DHS Shares Data on Top Cyber Threats to Federal Agencies

Backdoors, cryptominers, and ransomware were the most widely detected threats by the DHS Cybersecurity and Infrastructure Security Agency (CISA)'s intrusion prevention system EINSTEIN.

4 Min Read

The US federal government's civilian agencies see many of the same attacks as the private sector, fending off ransomware, cryptominers, and backdoors, according to the an alert published this week by the US Department of Homeland Security's main cybersecurity agency.

In the June 30 alert, the Cybersecurity and Infrastructure Agency (CISA) warned that three threats constituted more than 90% of the active signatures detected by the government's intrusion prevention system known as EINSTEIN. The three threats are the NetSupport Manager RAT, the Kovter Trojan, and the XMRig cryptominer. While DHS CISA did not discuss the impact that the threats have had on government agencies, the agency did provide Snort signatures for other security analysts to use.  

The release shows the US government may start sharing more information with the private sector on cyberattacks, says Johannes Ullrich, dean of research for the SANS Technology Institute, a professional cybersecurity education organization.

"It is nice that they share, and it's interesting, but not surprising that they are seeing what everyone else is seeing: A backdoor, a cryptominer, and ransomware," he says. "For me as a researcher, it's good to know that they are seeing the same things we are."

The usefulness of the data, however, is somewhat dampened by the fact that the information is from the month of May and at least 30 days old. In addition, defenders increasingly rely on behavior-recognition technologies and not pattern-matching to detect threats, Ullrich says.

"This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats," the CISA stated in its advisory

The EINSTEIN Program is the DHS's baseline cybersecurity capability that detects and blocks attacks on civilian federal agencies. First deployed in 2003, the system is in its third iteration, which was originally envisioned to incorporate classified cyberattack signatures into its defenses but has transitioned to using commercial cybersecurity services. In addition, the DHS continues to reduce the number of access points used by government agencies to increase the visibility of its centralized cybersecurity force. 

"The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian departments and agencies," CISA stated. "By collecting information from participating federal departments and agencies, CISA builds and enhances our Nation’s cyber-related situational awareness."

One of the three threats - the NetSupport Manager Remote Access Tool - uses legitimate administration software to infect systems and allow them to be remotely controlled by the attacks. 

"In a malicious context, it can — among many other functions — be used to steal information," CISA stated. "Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications."

A second threat, Kovter, is a fileless attack tool that is often used for click fraud, but also as a downloader for ransomware, according to recent analyses of the malware. In 2013, the malware started as scareware, waiting for the user to do something embarrassing, and then inserting a popup of a fake police notice. The program ranked No. 5 on the Center for Internet Security's Top-10 list of malware in April.

XMRig, a program for mining Monero cryptocurrency, is the third program. While the program focuses on consuming processing power for its computations, XMRig can also lead to overheating hardware and poor performance for business-critical applications. 

Any company that finds XMRig should worry about other malware on their network as well, Ullrich says. The recently discovered Lucifer malware, for example, installs XMRig as part of compromising a system.

"If you are seeing a cryptominer, then it is indicative that you have at least one system with a wide-open vulnerability," he says.

Related Content



About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights