2. Information Technology Cyber Security https://media.defense.gov/2020/Sep/17/2002499615/-1/-1/0/COMPROMISED_PERSONAL_NETWORK_INDICATORS_AND_MITIGATIONS_20200914_FINAL.PDF.pdf

### Key Notes and Takeaways

Network Based Attacks

Indicators of Compromise

  1. Compromised Router:

    • Router Password Changes: Unauthorized changes to router login credentials.
    • Modified Connectivity: Router status shows a different SSID or foreign devices on the network.
  2. Browser Redirects:

    • Users are redirected to unintended websites, especially banking sites.
  3. Malware (e.g., Spyware, Adware, Rootkits):

    • Devices Functioning Without User Input: Mouse cursors moving on their own, or webcams and microphones activating without user control.
    • False Anti-Virus Alerts: Misleading security notifications appearing on device screens.
    • Unexpected Hardware Displays: Indicators like camera lights turning on without user interaction.
    • Inactivity Faults: Devices being warm after extended periods of inactivity.
  4. Ransomware:

    • Ransomware Messages: Messages demanding a ransom to unlock the device or access files.
    • Unexpected File Encryption: Files or folders becoming encrypted without user action.
  5. Compromised Account:

    • Sharing Exposure: Unexpected connections in collaborative or teleconference applications.
    • Unexpected Login Notifications: Notifications of new device logins.
    • Unintended Sent Messages: Messages or invitations sent without user action.
    • Unusual Displays: Password change prompts that look different from usual prompts.
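The "foreign devices on the network" indicator under Compromised Router is one of the few items above that can be checked mechanically: record the hardware (MAC) addresses of the household's devices while the network is believed clean, then compare later snapshots of the neighbor table against that baseline. The script below is an added example written for this summary, not code from the NSA document. It assumes the line formats of `arp -a` (Linux, macOS, Windows) and `ip neigh`, and all addresses in it are constructed.

```python
import re
from typing import Dict, List, Tuple

# An IPv4 address and a MAC address written as aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

# Addresses that never identify a real host on the LAN: broadcast, the unset address,
# and the IPv4 multicast range (01:00:5e:xx:xx:xx), all of which appear in normal ARP tables.
IGNORED_MACS = {"ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"}
MULTICAST_PREFIX = "01:00:5e"


def normalize_mac(mac: str) -> str:
    """Lower-case and use ':' separators so Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")


def parse_neighbor_table(text: str) -> Dict[str, str]:
    """Return {mac: ip} for every line that carries both an IPv4 and a MAC address.

    Handles the output of `arp -a` (Linux, macOS, Windows) and `ip neigh`;
    lines without a MAC (e.g. `ip neigh` entries in FAILED state) are skipped.
    """
    hosts: Dict[str, str] = {}
    for line in text.splitlines():
        ip_match = IPV4_RE.search(line)
        mac_match = MAC_RE.search(line)
        if not ip_match or not mac_match:
            continue
        mac = normalize_mac(mac_match.group(1))
        if mac in IGNORED_MACS or mac.startswith(MULTICAST_PREFIX):
            continue
        hosts[mac] = ip_match.group(1)
    return hosts


def find_unknown_devices(text: str, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (mac, ip) pairs seen in the table whose MAC is not in the trusted baseline."""
    baseline_macs = {normalize_mac(m) for m in baseline}
    seen = parse_neighbor_table(text)
    return sorted((mac, ip) for mac, ip in seen.items() if mac not in baseline_macs)


# Constructed sample baseline: what a household would record while the network is
# believed clean, keyed by MAC with a human-readable label. These MACs are made up.
KNOWN_DEVICES = {
    "3c:84:6a:11:22:33": "home router",
    "5C-F3-70-AA-BB-CC": "family laptop",
}

# Constructed `arp -a` output (Linux style) captured later; the .37 host is not in the baseline.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 3c:84:6a:11:22:33 [ether] on wlan0
? (192.168.1.20) at 5c:f3:70:aa:bb:cc [ether] on wlan0
? (192.168.1.37) at de:ad:be:ef:00:42 [ether] on wlan0
? (192.168.1.255) at ff:ff:ff:ff:ff:ff [ether] on wlan0
"""


if __name__ == "__main__":
    unknown = find_unknown_devices(SAMPLE_ARP_OUTPUT, KNOWN_DEVICES)
    if unknown:
        print("Devices on the network that are NOT in the trusted baseline:")
        for mac, ip in unknown:
            print(f"  {ip:<15} {mac}")
    else:
        print("All observed devices match the trusted baseline.")
```

Two caveats for anyone using this in practice: a host's ARP cache only lists devices it has recently exchanged traffic with, so the router's own DHCP client list is the more complete inventory to compare against the baseline; and modern phones randomize their Wi-Fi MAC per network by default, so a "new" address may be a known phone after a reset or a "forget network" action, which is a reason to re-record the baseline right after the mitigation steps in this summary rather than keep an old one.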

Mitigation Practices

  1. For Compromised Router:

    • Reboot the router, disable remote administration, reset to factory settings, update firmware, and change all passwords.
  2. For Malware:

    • Disconnect compromised devices, change passwords using a trusted device, run antivirus scans, remove malware, and restore devices to a known good state.
  3. For Ransomware:

    • Do not pay the ransom, disconnect compromised devices, run antivirus scans, remove malware, reset devices to factory settings, and change all passwords.
  4. For Compromised Accounts:

    • Change all passwords, enable multi-factor authentication, remove social media accounts if necessary, and warn contacts about potential phishing attempts.

Aggressive Eradication

  1. Disconnect All Devices: Disconnect all devices from the network and perform factory resets on all network devices.
  2. Factory Reset Devices: Factory reset all mobile devices, desktops, and laptops, and restore using original operating system media.
  3. Change Passwords: Change passwords for all accounts, including email, social media, and banking, and require new sign-ins from all linked devices.

Expert Support

  • Seek forensic expert support if uncomfortable performing mitigations or if suspicious activity continues after mitigation steps.

Safeguard Personal Networks