Following major cyberattacks against central government bodies in Brazil, initial investigations have found that malicious actors have used civil servant credentials to access systems.

The finding is among a series of warnings and recommendations issued by the presidency’s Institutional Security Office (GSI). Initially released last Wednesday (December 8) and edited yesterday (December 14), the alert is aimed at security managers across the federal government.

“Some intrusions have occurred using legitimate administrator [credentials],” the document noted, adding this meant attackers didn’t have to perform any actions to access system privileges.

The publication and subsequent editing of GSI’s alert emerge as Brazil’s Ministry of Health (MoH) struggles to re-establish its systems following a major ransomware attack last Friday. Systems such as ConecteSUS, which holds COVID-19 vaccination data and certificates, remain unavailable.

GSI recommended a series of security measures to be adopted by departments in the event of “malicious actions or improper use of credentials”.

As well as notifying the government’s cyberattack prevention and response center, instructions included strengthening the use of multi-factor authentication tools for all cloud system administrators.

The security office also recommended the re-evaluation of backup policies, as well as requesting cloud providers to change master passwords and implement additional security layers to mitigate the risk that malicious actors utilize high-privilege passwords.

Security managers should control metadata access settings in cloud environments, the GSI document noted, and start internal campaigns to get staff to change their passwords for stronger alternatives.

In addition, the document suggests reducing the level of network privileges as a means to limit the number of staff able to make major system changes. Recommendations also include blocking access to systems for public servants away from work for reasons such as vacation.

The Ministry of Health is still working to bring systems back online after a second cyberattack “caused turmoil” at Datasus, the department’s IT function. On Wednesday (December 15), the MoH said in a statement teams were working on re-establishing the system for vaccine certification as soon as possible but did not provide an estimate of when that would happen.

In addition, the MoH alerted the population about false emails about a supposed service whereby vaccine certificates would be emailed to the population. The department reiterated the only way to get the certificates is via the ConecteSUS app or online.

Members of the Lapsus$ group, who has claimed responsibility for the cyberattacks against the Ministry of Health over the last few days, started to dump files online that were allegedly extracted from the MoH’s systems, according to Brazilian security website CISO Advisor.

So far, 293MB worth of data has already been dumped, and the package is composed mainly of data tables, Javascript code and apparently no citizen data. In an exchange with CISO Advisor, the perpetrators said they will dump an additional 10MB online soon but did not say when.