The U.S. Cybersecurity Infrastructure and Security Agency discovered a potential cyberattack on the U.S. Federal network, in which attackers have taken control of the organization's DC and used cryptominers and credential harvesters.
The attack, according to CISA, was started by hackers supported by the Iranian government who installed the XMRig crypto mining software, moved laterally to the domain controller (DC), stole passwords, and then placed Ngrok reverse proxies on a number of sites to ensure persistence.
With the aid of EINSTEIN, an intrusion detection system deployed across the FCEB, CISA conducts a routine investigation and suspected harmful APT activity on the FCEB network (IDS).
Source: https://cybersecuritynews.com/u-s-federal-network-hacked/
TPRM report: https://scoringcyber.rankiteo.com/company/united-states-federal-government
"id": "uni1045221122",
"linkid": "united-states-federal-government",
"type": "Cyber Attack",
"date": "11/2022",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Public Administration',
'location': 'United States',
'name': 'U.S. Federal Network',
'type': 'Government'}],
'attack_vector': ['Cryptominers', 'Credential Harvesters'],
'description': 'The U.S. Cybersecurity Infrastructure and Security Agency '
'(CISA) discovered a potential cyberattack on the U.S. Federal '
'network, in which attackers have taken control of the '
"organization's DC and used cryptominers and credential "
'harvesters.',
'impact': {'systems_affected': ['Domain Controller (DC)']},
'initial_access_broker': {'backdoors_established': ['Ngrok reverse proxies']},
'motivation': ['Cryptocurrency mining', 'Credential theft'],
'references': [{'source': 'CISA'}],
'threat_actor': 'Iranian government-supported hackers',
'title': 'U.S. Federal Network Cyberattack',
'type': 'Cyberattack'}