CISA Says Threat Actor Breached Federal Agency's Network
A threat actor compromised the network of a federal agency, set up a reverse proxy and installed malware, the Cybersecurity and Infrastructure Security Agency (CISA) reported on Thursday.
Following initial access, the threat actor started gathering information of interest from email accounts, enumerated the Active Directory and Group Policy key, modified a registry key for the Group Policy, and enumerated compromised systems.
The threat actor also created a local account to browse directories on a file server, copy a file to the locally mounted remote share, interact with other files on users' home directories, create a reverse SMB SOCKS proxy, interact with a PowerShell module, steal data from an account directory and file server directory, and create ZIP archives containing files and directories.
To overcome the agency's anti-malware protection, the threat actor accessed the "Anti-malware product's software license key and installation guide and then visited a directory used by the product for temporary file analysis," after which they were able to run their malware executable.
CISA, which has provided indicators of compromise associated with the attack, recommends that all federal agencies monitor network traffic to identify unusual activity such as unusual open ports, large outbound files, and unexpected and unapproved protocols.
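One way to put that recommendation into practice, as an added example that is not part of the CISA report or this article: a small Python script that scans flow records for the three patterns named above (an internal-only protocol such as SMB leaving the network, egress on a port outside an approved list, and an unusually large outbound transfer). The record format, the sample flows, the port lists and the size threshold are all assumptions constructed for the example.

```python
import ipaddress

# Constructed sample flow records in an assumed "src,dst,dport,proto,bytes_out"
# format; these are not indicators from the CISA report.
SAMPLE_FLOWS = [
    "10.1.2.15,10.1.2.5,445,tcp,20480",          # internal SMB: normal
    "10.1.2.15,203.0.113.10,443,tcp,51200",      # ordinary HTTPS egress
    "10.1.2.15,203.0.113.10,445,tcp,4096",       # SMB leaving the network
    "10.1.2.15,198.51.100.7,443,tcp,734003200",  # roughly 700 MB outbound
    "10.1.2.20,203.0.113.10,8443,tcp,1024",      # port not on the approved list
]

# Policy values assumed for this example, not thresholds from CISA.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_EGRESS_PORTS = {53, 80, 443}
INTERNAL_ONLY_PORTS = {139, 389, 445, 3389}   # SMB, LDAP, RDP should never egress
LARGE_EGRESS_BYTES = 100 * 1024 * 1024


def parse_flow(line):
    """Split one flow record into its fields."""
    src, dst, dport, proto, nbytes = line.strip().split(",")
    return {"src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def is_internal(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_anomalies(lines):
    """Return (src, dst, dport, reason) for every egress flow matching the guidance."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if is_internal(f["dst"]):
            continue  # only traffic leaving the network is assessed here
        key = (f["src"], f["dst"], f["dport"])
        if f["dport"] in INTERNAL_ONLY_PORTS:
            findings.append(key + ("internal-only protocol leaving the network",))
        elif f["dport"] not in APPROVED_EGRESS_PORTS:
            findings.append(key + ("unapproved egress port",))
        if f["bytes"] >= LARGE_EGRESS_BYTES:
            findings.append(key + ("large outbound transfer",))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reason in find_anomalies(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

Feed it real flow or firewall exports in the same shape and tune the port lists to the agency's actual egress policy; the interesting cases are the ones the baseline does not already explain.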