The Cybersecurity and Infrastructure Security Agency (CISA) has found that a cyber threat actor exploited compromised credentials to implant a multistage malware and launch a cyber attack on a federal agency’s network.
An analysis report published on Thursday stated that CISA carried out an incident response engagement after it detected, through its EINSTEIN intrusion detection system, a malicious actor that had compromised the agency's enterprise network.
The hacker secured persistent access using two reverse Socket Secure (SOCKS) proxies that exploited vulnerabilities in the agency's firewall, according to the report.
The threat actor created a local account to collect data, browse directories on a victim file server and exfiltrate data from a file server directory and account directory.
CISA has recommended that agencies monitor network traffic for unusual open ports, large outbound file transfers and other suspicious activity, deploy an enterprise firewall and block unused ports, among other measures.
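To make the two monitoring recommendations concrete, here is an added example (not code from CISA or from the report) that scans constructed flow records for outbound connections to ports outside an allowlist and for large aggregate outbound transfers between one internal host and one external peer. The sample addresses, byte counts, the allowlist and the 1 GB threshold are all assumptions for illustration; real thresholds should be tuned to the network's baseline.

```python
"""
Added example: a minimal detector for the two traffic patterns the article's
recommendations target. Flow records are constructed; nothing here comes from
the incident report.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records: (src, dst, dst_port, bytes_out).
# Addresses and sizes are made up for illustration.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 120_000),
    ("10.0.0.5", "203.0.113.10", 443, 95_000),
    ("10.0.0.7", "198.51.100.20", 8443, 5_000),          # port not on allowlist
    ("10.0.0.9", "198.51.100.30", 443, 900_000_000),     # large transfer, part 1
    ("10.0.0.9", "198.51.100.30", 443, 700_000_000),     # large transfer, part 2
    ("10.0.0.11", "192.0.2.40", 1080, 4_000),            # 1080 is the default SOCKS port
]

# Assumed policy: only these destination ports are expected outbound.
ALLOWED_PORTS = {53, 80, 443}
# Assumed threshold: flag a (src, dst) pair once its outbound total reaches 1 GB.
LARGE_TRANSFER_BYTES = 1_000_000_000


@dataclass(frozen=True)
class Alert:
    kind: str
    src: str
    dst: str
    detail: str


def find_unusual_ports(flows, allowed=ALLOWED_PORTS):
    """One alert per flow whose destination port is outside the allowlist."""
    return [
        Alert("unusual_port", src, dst, f"dst_port={port}")
        for src, dst, port, _ in flows
        if port not in allowed
    ]


def find_large_outbound(flows, threshold=LARGE_TRANSFER_BYTES):
    """Aggregate bytes per (src, dst) pair and alert when the total meets the threshold."""
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        totals[(src, dst)] += nbytes
    return [
        Alert("large_outbound", src, dst, f"bytes={total}")
        for (src, dst), total in totals.items()
        if total >= threshold
    ]


def analyze(flows):
    """Run both checks and return the combined alert list."""
    return find_unusual_ports(flows) + find_large_outbound(flows)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

Aggregating per source/destination pair, rather than alerting on single flows, is what catches a transfer split into several sessions; the allowlist check is deliberately simple and would normally be fed from the firewall's permitted-port policy so the two stay in sync.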