An unnamed threat actor launched a multi-stage cyber attack on an unnamed federal agency’s enterprise network by leveraging confidential credentials, exploiting a known vulnerability, planting malware and taking advantage of a poorly configured firewall, the Department of Homeland Security’s cyber wing said in an incident response report.
The Cybersecurity and Infrastructure Security Agency’s (CISA) recounting is unusual in that it offers a schematic of the hacker’s movements and tactics yet stops short of providing the date of the event, or clues to the intruder’s identity (a lone bad actor or nation state-backed hackers?), location and associated industry. It also does not provide any information as to whether the perpetrator(s) have been apprehended.
CISA officials said the agency’s intrusion detection system for monitoring federal civilian networks raised red flags of a potential infiltration, “confirming malicious activity.” The subsequent report, entitled Federal Agency Compromised by Malicious Cyber Actor, is a detailed use case of the fallout that can occur from an agency’s inadequate, or possibly neglected, cyber hygiene profile.
Here’s what happened, step by step:
CISA recommended actions agencies can take to protect against the activity described in the report, including the following:
Deploy an enterprise firewall to control what is allowed in and out of their network. If the organization chooses not to deploy an enterprise firewall, work with their internet service provider to ensure their firewall is configured properly.
Survey traffic in and out of their enterprise to determine the ports needed for organizational functions. Then configure their firewall to block unnecessary ports. Organizations should develop processes to make control changes to those rules. Of special note, unused SMB, SSH, and FTP ports should be blocked.
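The survey-then-block procedure above, as an added illustration that is not part of the CISA report or this article: constructed flow records are tallied per direction, compared against a change-controlled allowlist, and rendered as a default-deny nftables input chain that explicitly names the unused SMB, SSH and FTP ports. The flow data, the allowlist and the `min_count` threshold are assumptions for the example.

```python
from collections import Counter

# Constructed flow records (direction, proto, dst_port); not data from the report.
SAMPLE_FLOWS = [
    ("in", "tcp", 443), ("in", "tcp", 443), ("in", "tcp", 443),
    ("in", "tcp", 25), ("in", "tcp", 25),
    ("in", "tcp", 3389),                       # seen once: needs review, not auto-approval
    ("out", "tcp", 443), ("out", "udp", 53), ("out", "tcp", 53),
]

# Ports the report singles out for blocking whenever they are not required.
HIGH_RISK = {("tcp", 21): "FTP", ("tcp", 22): "SSH", ("tcp", 139): "SMB", ("tcp", 445): "SMB"}

def survey(flows, min_count=2):
    """Count (proto, port) per direction; ports seen fewer than min_count times are 'rare'."""
    seen = {"in": Counter(), "out": Counter()}
    for direction, proto, port in flows:
        seen[direction][(proto, port)] += 1
    needed = {d: {k for k, n in c.items() if n >= min_count} for d, c in seen.items()}
    rare = {d: {k for k, n in c.items() if n < min_count} for d, c in seen.items()}
    return needed, rare

def policy(flows, approved_in):
    """Inbound policy: allow only ports both observed and approved under change control,
    list observed-but-unapproved ports for review, and name high-risk ports to block."""
    needed, rare = survey(flows)
    allow = sorted(needed["in"] & approved_in)
    review = sorted((needed["in"] | rare["in"]) - approved_in)
    block = sorted(k for k in HIGH_RISK if k not in approved_in)
    return {"allow": allow, "review": review, "block": block}

def nft_rules(pol):
    """Render the policy as an nftables input chain. The chain already drops by default;
    the explicit drops exist so the decision on each high-risk port is visible in audits."""
    lines = ["table inet fw {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    ct state established,related accept"]
    for proto, port in pol["allow"]:
        lines.append(f"    {proto} dport {port} accept")
    for proto, port in pol["block"]:
        lines.append(f'    {proto} dport {port} drop comment "{HIGH_RISK[(proto, port)]} unused"')
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(nft_rules(policy(SAMPLE_FLOWS, {("tcp", 443), ("tcp", 25)})))
```

Ports that land in `review` (here the single RDP flow) go through the change process the report calls for before they are added to the allowlist.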
In addition, CISA recommends these best practices: