UPDATED 22:15 EDT / SEPTEMBER 24 2020


DHS discloses data breach of US agency but doesn’t name which was hacked

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency today issued an analysis report on a U.S. federal agency that suffered a data breach after being hacked.

CISA didn’t name the federal agency targeted, but the report makes for sober reading: it lays out, step by step, the basic cybersecurity measures the unnamed agency had not taken that could have prevented the attack.

The attack, detected by EINSTEIN, CISA’s intrusion detection system, involved a malicious actor using compromised credentials to install “sophisticated” malware that evaded the affected agency’s anti-malware protection. Once through the door, the malware maintained persistent access through two reverse SOCKS (Socket Secure) proxies that exploited weaknesses in the agency’s firewall.

Those behind the attack gained access to the unnamed U.S. government agency by compromising an Office 365 account. More interesting still, CISA believes the attacker may have obtained those credentials from an unpatched agency virtual private network server by exploiting a known vulnerability in Pulse Secure, CVE-2019-11510.

The attacker stole various types of data as well as modifying settings on the server to which they gained access. “The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” CISA said.
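The reverse SOCKS proxies described above are a persistence pattern a defender can look for in firewall or flow logs: an internal host that keeps a long-lived outbound session open to an external address, on a port where long sessions are unusual, and re-establishes it when it drops. The script below is an added example, not code from CISA or the report; the JSON connection-log format, the sample records, the internal address ranges and the thresholds are all constructed assumptions for illustration.

```python
"""Flag long-lived outbound connections that resemble reverse-proxy tunnels.

Added example. The one-JSON-object-per-line connection log, the sample
records, the internal ranges and the thresholds are assumptions made up
for this illustration, not the format or values from the CISA report.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: src, dst, dport, duration (seconds), bytes_out.
# Host 10.20.5.40 holds a day-long session to an external host on 8080 and
# re-establishes it; the other records are ordinary traffic.
SAMPLE_LOG = """\
{"src": "10.20.5.17", "dst": "10.20.5.9", "dport": 445, "duration": 12, "bytes_out": 8000}
{"src": "10.20.5.17", "dst": "198.51.100.23", "dport": 443, "duration": 3, "bytes_out": 2100}
{"src": "10.20.5.40", "dst": "203.0.113.8", "dport": 8080, "duration": 86400, "bytes_out": 52000000}
{"src": "10.20.5.40", "dst": "203.0.113.8", "dport": 8080, "duration": 84000, "bytes_out": 44000000}
{"src": "10.20.5.41", "dst": "203.0.113.9", "dport": 443, "duration": 7200, "bytes_out": 3000000}
"""

# Assumed internal address space; a real deployment would load its own list.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
LONG_LIVED_SECONDS = 4 * 3600   # sessions at least this long are worth a look
EXPECTED_PORTS = {80, 443}      # long sessions here are less unusual
MIN_REPEATS = 2                 # same (src, dst, dport) seen again = re-established


def parse_log(text):
    """Parse the line-delimited JSON log into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspect_tunnels(records):
    """Group outbound sessions by (src, dst, dport) and flag long-lived ones.

    Returns a list of findings, largest outbound volume first; each carries
    the reasons so an analyst can triage rather than trust a single score.
    """
    groups = defaultdict(list)
    for r in records:
        if not is_external(r["dst"]):
            continue  # internal-to-internal traffic is out of scope here
        groups[(r["src"], r["dst"], r["dport"])].append(r)

    findings = []
    for (src, dst, dport), sessions in groups.items():
        longest = max(s["duration"] for s in sessions)
        if longest < LONG_LIVED_SECONDS:
            continue
        reasons = [f"longest session {longest}s"]
        if dport not in EXPECTED_PORTS:
            reasons.append(f"non-standard port {dport}")
        if len(sessions) >= MIN_REPEATS:
            reasons.append(f"re-established {len(sessions)} times")
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "sessions": len(sessions),
            "bytes_out": sum(s["bytes_out"] for s in sessions),
            "reasons": reasons,
        })
    return sorted(findings, key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    for f in find_suspect_tunnels(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} "
              f"({f['bytes_out']} bytes out): {'; '.join(f['reasons'])}")
```

Run against the constructed log, only the 10.20.5.40 to 203.0.113.8:8080 pair is reported, with all three reasons attached. The two-hour HTTPS session from 10.20.5.41 stays below the threshold, which is the point of carrying the reasons along: the thresholds are tuning knobs, and an analyst can see which one fired.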

That CISA did not name the agency is of concern in and of itself, given that there could be U.S. national security concerns involved. It could have involved a nation-state sponsored hacker stealing U.S. secrets or alternatively it could have involved the U.S. Department of Agriculture and the hacker stole data on cornfield yields in Oklahoma.

The news that an unnamed U.S. federal agency has suffered a cyberattack came after the DHS finally admitted Wednesday, albeit via an investigation, that photos that were part of a facial recognition pilot program were hacked from a Customs and Border Protection subcontractor.

News of the hack was first reported in June 2019 and involved Perceptics, a maker of license-plate reader hardware and software used by CBP. The data stolen included pictures of vehicles and pictures of people crossing borders, along with internal data from Perceptics such as internal emails and databases, documentation and client details, blueprints and backups.

The disclosure came via a report published Sept. 21 by the U.S. Office of the Inspector General, DHS, a “review of CBP’s major cybersecurity incident during a 2019 biometric pilot.”
