CISA's hit parade of malware aimed at federal agencies

Remote Access Tool exploitation, fileless Trojan malware and cryptocurrency mining software accounted for 90 percent of the observed threat activity against civilian federal systems and networks in May, according to insights pulled from the Department of Homeland Security's Intrusion Detection System.

The system -- also referred to as EINSTEIN -- is run out of the Cybersecurity and Infrastructure Security Agency and is designed to record and analyze network traffic flowing to and from federal agencies in order to identify and mitigate cybersecurity threats.

According to a June 30 CISA post looking at trend data for the month of May, nearly all the network intrusion signatures picked up by the system fall into one of three groups.

The first is actually a legitimate software program – NetSupport's Manager Remote Access Tool – used to give system administrators remote access to employee devices. However, it can also be used in phishing schemes to trick users into downloading the tool, giving malicious actors unauthorized access to their machines. In May, Microsoft's Security Intelligence wing warned the public about a massive phishing campaign that utilized emails leveraging interest in the COVID-19 pandemic and spoofing organizations like the Johns Hopkins Center to entice users to click on links that would install the NetSupport RAT on their computers. Other companies like Palo Alto and Zscaler have identified similar campaigns.

The second most popular attacks use a fileless Trojan named Kovter that initially started out as ransomware but has since also evolved to carry out a number of different attacks, including click-fraud schemes that steal information and beam them back to command and control servers. According to 2017 research from TrendMicro, clicking on attachments from Macro-based malicious spam – usually in the form of Microsoft Office files – is among the most common ways users are infected by this malware.

Finally, malware called XMRig that uses an infected device's computing power to mine Monero cryptocurrency was also highlighted as a common attack.

According to a CISA official, the data pulled from EINSTEIN does include instances where federal devices or systems were infected.

"Malware detection signatures vary in what they are looking for and range from detecting outbound activity, meaning malware contained on an agency device is being detected beaconing back to the threat actor, to other signatures that detect traffic before it makes its way to the targeted device," a spokesperson for the agency told FCW through email. "When we become aware of an agency affected by malware, regardless of the type, we notify that agency and provide mitigation support."

Cryptocurrency malware "is prevalent in all networks, whether public or private" the spokesperson said, and CISA works with network defenders on a regular basis to better understand and manage the risk.