the ones causing the problems, another instance of "chickens coming home to roost", for some reason, this sounds familiar.

T
susanarose
User Rank: Apprentice
8/17/2020 | 12:14:36 PM
Re: hmmm
Apparently, no. 
mitchellwekey
User Rank: Apprentice
7/21/2020 | 7:45:11 PM
hmmm
So no mentions on cryptocurrencies?
tdsan
User Rank: Ninja
7/16/2020 | 6:46:17 PM
Interested info about Einstein
Sounds good, but what they did not tell you is that there are different versions of Einstein I and II, I think there are more. This SIEM project was really part of the Prism program because of the egregious violations against US citizens. It was also part of the two other programs Trailblazer (failure after spending billions of dollars) and Thin Thread created by William "Bill" Binney who was the architect who would have caught the 911 bombing if they would have allowed him - 28 years at NSA as the leading technical director, actually they arrested him at gunpoint in his own house when he identified and brought the information to their attention.

It is interesting to see that they are sharing after years of asking for this (it's about damn time - Labraun James). I am glad the regime has retired/gone and a new group of leaders is taking up the mantle with new ideas (i.e. Clapper and General Alexander https://www.cnet.com/news/nsa-surveillance-programs-prism-upstream-live-on-snowden/).

Anyway, thank you for sharing.

Todd