The Cybersecurity and Infrastructure Security Agency (CISA) have disclosed a cyber attack on a federal agency. According to CISA, a malware attack targeted the enterprise network of the unnamed federal agency.
Malware Attack On Federal Agency
US CISA has shared a detailed incident response report about a malware attack that targeted a federal agency. While CISA hasn’t disclosed the name of the agency, it did reveal the details of the incident.
Briefly, CISA detected the attack via its intrusion detection system EINSTEIN that “monitors federal civilian networks”.
They found that the attackers succeeded in intrusion as they possessed valid access credentials to Microsoft Office 365 accounts of multiple users and domain admin accounts. Through these valid credentials, they could access the agency’s internal network
It isn’t clear how they managed to get these credentials in the first place. Yet, they suspect the exploitation of a known Pulse Secure VPN vulnerability, CVE-2019-11510, on an unpatched server to be the reason for it.
After achieving the initial access, the attackers then viewed and downloaded email attachments from a compromised account, and performed various activities.
Besides meddling with the system, the attackers also deployed malware on the agency’s network with persistence. They even disabled the anti-malware protection on the system.
How To Prevent Such Incidents?
While elaborating on the cyberattack on the anonymous federal agency, CISA has also shared various recommendations to prevent such incidents.
Some of these measures include,
- Deploying an enterprise firewall
- Blocking unused ports
- Using separate admin accounts on segregated systems
- Employing multi-factor authentication on privileged accounts
- Securing RDP and remote access solutions
- Implementing endpoint protection measures
- Keeping the software up to date
Besides, CISA noted the attack to have happened in a multi-stage process involving several IP addresses and C2. So, they recommend everyone to look up for these as IoC.
Also, they have asked to check for any unusual open ports, large outbound files, and unexpected or unapproved protocols, particularly, outbound to the internet.