DHS Shares Data on Top Cyber Threats to Federal Agencies

Backdoors, cryptominers, and ransomware were the most widely detected threats by the DHS Cybersecurity and Infrastructure Security Agency (CISA)s intrusion prevention system EINSTEIN.

The US federal governments civilian agencies see many of the same attacks as the private sector, fending off ransomware, cryptominers, and backdoors, according to the an alert published this week by the US Department of Homeland Securitys main cybersecurity agency.
In the June 30 alert, the Cybersecurity and Infrastructure Agency (CISA) warned that three threats constituted more than 90% of the active signatures detected by the governments intrusion prevention system known as EINSTEIN. The three threats are the NetSupport Manager RAT, the Kovter Trojan, and the XMRig cryptominer. While DHS CISA did not discuss the impact that the threats have had on government agencies, the agency did provide Snort signatures for other security analysts to use.
The release shows the US government may start sharing more information with the private sector on cyberattacks, says Johannes Ullrich, dean of research for the SANS Technology Institute, a professional cybersecurity education organization.
It is nice that they share, and its interesting, but not surprising that they are seeing what everyone else is seeing: A backdoor, a cryptominer, and ransomware, he says. For me as a researcher, its good to know that they are seeing the same things we are.
The usefulness of the data, however, is somewhat dampened by the fact that the information is from the month of May and at least 30 days old. In addition, defenders increasingly rely on behavior-recognition technologies and not pattern-matching to detect threats, Ullrich says.
This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats, the CISA
stated in its advisory
.
The
EINSTEIN Program
is the DHSs baseline cybersecurity capability that detects and blocks attacks on civilian federal agencies. First deployed in 2003, the system is in its third iteration, which was originally envisioned to incorporate classified cyberattack signatures into its defenses but has transitioned to using commercial cybersecurity services. In addition, the DHS continues to reduce the number of access points used by government agencies to increase the visibility of its centralized cybersecurity force.
The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian departments and agencies, CISA stated. By collecting information from participating federal departments and agencies, CISA builds and enhances our Nation’s cyber-related situational awareness.
One of the three threats - the NetSupport Manager Remote Access Tool - uses legitimate administration software to infect systems and allow them to be remotely controlled by the attacks.
In a malicious context, it can — among many other functions — be used to steal information, CISA stated. Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications.
A second threat, Kovter, is a fileless attack tool that is often used for click fraud, but also as a downloader for ransomware, according to recent analyses of the malware. In 2013, the malware started as scareware, waiting for the user to do something embarrassing, and then inserting a popup of a fake police notice. The program
ranked No. 5 on the Center for Internet Securitys Top-10 list of malware in April
.
XMRig, a program for mining Monero cryptocurrency, is the third program. While the program focuses on consuming processing power for its computations, XMRig can also lead to overheating hardware and poor performance for business-critical applications.
Any company that finds XMRig should worry about other malware on their network as well, Ullrich says. The recently discovered Lucifer malware, for example,
installs XMRig
as part of compromising a system.
If you are seeing a cryptominer, then it is indicative that you have at least one system with a wide-open vulnerability, he says.
Related Content
TA505 Targets HR Departments with Poisoned CVs
Lucifer Malware Aims to Become Broad Platform for Attacks
New Cryptocurrency Mining Malware Has Links to North Korea
New Kovter Trojan Variant Spreading Via Targeted Email Campaign

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
DHS Shares Data on Top Cyber Threats to Federal Agencies